1. My SQL server was in a domain that had the Certification Authority role installed, but only partially configured, and the web services portion of the role was not installed.  This limited my ability to create the proper certificate in the first place.
2. I am not using a SQL cluster, and many of the blog posts and forum threads I read were focused on resolving the empty drop down menu in a cluster environment.

For me, this is what worked:

1. Create the certificate request on the SQL server

• Open the MMC console and add the Certificates snap-in for the Local Computer (read the MS technet article above on this for more background)
• Right-click the Personal folder and select All Tasks -> Advanced Operations -> Create Custom Request, then click next on the first screen of the enrollment wizard
• Select “Proceed without enrollment policy” under the custom request section and click Next
• Select “No Template” Legacy Key under the template drop down, leave other values as default and click Next
• On the next screen, click the little down arrow Details button to expand an additional properties window, then click Properties
  
• Type in the friendly name as the fully qualified host name, for me, this seemed to even require including proper capitalization because my server name was SRVSQL01.domain.loc, so that is that I used.  I left description blank
  
• On the Subject Tab, I added the values in the screenshot below.
  
• On the Extensions Tab, I added “Key encipherment”  under the Key Usage setting box, and “Server Authentication” and “Client Authentication” under the Extended Key Usage (application policies) settings box.
  
• On the private key tab, under key type, I changed the value from Exchange to Signature.
  
• Finally, click OK, then click Next back in the Enrollment Wizard window.
• Enter a file name and click Finish.
  

2. Process the CSR on your Certificate Server

I won’t go into detail here, but you need to copy the file you created to your Certificate Authority server, process and approve the request, then export the binary key file of the certificate.  Then copy that exported binary file back to your SQL server.

3. Import the certificate into the local certificate store

Back in your MMC console and Certificates snap-in, you can now right-click on the Personal folder again and select Import.  Complete the import wizard using your recently created binary export of the cerficate and the new cert should now show up in the certificates folder under Personal in the Certificates snap-in.

One last step here, and its and important one, on the certificate itself, right-click on the cert name, and select All Tasks -> “Manage Private Keys…”, then give the user the SQLSERVER service runs as Read permission in the security tab.

4. Tell SQL Server which certificate to use

Now, when you follow Microsoft’s instructions and you open the properties of the protocols instance for your SQL Server and view the Certificates tab, you should see the new certificate in the drop down menu! Select the certificate here, click OK, then restart the SQL service.  Clients can now use the encrypted connection and you won’t see errors like, “SSL Provider, error: 0 – The certificate’s CN name does not match the passed value”

I hope this saves some of you some time, I spent the better part of 3 days working on this.  I went through the whole process many times, and for me, I believe the biggest change I made was changing the Exchange key type to Signature.  I don’t know for sure if this is true, but that’s what I’m thinking.  In the comments below, let me know if the process works for you or if you have any questions I’ll be glad to help where I can.

Note: Requires Mac OS X 10.4 or later.  I have run it using Leopard (10.5) and Snow Leopard (10.6)

If you’re a user that has a desktop computer always on at home (Mac or Windows) and you carry a laptop around, this post can help set yourself up with some private web browsing.

I’m going to cover all the different Mac & Windows options here, because I know not everyone uses the same set of computers. I hope the post doesn’t get too cluttered…

Home Computer Setup

1. A Dynamic DNS account configured using your high speed internet account.
2. An SSH server running (this is the tricky part)
3. A properly configured home firewall

1. Dynamic DNS

There are lots of Dynamic DNS services out there, but my favorite is DynDNS.com.  I’ve had an account with them for over 10 years and I don’t think they’ve ever been offline.  I use their paid Custom DNS service because it gives me a lot of flexibility and control.

I’m going to leave the setup process for Dynamic DNS on your home account out of this post.  Your firewall may already have integrated support and there are lots of other pages out there to set this up.  Here are a few:

• http://www.dyndns.com/services/dns/dyndns/howto.html
• http://minitutorials.com/apache/dyndns11.shtml
• http://geekswithblogs.net/saifkhan/archive/2008/12/29/setup-dyndns-dynamic-dns-on-a-linksys-wrt54g-router-again.aspx

For reference, I set my custom DNS name to, home.mydomain.com.  This is the hostname I’ll use when configuring the remote SSH tunnel.

2a. An SSH Server using Mac OS X

With Mac OS X as your home computer, you’re in luck, this is easy to setup.  First, I recommend creating a user account used only for SSH connections.  Open System Preferences – Accounts, click the + icon to create a new account, and name it whatever you want, something cryptic maybe, I’ll call my new user, goodbadtechremote2009, and I recommend picking a very strong password, 8+ characters, letters, numbers, symbols, etc.

Next, enable remote access by opening System Preferences -> Sharing.  Then click the checkbox next to “Remote Login”.  In the “Allow Access” section, change the selection to “Only these users”, and add the user you just created.

Last, configure your Mac to use a static IP address.  This can be done under System Preferences -> Network.  Make note of the address you use, I’ll refer to it later as SSHIP.  Take a look at this link for additional help: http://answers.vt.edu/kb/entry/1867/

That’s it on the Mac side, you’re ready to go.

2b. An SSH Server using Microsoft Windows

Running Windows, it’s definitely more of a challenge to get an SSH server online.  I know some people have used Cygwin, but I think using the free VMWare Server product is a better way to go. It makes the whole process much faster, is more reliable and VMWare is just cool.

1. So, step one, download and install VMWare Server.  VMWare provides a lot of great documentation regarding how to get the product downloaded and installs, but typically you just need to download and run the installer with all the default options.
2. Reference my post regarding installing CentOS 5 as a VMWare guest.  Complete the steps in the section, CentOS 5.  Make sure you choose Bridged for the type of network connection. There are also many other places that detail installing Linux operating systems in VMWare, feel free to use a different resource if you have one you prefer.
3. Login to your new Linux operating system as root
   1. Add a new user for SSH connections and set a very strong password, let’s call the user goodbadtechremote2009
      /usr/sbin/adduser goodbadtechremote2009
   2. I recommend you edit /etc/ssh/sshd_config to lock access down.  Here is a sample config that I like to use.

      Port                            22
      Protocol                        2
      ListenAddress                   0.0.0.0
      AllowUsers                      goodbadtechremote2009
      SyslogFacility                  AUTH
      LogLevel                        INFO
      PermitRootLogin                 no
      StrictModes                     yes
      RSAAuthentication               yes
      PubkeyAuthentication            yes
      PasswordAuthentication          yes
      PermitEmptyPasswords            no
      KerberosAuthentication          no
      X11Forwarding                   no
      PrintMotd                       yes
      PrintLastLog                    yes
      KeepAlive                       yes
      UseLogin                        no
      UsePrivilegeSeparation          no
      Subsystem                       sftp            /usr/libexec/openssh/sftp-server
      Banner                          /etc/issue
      UseDNS                          no

   3. I also like to edit the /etc/issue file to include a simple “keep away” statement.

                                  NOTICE TO USERS
      
      This computer system is the private property, whether individual,
      corporate or government.  It is for authorized use only. Users
      (authorized or unauthorized) have no explicit or implicit
      expectation of privacy.
      
      Any or all uses of this system and all files on this system may be
      intercepted, monitored, recorded, copied, audited, inspected, and
      disclosed to your employer, to authorized site, government, and law
      enforcement personnel, as well as authorized officials of government
      agencies, both domestic and foreign.
      
      By using this system, the user consents to such interception, monitoring,
      recording, copying, auditing, inspection, and disclosure at the
      discretion of such personnel or officials.  Unauthorized or improper use
      of this system may result in civil and criminal penalties and
      administrative or disciplinary action, as appropriate. By continuing to
      use this system you indicate your awareness of and consent to these terms
      and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
      conditions stated in this warning.

   4. Configure a static IP address
      1. run /sbin/ifconfig and note your current IP address and Network.
      2. In CentOS, edit /etc/sysconfig/network-scripts/ifcfg-eth0, so it looks something like the text below.  Make sure to replace the IP address and Gateway with a valid address in your network.  I’ll later referece the IP address you set here as SSHIP

         TYPE=Ethernet
         DEVICE=eth0
         BOOTPROTO=
         IPADDR=192.168.0.10
         GATEWAY=192.168.0.1
         NETMASK=255.255.255.0
         USERCTL=yes
         IPV6INIT=no
         PEERDNS=yes
         ONBOOT=yes

   5. Restart the SSH server

      /etc/init.d/sshd restart

   6. Restart your networking

      /etc/init.d/network restart

   7. That’s it, your Linux setup in Windows should be ready to go.

3. Your home firewall

Disclaimer: Open remote access to an SSH server in your home network at your own risk.  I can’t cover all the details of this setup process here and there are several security concerns to consider.   Also, your internet provider may NOT allow home servers running over the Internet.

In order to access your own computer over the Internet, you’ll need to allow remote access through your home firewall/router (you are using a firewall on your high speed connection right?).

I use a LinkSys WRT300N wireless router.  Most of the LinkSys, Belkin, NetGear, etc routers operate pretty much the same.  For me, I logged into the router, went into the Applications & Gaming section and setup single port forwarding.

A little trick I use is to set the external port to 443 instead of 22 (which is the default for SSH connections) because some networks control outbound traffic and port 443 is more likely to be allowed outbound then port 22 is.  Also, if anyone were to glance at the actual traffic it would look like the HTTPS encrypted traffic they’d expect to see.

Make sure to set the internal port to 22, set the protocol to TCP, and enter the SSHIP address you recorded in earlier and save your settings.

You’re ready to setup your laptop to open the SSH tunnel.

Laptop Setup

Windows SSH Tunnels

• Download putty.exe and save it to your hard drive.  I usually place the executable in my Program Files directory.
• Run PuTTY
• We need to create a saved session for easily opening an SSH connection with all the right settings in the future
  • Expand the Connection section and click Data and enter goodbadtechremote2009 in teh Auto-Login username field.
  • Expand Connection->SSH and click on Tunnels
  • In the Source Port field type 1080
  • Leave the Destination field empty
  • Change the Local radio button to Dynamic
  • Click on the Session category
  • Type in the hostname you configured when setting up Dynamic DNS, home.mydomain.com, in my example
  • Make sure the connection type is SSH
  • The default port will be 22, change this to 443 if you set your home firewall up the way I did in this example.
  • In the Saved Sessions text box, type in a name for the session.  I like to use the remote hostname I’m connecting to, home.mydomain.com.
  • Click Save
• Test the new PuTTY session by clicking open.  If all goes right you’ll get a terminal session window that opens and it will prompt you for a password.  On your first connection attempt you may be asked to verify that you are connecting to a valid host, you can type yes to authorize the connection.
• Shortcut tip:  Create a shortcut on your desktop to the putty.exe application.  Edit the properties of the shortcut and add some information to the target line.  Mine looks like this:

  "C:\Program Files\SSH Client\putty.exe" -load "home.mydomain.com"

Windows Web Browser changes

This is the last step, configuring the browser.  There are a number of different ways to set this up.  I’m going to keep it simple here.  I use Internet Explorer 8 for my primary web browsing, and I downloaded and installed Firefox to use when I want use my private browsing SSH tunnel.   So here is the process for this approach:

• Download and install Firefox if it’s not installed already. http://www.mozilla.com/en-US/firefox/personal.html
• Open Firefox and click on Tools -> Options
• Click the Advanced Icon at the top of the Options Window
• Click the Network Tab
• Click the Settings button
• Select “Manual Proxy Configuration”
• Under SOCKS Host, type in, 127.0.0.1
• Set the port for SOCKS Host to 1080
• Select the SOCKS v5 radio button
• Click OK
• Click OK again to close the Options window

If your SSH connection is still open, you should be able to visit web pages just like you normally would, go ahead and try to visit GoodBadTech.com and see if it works.

Now this is the real test, close your SSH tunnel by closing your PuTTY session window.  Try to go to http://goodbadtech.com again.  This time the connection should fail.  If it does, your private web browsing configuration is READY TO GO!

In the future, to use private browsing, open the PuTTY shortcut you configured on your desktop, then open Firefox and no body at your office or in the coffee shop or where ever will be able to detect or restrict what web sites your visiting.

Mac OS SSH Tunnels

This is a pretty quick process, here goes…

1. Open your Applications folder -> Utilities -> Terminal
2. Type
   pico ~/.bash_profile
3. scroll down to the very bottom of the file
4. Add this line
   alias homessh=”/usr/bin/sshtunnel -D 1080 -f -C -q N  -p 443 goodbadtechremote2009@home.mydomain.com”
5. Type Ctrl+x to exit the Pico editor, type Y, to indicate you want to save the changes
6. Now at your command prompt type, homessh, this should connect to your home SSH server and prompt you for your password. Type in your password and your tunnel will be ready to go.  \

Mac OS Web Browser changes

On my MacBook Pro, I find it works best to use the location functionality. Note: This will only effect the Safari browser.  Firefox will ignore these location settings.

1. I go into the Apple Menu, Select Location, then select “Network Preferences”
2. In the Location drop-down menu select “Edit Locations…”
3. Click the + icon at the bottom of the Locations menu that pops up and name your new location, “Home SSH Proxy”, click Done.
4. Back in the Network system preference, select the new “Home SSH Proxy” location
   
5. Click on the Ethernet icon
6. Click on the Advanced button
7. Click on the proxies tab
8. Click the check box next to Web Proxy (HTTP)
9. In the Web Proxy Server enter, 127.0.0.1, into the first text field and enter, 1080, into the second field.
10. Now click the check box next to Secure Web Proxy (HTTPS)
11. In the Secure Web Proxy Server enter, 127.0.0.1, into the first text field and enter, 1080, into the second field.
    
12. Click OK
13. Repeat steps 6-12 for your AirPort connection

That should be everything.  Just as in the Windows setup, if your SSH connection is still open and your location is set to Home SSH Tunnel, you should be able to visit web pages just like you normally would, go ahead and try to visit GoodBadTech.com and see if it works.

Now this is the real test, close your SSH tunnel by typing exit in your terminal window.  Try to go to http://goodbadtech.com again.  This time the connection should fail.  If it does, your private web browsing configuration is READY TO GO!

In the future, to use private browsing, open a terminal window and type homessh, enter your ssh password, then switch your location to “Home SSH Tunnel”.  Make sure to switch back to your normal network location when you’re done.

Additional Reading

• Read the Public Key Setup section on Public Key Authentication

As always, feel free to post any questions in the comments below.

Note: This post assumes you have a valid multi-domain SSL certificate installed.  I won’t go into that process here, but if I get a few questions I can certainly do a post on that as well.

The first thing I needed to do was run some tests on the local IIS server that provides my Exchange services.  In my case, Exchange and IIS were running on the same server, so I logged in to the server, opened Internet Explorer and typed in:

https://<Servername>/Microsoft-Server-Activesync

You should be prompted for credentials using basic authentication, then you should see an “HTTP 501 Not Implemented/HTTP 505 Version Not Supported Error”

If you see this, ActiveSync itself, which the iPhone relies on for communication with Exchange, should be working correctly.  I did not see this error.  I saw an HTTP 401 file not found error. Now, with Exchange 2007, I generally try not to do a lot of troubleshooting, it’s just easier to start over and reinstall ActiveSync support.

1. On the Exchange server, open the Exchange Management Shell, and run (this command may take a minute to output:

   Get-ActiveSyncVirtualDirectory | fl

2. Search through the text output and look for the line that starts with, Identity, copy/paste the corresponding value into notepad.  It may be something like,  SERVERNAME\Microsoft-Server-ActiveSync (Default Web Site)
3. In Exchange Management Shell, run the command

   Remove-ActiveSyncVirtualDirectory

   1. When prompted, paste in the Identity value you copied in step 2.
   2. Verify that you want to remove ActiveSync
4. Refresh your IIS Admin window to make sure the Microsoft-Server-ActiveSync virtual directory is no longer there.
5. In Exchange Management Shell, run the command

   New-ActiveSyncVirtualDirectory

6. Refresh your IIS Admin window to make sure the Microsoft-Server-ActiveSync virtual directory is back.
7. Close any open Internet Explorer windows and then access https://<Servername>/Microsoft-Server-Activesync again.
8. Hopefully you see the “HTTP 501 Not Implemented/HTTP 505 Version Not Supported” error now.  If you do, your iPhone should be ready to go.  This error means the correct files are there, but that your web request doesn’t include the data that ActiveSync is looking for.

If you didn’t get the 501/505 error, then it’s back to the drawing board.  Post a comment below and I’ll see if I can help out.

Also, check out the link below, it’s a very slick troubleshooting tool from Microsoft that can be used to troubleshoot Exchange 2003/2007 servers for remote connectivity services like Autodiscover, ActiveSync, RPC over HTTP, and many other tests for Exchanged based services.  Its very easy to use and provides detailed test results regarding what works and what doesn’t.

https://www.testexchangeconnectivity.com/

So the question is: Who is my computer connected to and what’s it sending them?

First I needed to know the IP address of my home internet connection.  The home web server is on a Comcast cable modem with DHCP that doesn’t change its IP address very often, but does every once in a while.  To get started I logged in to the home computer via my LogMeIn connection, opened up the web browser, and hit up http://www.whatsmyip.org to verify my IP address, looks like it’s 12.345.678.9 (no, that’s not actually my IP address, but I don’t want to post my real public IP for everyone to see)

Note: I actually use DynDNS to keep track of my home IP address, the whatsmyip.org method is just a little faster if you don’t already have Dynamic DNS running somewhere.

With my remote IP address in hand, I was ready to check out what connections were active.

Open up your Terminal application (Applications -> Utilitys -> Terminal.app) and run,

netstat -napt

Here is what returned:

[goodbadtech@tim:~]$ netstat -napt
netstat: t: unknown or uninstrumented protocol

Oh right, that’s the Linux netstat syntax, it lists all active TCP connections, their process ID, and turns off DNS translations so just the IP address shows up

To get the same output in Mac OS I had to change the syntax a bit:

netstat -na -p tcp

The results this time where much better.  I needed to narrow the results down, 46 TCP connections where too many to scan through.

netstat -na -p tcp | grep 12.345.678.9

Running this command which only outputs connections that contain the IP address I specified, I expected to see an empty result, because I wasn’t aware of any active connections to my home network. However, this is what I saw:

tcp4       0      0  10.1.1.110.50994       12.345.678.9.4242        ESTABLISHED

The destination port was a little suspicious to me, 4242.  I had no idea what the connection was.  I also noticed something else, no process ID was listed.  I forgot about that too.  I’m so used to the Linux version of netstat including PID information, I forget that Mac OS doesn’t include PID.

So how to I find the PID of a TCP connection on a Mac?  Here we turn to lsof.  Note, lsof requires root permission, so we’ll be running the commend with sudo

sudo lsof -i -Pn

-i limits the results to files with Internet connections active
-Pn turns off reverse port and IP address translation which just speeds the results up a bit

Now we’re getting somewhere, expect the list of files returned is still large, 145, and I don’t like to look through so many lines, so let’s get grep involved again to help filter the results

sudo lsof -i -Pn | grep 12.345.678.9

And the one line I was looking for was displayed

java       6756           root   70u  IPv4  0x8c3ce64      0t0    TCP 10.1.1.110:50994->12.345.678.9:4242 (ESTABLISHED)

Okay, process ID 6756, good, that’s the info I was looking for.  However, I saw the process name was java.  Great, that could be anything.  Why in the world was a java process started by root connected to my home computer network?  We go back to lsof to find the answer.  (That sentence makes me think I’ve been watching too much History channel lately)

sudo lsof -p 6756

-p the lower case p limits results to open files in use by process ID 6756.

With a 122 lines returned I saw there was plenty of activity, fortunately, I quickly saw exactly what was going on.

java    6756 root   51u     REG       14,2        44   5116740 /Library/Caches/CrashPlan/cpft366842740763787782x

There were many lines output similar to this one, so I don’t need to include the whole output here, the point is, the line segment /Library/Caches/CrashPlan, tells me that CrashPlan had created the connection.  Okay, I’m cool with that.  I hope you found this useful.  Send me a message on Twitter @goodbadtech if you have any questions.  Back to my original software testing…

Notes:

A quick editorial on CrashPlan, its very slick backup software, especially for those of you that have multiple computers in different locations.  The basic concept is, you backup for your office and your office backs up to your house.  Make sure you at least check out the link.

netstat and lsof are great utilities to get familiar with.  If your computer is running slow or you want to check connections on your web server, they should come to mind right away.  One of my favorites on a Linux web server will list all established connections to your web server (assuming you’re running Apache)

netstat -atp | grep httpd | grep ESTABLISHED

This will count all the established connections to your web server and output the value

netstat -atp | grep httpd | grep ESTABLISHED | wc -l

Here is a great post of netstat commands to try out if you’re looking for some additional reading.

http://www.mydigitallife.info/2007/12/13/how-to-find-and-check-number-of-connections-to-a-server

• Step 1 – Virtual Machine Setup
  
• Step 2 – Finalize the LDAP server
• Step 3 – Finalize the iFolder Web server (you are here)

Step 3 – Finalize the iFolder Web Server

As you’ll recall in (if you don’t recall, don’t miss out on) step 1, we created a very basic OpenSUSE 10.3 installation and converted it to a template before the installation process completed.  Then in step 2 we created the LDAP server. Here we’ll get the web server up and running with iFolder installed.

In the VMWare Infrastructure Client, right-clicking on my OPENSUSE10.3 template, I select “Deploy Virtual Machine from this template…”   The settings you enter in the Deploy Template Wizard will be very specific to your environment so I won’t cover them in detail here.

I made two changes after the deployment process completed.  First, I disconnected the CD / DVD ISO because I won’t be needing it anymore.  Second, I added a second virtual disk to be used as my iFolder data store.  I went with a 250GB virtual disk which should hold all my files, at least for a while anyway.

Power on the virtual machine (mine is named IFOLDERWEB01) and open up the console.

Finish Setup

OpenSUSE will detect that you have not completed the installation process and load up the YaST First run utility.

1. Set your root password, as always, set a good one.
2. Hostname and Domain name: This can anything you want, just remember what the settings are.  I always uncheck “Change hostname via DHCP”
3. Network configuration: You’ll need to set a static IP address, valid DNS servers, and a valid default gateway.
4. Test Internet Connection: I always skip this
5. Authentication Method: LDAP
   1. LDAP Client Configuration wizard
   2. Address of LDAP server: Enter the address assigned to your LDAP server from step 2
   3. You can use “Fetch DN” to get the correct base DN
   4. Uncheck LDAP TLS/SSL
   5. Open Advanced Configuration
      1. View Administration Settings
      2. Enter the full Administrator DN as recorded in step 2
      3. Accept
   6. Select Next
   7. Install any missing packages requested by YaST
6. Release Notes: select Next
7. Finish

At this point you should have a very basic OpenSUSE server up and running and connected to the Internet.  From here, we’ll install the Web server and iFolder services.  You should be back at the login prompt, so login as root, type “yast” (no quotes) and press enter.

Install required packages

In the YaST2 Control Center select Software -> Sofware Management.  Your system may update it’s cache at this point.  After a few moments you should see a list of installed software.  You’ll want to install the following packages and let YaST handle the dependencies:

• apache2-worker
• openssl
• wget
• log4net

After those packages are installed, I recomment creating a temp directory somewhere to download the required iFolder RPM files.  I ran the following…

cd ~
mkdir rpmtmp
cd rpmtmp
mkdir ifolder
mkdir mono
cd mono
wget http://ftp.novell.com/pub/mono/download/x86/mono/1.2.6-4/mono-core-1.2.6-4.novell.i586.rpm
wget http://ftp.novell.com/pub/mono/download/x86/mono/1.2.6-4/mono-data-1.2.6-4.novell.i586.rpm
wget http://ftp.novell.com/pub/mono/download/x86/mono/1.2.6-4/mono-data-sqlite-1.2.6-4.novell.i586.rpm
wget http://ftp.novell.com/pub/mono/download/x86/mono/1.2.6-4/mono-web-1.2.6-4.novell.i586.rpm
wget http://ftp.novell.com/pub/mono/download/x86/mono/1.2.6-4/mono-nunit-1.2.6-4.novell.i586.rpm
wget http://ftp.novell.com/pub/mono/download/x86/mono/1.2.6-4/mono-winforms-1.2.6-4.novell.i586.rpm
wget http://ftp.novell.com/pub/mono/download/noarch/xsp/1.2.6-2/xsp-1.2.6-2.novell.noarch.rpm
wget http://ftp.novell.com/pub/mono/download/suse-103-i586/mod_mono/1.2.6-1/apache2-mod_mono-1.2.6-1.suse103.novell.i586.rpm
rpm -Uvh *.rpm
cd ../ifolder/
wget http://superb-west.dl.sourceforge.net/sourceforge/ifolder3/ifolder3-enterprise-3.7.2.9089.1-0.2.i586.rpm
wget http://superb-east.dl.sourceforge.net/sourceforge/ifolder3/ifolder-enterprise-plugins-3.7.2.9089.1-2.i586.rpm
rpm -Uvh *.rpm

There, iFolder is installed. It’s not too bad once you get the right list of mono packages.  Next we need to configure the iFolder server and link it to our LDAP server. As the ifolder RPM indicates, “Run /usr/bin/simias-server-setup to configure the server”.  But wait, before we do that, that new virtual disk I created in VMWare needs to be formatted so it’s ready to go.

YaST -> System -> Partitioner

1. Create a new Disk
2. Select the disk you created, in my case, /dev/sdb
3. Primary Partition
4. Leave the format defaults as they are.  Note, iFolder requires an Ext3 or Reiser filesystem
5. Leave the size with it’s defaults
6. Set the Mount Point to, /data
7. Select, OK
8. Back in the main partitioner window, select Apply
9. Confirm the changes by selecting Apply again.  Note: I’ve found selecting Finish often ends up requiring a reboot for some reason, so I shy away from it now.
10. Also note, don’t screw this part up or you’ll be starting over by deploying your VM from template again.
11. When the formatting is complete, select Quit to exit the Partitioner wizard

Now, back to the iFolder setup process, here is what I did:

/usr/bin/simias-server-setup
Server Data Path: /data/simias
Server Name: ifolderweb01
SSL: NONSSL
Public URL: http://myip/simias10
Private URL: http://myip/simias10
System Name: ifolder
System Description: iFolder Enterprise System
Use Key Recovery Agent? Y
Recovery Agent Certificate Path? /var/simias/data
Use LDAP? Y
LDAP Server? your ldap server IP
LDAP Secure? N
LDAP Admin DN? This is the full Administrator DN as recorded in step 2
LDAP Admin Password? Your password
System Admin? cn=admin,dc=yourdomain,dc=com (this is a little tricky, just use the same full Administrator DN you used, except swap, admin, in place of, administrator
System Admin Password? whatever you want
LDAP Proxy DN? cn=SimiasProxy,dc=yourdomain,dc=com
LDAP Proxy Password? whatever you want
LDAP Search Context? cn=iFolderUsers,ou=group,dc=mynightowl,dc=com
Naming Attribute? mail
Configure Apache? Y
Ldap Groups Plugin? Y

Whew, you have no idea how many times I ran the setup process to get that to work. The problem is all the default values are for non LDAP installations, and while I’ve very familiar with Windows and Active Directory, I don’t spend a lot of time looking at what all the specific Distinguished Names are in an LDAP directory.

Web Server Configuration

• /usr/bin/ifolder-web-setup
  • Web Alias? /ifolder
  • Require SSL? N
  • Require Server SSL? N
  • iFolder URL? http://youripaddress:80/
  • Redirect URL? leave blank
• /usr/bin/ifolder-admin-setup
  • Web Alias? /admin
  • Require SSL? N
  • Require Server SSL? N
  • iFolder URL?  http://youripaddress:80/
  • Redirect URL? leave blank
• /sbin/chkconfig apache2 on
• /etc/init.d/apache2 start

That is it.  You’re up and running.  Visit the addresses below in your web browser and start clicking around.  Keep in kind, I disabled ALL encryption for this installation.  In my particular case, all traffic will be contained to a trusted local area network.  If you’re doing anything over the Internet you’ll of course want to enable encryption.

I plan to follow up here with a special Step on enabling public encryption.  But up next in this series are the Windows and Mac OS desktop clients for iFolder.  This is where things get really useful.  Check back soon, follow me on Twitter @goodbadtech, or subscribe to Feedburner email notifications to stay informed of new posts.

User Access:  http://youripaddress/ifolder
Admin Access: http://youripaddress/admin

Authentication

The admin user you created has a username of, cn=admin,dc=yourdomain,dc=com, I know that’s a little unusual, but it’s just the default admin.  All other users you add to your LDAP directory will login using their email address.  I suggest logging in as cn=admin,dc=yourdomain,dc=com, then setting that first LDAP user you created as an iFolder admin, then you can use that for administering the system instead of the admin user with the complete distinguished name.

• Step 1 – Virtual Machine Setup
  
• Step 2 – Finalize the LDAP server
• Step 3 – Finalize the iFolder Web server (you are here)

• Step 1 – Virtual Machine Setup
  
• Step 2 – Finalize the LDAP server (you are here)
• Step 3 – Finalize the iFolder Web server

Step 2 – Finalize the LDAP Server

As you’ll recall in (if you don’t recall, don’t miss out on) step 1, we created a very basic OpenSUSE 10.3 installation and converted it to a template before the installation process completed.  I’m going to move on from there with the LDAP server first.

In the VMWare Infrastructure Client I brought up the view of all the templates in my environment.  Right-clicking on my OPENSUSE10.3 template, I select “Deploy Virtual Machine from this template…”   The settings you enter in the Deploy Template Wizard will be very specific to your environment so I won’t cover them in detail here.  The only change I made after the deployment process completed was to disconnect the CD / DVD ISO because I won’t be needing it anymore.

Power on the virtual machine (mine is named IFOLDERLDAP01) and open up the console.

Finish Setup

OpenSUSE will detect that you have not completed the installation process and load up the YaST First run utility.

1. Set your root password, as always, set a good one.
2. Hostname and Domain name: This can anything you want, just remember what the settings are.  I always uncheck “Change hostname via DHCP”
3. Network configuration: You’ll need to set a static IP address, valid DNS servers, and a valid default gateway.
4. Test Internet Connection: I always skip this
5. Authentication Method: Even though we’ll be installing openldap, it’s not installed yet, so set the Authentication Method to local
6. New Local User: Enter in a default first user
7. Release Notes: select Next
8. Finish

At this point you should have a very basic OpenSUSE server up and running and connected to the Internet.  From here, we’ll install the LDAP server.  You should be back at the login prompt, so login as root, type “yast” (no quotes) and press enter.

Install required packages

In the YaST2 Control Center select Software -> Sofware Management.  Your system may update it’s cache at this point.  After a few moments you should see a list of installed software.  Open the search field and type “ldap”.  A list of results will show up, scroll down to openldap2 and press Shitf+=, this will place a + sign next to the package to it’s marked for installation.  Continue scrolling down to “yast2-ldap-server” and press Shift+=  Select Accept.  YaST will auto resolve a few dependencies.  You can accept the changes it suggests.    When the packages are finished being installed, you can exit out of Yast.

Now is a good time to update any basic system settings you normally would, I always update the sshd_config to it’s locked down much better than the default settings.  Also, if you’re running the SuSE Firewall, make sure you have TCP ports 22 and 389 open for SSH and basic LDAP connections.

Configure LDAP Server

Open up yast again and navigate to Network Services -> LDAP Server

Select “Yes” and go into the configuration, then highlight Databases and select “Add Database…”

On the Add Database screen, you’ll need to enter your Base DN, as well as the LDAP root password.  You can leave the Root DN with it’s default value if you like. After you’ve added the Database select Finish to close the LDAP Server Configuration window.

Back at the YaST main Control Center screen, I suggest going into Network Servers -> LDAP Browser to verify your LDAP server is running.

Access Credentials

• LDAP server: 127.0.0.1
• Administrator DN: cn=Administrator,dc=yourdomain,dc=com (use the domain name you entered)
• Password: the password you entered

Note: Make note of the Administrator DN, you’ll need it again in later steps.  Also, if given an TLS/SSL error, it’s okay to retry the connection without encryption enabled.

Exit out of YaST.

There are a few useful steps you can review over on OpenSUSE.org as well.  I do recommend checking the link out, but I’ll show you a different way, using YaST, to add users.

LDAP Client Configuration

In the YaST control center, go to Network Services -> LDAP Client.  In the User Authentication box select “Use LDAP”.  In the LDAP Client box change the LDAP Base DN to the domain you’re using, uncheck LDAP TLS/SSL, and then open up “Advanced Configuration…”

Change from the “Client Configuration” window you start in to “Administration Settings”.  In the Administrator DN field, enter in the same Administrator DN you recorded up in the Access Credentials section above.   Accept the Changes and then select Finish back on the LDAP Client Configuration window.

Here, YaST may notify you that a few missing packages need to be installed, go ahead and continue so they can be installed.

Add a User

First, you need to configure some basic user/group options for LDAP users.  In YaST, navigate to Security and Users -> User Management, then select LDAP Options -> LDAP User and Group Configuration. You’ll need to authenticate before you can proceed.  Notice the Administrator name is pre-populated with the Administrator DN you entered in the LDAP Client Configuration advanced settings.

A warning appears up that “No entry with DN”… exists, Create it Now? You should select Yes.  Select New, leave the susegroupconfiguration Object selected, enter “groupconfiguration”, and select OK

Leave all the default settings for the groupconfiguration.  Select New again, notice only the suseuserconfiguration object is availabe.  Enter, “userconfiguration”, and select OK.  Now, we’ll edit two values in the userconfiguration module.  Set suseminuniqueid to 10000, and set susenextuniqueid to 10000.  Select Accept when you’re finished with the changes.

Set the User Filter to LDAP Users.

Two warnings will appear that No entry with DN…. exists, select Yes for each one and continue.

Select Add, and enter the user information, First Name, Last Name, Username, Password, Confirm Password.  Before selecting Accept, change to the Plug-Ins screen.

Highlight the “Edit Remaining LDAP Attributes” and select Launch, scroll down to the mail Setting, and enter the user’s email address.  Accept the changes, and select Accept again to create the user.

Let’s create a Group too.  The process is pretty much the same as users.  Change over to the groups screen, set the filter to LDAP groups, and Add a new group.  I’ll call mine, “iFolderUsers”, and add the user I just created to the group.

You can add more users and groups here if you like, but at this point, I think I’m done with the LDAP server.  Time to move on to Step 3.

• Step 1 – Virtual Machine Setup
  
• Step 2 – Finalize the LDAP server (you are here)
• Step 3 – Finalize the iFolder Web server

Audio Quality

Starting off with Green Day I sat down about two feet away from the phone, the audio was perfect. I decided to hit up Google Charts to show how the audio quality was as I stepped away from the phone. Overall I was very impressed. I actually had to go outside to find enough room to really test the signal. Note: The audio quality was measured scientifically by me deciding how well I could hear the music compared to how well I thought I should be able to hear it.

I also ran an indoor/outdoor test. With the phone left inside, I was able to take about 8 steps to the door, and then 4 or 5 steps outside before the audio cut out. One last comment, I’m not sure if this is standard or not, but I had to get back within 10 feet or so to reestablish a reliable audio connection after I got out of range. I figured I should test the phone call audio quality too, just to make sure that was still okay. I decided to call my good friend the Billionaire Girl. Here is our conversation:

• Me “Hey Billionaire Girl, Can you hear me now?”
• BG “Yeah, what do you want? I’m crazy busy.”
• Me “I’m testing the stereo bluetooth functionality on the new iPhone OS 3.0″
• BG “I’m jealous, I just have this Blackberry junk that always seems to fall apart”
• Me “Yeah, that sucks. Okay, bye.”
• BG “You suck.”

The Billionaire Girl is amazing, and I suggest you subscribe to her blog, but she hates iPhone talk. At any rate, I’d say the audio quality for the phone works as expected, as well as switching over from iPod to iPhone and back within your Bluetooth headset.

Battery Life

I gave both my iPhone and Headphones a full charge then I let the music play all afternoon with the exception of about 30 minutes in phone use, a couple text messages, and very limited web browsing. Note: My email syncs every hour and I have Wi-Fi, Location Services, 3G, and of course Bluetooth enabled. … A couple hours in, things are looking pretty good. The battery is definitely going down, but it doesn’t appear to be draining any faster than using the iPod with the included wired headphones. … Three and a half hours in I got the 20% Battery remaining warning. I think we’re fading fast now. … Almost exactly 5 hours in my phone went dead. What are your thoughts, is 5 hours a respectable amount of time?

Conclusion

This feature was long overdue in my opinion. I’m very happy it’s here, I just don’t like wires, but it seems that I’ll need charging wires to get through a day of work. Maybe the 3G s will fare better on the batter. In general, I noticed as I was listening throughout the afternoon that my audio would peridocially “skip” like a CD skipping in random places. I wonder if that is just bluetooth cutting out for a moment here and there. The iPhone felt a little snappier than it did yesterday, if that’s from the upgrade to the 3.0 OS I’m happy to take any speed improvements I can get. Last, don’t miss any of the new 3.0 features, here is a great write up I came across today from the folks over at ismashphone.com.

• Step 1 (you are here)
• Step 2 – Finalize the LDAP server
• Step 3 – Finalize the iFolder Web server

Step 1 – The Virtual Machine setup

Since I’m using a separate LDAP server from the iFolder web server, I decided to start with an OpenSUSE 10.3 virtual template that I could then use to customize each server.  Also, this would give me a good fall back point if I decided to start over the build process for either one of them.   Its a pretty basic virtual machine setup.  I started with a 4GB disk, 1024 MB of memory, 2 CPUs, 1 NIC, etc.  I set my guest operating system to “Other Linux 32-bit”.

I set the full ISO for openSUSE-10.3-GM-GNOME-i386.iso to be my Datastore ISO file so I could boot the VM and get the install started.  You could probably get away with the net-install ISO, but this was an ISO I already had a copy of in my datastore. (Note: make sure you set the status of your virtual CD/DVD Drive to both Connected and Connected at power on)

Starting up the VM, I was greated with the OpenSUSE welcome screen.  Even though I have the full ISO downloaded, I like to do network based installs because the CD always seems to be missing a package or two that I’d like to install.  Also, since I’m doing very minimal installs, the download time required is pretty small.  So hit F4 to change your source and enter in the details of your preferred mirror and get the install going…

Installation Steps

1. Select your language
2. Accept the license agreement
3. Select New Installation (this will download lots of files the the online mirror you selected on the Welcome screen.  The downloads took about 3 minutes on my network)
4. Timezone: set your timezone and clock settings
5. Desktop Selection: I use “Other – Text Mode”
6. Installation Settings:
   1. Partitioning: for me, no changes
   2. Software: Since I’m only doing a base installation right now, no changes here
   3. Locale Settings: again, no changes
   4. Click Accept, and then confirm on the popup window that appears
7. Now you get to watch the installation process.  The 210 MB download and install took about 20 minutes for me.  After the install finishes, the system will automatically reboot.  If you want to create a virtual machine template, this is a great spot to do it, power off the virtual machine when it starts the boot up process.
8. Back in your VMWare Infrastructure Client, right-click on your guest, “OPENSUSE10.3″ in my case, and select “Convert to template…”
9. That’s all for Step 1, in Step 2 we’ll tackle the rest of the install for the LDAP server and Web server.

• Step 1 (you are here)
• Step 2 – Finalize the LDAP server
• Step 3 – Finalize the iFolder Web server

1. Check out this link from Google.  It shows you how to add additional domains and update the domain settings to use your Google Apps account, Link
2. Next, setup your account account so it will be able to send emails from the domain name. Link
3. Last, setup a filter+label combination so that emails sent do the new address get labeled with the domain name so they stand out in your inbox.
   Labels: Link
   Filters:  Link

Notes:

• Steps 2 & 3 need to be done in each individual user’s account, it cannot be set globally
• Your email addresses must match across domains, i.e. goodbadtech@domain1.com and goodbadtech@domain2.com.  If you want to support a different address in the second domain, it can be done by adding a matching distribution group in the primary domain.
• You will not be able to send email from your secondary domains in IMAP/POP3 clients like your iPhone or Microsoft Outlook.  Make sure you’re using the web client to respond with the address your email was delivered to.