Posts

Exporting AD membership lists

Rob Engler — Fri, 07 Jan 2011 16:29:41 -0800

Active Directory is great for running your organization smoothly but it has almost no way to allow you to pull meta-data from it easily.

A client asked to have the membership of a few distribution and email-enabled objects pulled so that they could review it for accuracy. Here are a few ways to do it.

Command-line

From the command line on a domain controller, type

net group <AD groupname> > report.txt

This will dump the usernames for the members of that group. Useful but not terribly clean.

Alternately, use the csvde command

csvde -f report.txt -r sAMAccountName=<groupname> -l member

You will get a file that has one entry per member. You can clean up the line in Word using the Replace function (to replace the semicolon with a return, use the ^p value).

Scripting

If you like scripting, you can extract using LDIFDE and VBS to clean it up, or you can script against the LDAP services on your domain controller. Microsoft has a good explanation of the LDIFDE method and clean-up here.

Here is a quick example of using VBScript against LDAP:

Set ObjGroup = GetObject("LDAP://cn=TargetGroup,ou=Groups,dc=company,dc=com")
For Each objMember in objGroup.Members
  WScript.Echo objMember.Name
Next

You will need to know where your object is located and alter the LDAP query to match. A good free tool for figuring this out is made by Softerra and is called LDAP Browser 2.6. This type of tool is invaluable for letting your script access into the data held for your employees in Active Directory and Softerra's implementation is easy to use and works well.

Setting home directories on Windows 7

Rob Engler — Sat, 03 Apr 2010 21:23:17 -0700

A client today needed us to set a home drive mapping from several Windows 7 clients to a share on a Windows 2003 DC. I learned a few things to look out for next time.

Home Directories

If you didn't know this already, you need to set home directory shares so that they allow full offline access. Specifically, this allows the H: drive mapping to occur. This should be the end of the discussion for pre-Win7 clients. User logs in, drive is mapped.

Windows 7 home directory mappings

Windows 7 does not appear to observe home directory mappings when joined to a Windows 2003 AD domain. You can set the home directory mapping in the user account, but the drive will not appear. Some others suggested disabling UAC, but I found this to be true even with UAC disabled.

If you need to map a home directory in this scenario, just do it in a login script.

Setting up SSLVPN for the SonicWall TZ100

Rob Engler — Fri, 19 Feb 2010 22:55:00 -0800

I was trying to enable SSLVPN for the SonicWall TZ100 at a client site and just couldn't get it to go using these directions. I would be able to get the NetExtender software to launch but I couldn't ping across the link to the remote LAN. Looking at the logs on the TZ100 didn't help; the only error listed was "destination for 255.255.255.255 is not allowed by access control". OK, but access control was limiting it from where?

Checking the firewall rules showed the correct SSLVPN->LAN permissions to allow traffic to flow. Checking the LAN DHCP scope showed that the SSLVPN scope wasn't colliding with it. Checked the user account info, it was in the "SSLVPN Services" group. All fine, nothing was different from the official writeup, but no traffic flowing, pings not working.

After poking around at the definitions for each network Address Object, I figured that the user account was only halfway there. The user had been given the rights to the "SSLVPN Services" group so that it could be used to authenticate and connect but also needed to have the "LAN Primary Subnet" listed in the VPN Access tab for the user account to have the rights to pass traffic through to the LAN. And with that change, traffic started to flow.

So, to sum up, the directions to set up a SSL VPN on a TZ100 running SonicOS Enhanced 5.6.0.0-30o are:

Configure SSL VPN Access for Users

Navigate to the Users > Local Users page.
Click on the configure icon for the user you want to edit, or click the Add User button to create a new user. The Edit User window is launched.
Fill out the new username and enter the password, or skip this step if this is an existing user.
Click on the "Group" tab.
In the "User Groups" column, click on "SSLVPN Services" and click the right arrow to move it to the Member Of column.
Click on the "VPN Access" tab.
In the"Networks" column, click on "LAN Primary Subnet" and click the right arrow to move it to the "Access List" column.
Click "OK" to save these changes.

Configure SSLVPN Portal Settings

Under "SSL VPN", choose the "Server Settings" menu item.
Click the "WAN" item to allow the SSLVPN services to accept incoming connections on the WAN port.
On the "Portal Settings" menu item, adjust as you'd like. I'd suggest checking the "Enable HTTP meta tags..." item at least.
Click "Accept" to save your change(s).

Configure SSLVPN Client Settings (IP address range and enable on WAN Interface).

On the "Client Settings" menu item, complete the following fields at least:

Interface: likely X0 if you are using a standard setup (X1 is the WAN port)
NetExtender Start and End IP: make sure that the range given here does not overlap the LAN DHCP scope elsewhere on the router or another server. Also, if this scope is not in the same subnet as the other equipment, you will need to manually make a Client Route.
DNS Server 1 and 2: I used the default public DNS servers for the client's ISP. Just hit the "Default DNS Settings" button to populate these fields.
Click "Accept" to save your change(s).

Enable User HTTPS login on the WAN (or X1) Network Interface

Click on the "Network" menu item and choose "Interfaces" under it.
Edit the X1 interface by clicking the pencil in the right-most column of the X1 row.
I would check both "HTTPS" next to "User Login" and "Add rule to enable redirect...".

Alter the SSLVPN->LAN access rules

Under "Firewall", choose the "Access Rules" item.
Select the "SSLVPN>LAN" item.
Edit the "SSLVPN IP Pool" item and change the "Users" item to "SSLVPN Services".
Click "OK" to save your change(s). Click "OK" on the message that this will require users to log in from the SSLVPN zone; this is a phantom issue.

Configure SSLVPN Client Routes (Optional)

You only need to do this step if you have your SSLVPN clients on a different subnet.

Recovering a VMDK pair

Rob Engler — Wed, 03 Feb 2010 13:05:25 -0800

A client using ESX 3.5u3 had a VM that used a disk file from another defunct (but usable) VM. The defunct VM was finally deleted but the disk descriptor file was trashed in the process. I'm assuming that the only reason the flat VMDK file was still there was because it was in use by the second VM.

After restarting the second VM, it could no longer access or see the first VMs disk file. Looking in the Datastore Browser showed that the VMDK file was still there; what's going on?

The Datastore Browser hides the fact that there are two parts to the virtual disk. The first part is a small file called VMDisk.vmdk and the second part is a large file called VMDisk-flat.vmdk. The first file holds the drive characteristics and geometry, such as sectors and heads. The second file should be the size of the disk as the VM OS sees it.

In this case, the smaller file had been deleted and so the VM couldn't figure out how to address the virtual disk.

Here are links to two very helpful VMwareKB articles:

The first link has the magic on how to recreate a standard header or descriptor file that should match your flat VMDK file. The second link is a good refresher on the file system parts of your VMs.

For this client, I created a new blank VMDK using the -thin option to save on space, deleted the larger VMDK disk file and renamed the smaller VMDK file to match the existing VM disk file.

I also commented out the existing UUID line in the descriptor file when cleaning it up. I've had issues with UUIDs not matching on Ubuntu VMs and didn't want to hit them here.

After that, the VM started up perfectly.

AD permissions and BES on SBS 2003

Rob Engler — Thu, 29 Oct 2009 21:21:50 -0700

In some small firms running Blackberry Enterprise Server or Blackberry Professional, some BES users may be Domain Admins or Admins on the server. A not-so-recent patch to 2003 enables a scavenging operation in Active Directory on accounts for users belonging to protected groups such as Administrators or Domain Admins that will clear the permissions needed by BES to access this user's mailbox. This was meant to be a safeguard against someone escalating their rights, but practically means that Admins need to use a day-to-day account for their email needs (which isn't a bad idea in itself to separate daily ops from God Mode). As with all things, there is a workaround.

You can use the Dsacls.exe utility to add the entries that are being stripped off the Admin's user objects. To do this, change the AdminSDHolder permissions. Then, add the entries that you want. Because all the entries use the security principal SELF, this workaround should not introduce any security problems.

Note: You must run the Dsacls.exe utility one time to add the one access control entry that is missing from the AdminSDHolder security descriptor. For example, if you want to add six different entries, you may run the Dsacls.exe utility six times.

The following workaround changes the AdminSDHolder object. Then, the AdminSDHolder object is propagated to each user account that is a member of a protected group. Follow these steps:

1. Install the Microsoft Windows 2000 Support Tools from the Windows 2000 CD. These tools include the Dsacls.exe utility. You can use the Dsacls.exe utility to view, modify, or remove ACEs on objects in Active Directory.
2. Create a batch file that contains the following code.

       dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Send As"
       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Receive As"
       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Change Password"
       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Personal Information"
       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Phone and Mail Options"
       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Web Information"

      Note Replace "dc=<mydomain>,dc=com" with the distinguished name of your domain.
   3. Wait for an hour so that Active Directory has time to rewrite the security descriptor of all the user accounts that are members of any propagated groups.
   4. After the ADC replicates the changes, all users appear as "user" instead of as "CUSTOM."

You might also apply security update 916803, security update 912442, or the daylight saving time update for Exchange Server that is described in the following article in the Microsoft Knowledge Base: 926666 (http://support.microsoft.com/kb/926666/ ) Update for daylight saving time changes in 2007 for Exchange 2003 Service Pack 2. If you do this, you must prevent the AdminSDHolder from overwriting permissions that are granted to a BlackBerry Services account on protected groups. To do this, create a batch file that contains the following code:

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Send As" 
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Receive As" 
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Change Password" 
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Personal Information" 
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Phone and Mail Options" 
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Web Information" 
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\BlackBerrySA:CA;Send As"

Note: In this batch file, BlackBerrySA is a placeholder for name of the BlackBerry Service account (normally besadmin). If you have accounts in multiple domains, you can also specify the domain in the command line by using the following format:Domain\BlackberrySA.

Alternatively, best practices recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you must have the rights that are given to a protected group, we recommend that you have two Active Directory user accounts. These Active Directory accounts include one user account that is added to a protected group, and one user account that is used for e-mail purposes and at all other times.

Notes on the Iomega ix4-200d

Rob Engler — Thu, 29 Oct 2009 20:50:00 -0700

I still love the ix4-200d NAS, but there are a few things that got left out of the owner's manual that I had to figure out by trial and error.

Rsync only works against unsecured (wide open public) folders.
If you need secured folders to keep your vital files from being accidentally moved/touched/altered/deleted, using CIFS sharing will enable the security, but you may find that file copy or sync operations take longer than just an rsync operation due to additional overhead in the protocol. SMB signaling can get loused up quickly on a slow or unreliable link.
If you absolutely need to move large files between two of these at geographically distant locations, you can set up an rsync or copy operation to a USB-attached hard drive, mail that drive to the other location and rsync them from the drive to the destination folder. A poor-man's workaround for keeping fulls and incrementals in sync when the line just won't pass enough traffic to suit.
Turn off the power saving on the hard disks. Nice idea, but it takes almost a minute to spin all of the drives up so that the share becomes usable. Unless you really love watching the Windows hourglass spin...

Cheap and good SMB storage from Iomega

Rob Engler — Thu, 22 Oct 2009 21:30:00 -0700

A client wanted to set up a backup solution for their VMware environment. My preference on the backup software itself was Vizioncore's vRangerPro software, but I couldn't immediately name a storage device. I've played with the Buffalo Terastation and I have a Netgear ReadyNAS NV+ for my home storage but they both are lacking horsepower being that they are just larger NAS devices.

Another blog pointed out the arrival of the ix4 series from Iomega, which is now owned by EMC, which also owns a large chunk of VMware. Nice synergy, right?

So, not only will the client get a storage device that is built well, supports rsync for offsite replication and offers a good chunk of storage, but they'll also have a DR-worthy pair of devices to use if needed. A thread on the VMware forums seems to support using one of these to run several, if not a dozen, somewhat demanding VMs via iSCSI or NFS mounts. Nice bonus.

The only disappointment is expected: I was hoping for block-level replication, not file-level. I know rsync is file-level, but I was hoping that some of EMC's data de-dupe functionality would trickle down and make the periodic full backups easier to handle.

Update: So much for good testing. The ix4 does support block-level replication, so only the changed portion of a file gets pushed across. Serves me right for using entirely different contents for a file of the same name. Don't do this at home, folks.

Migrating from VMware Server 2.0

Rob Engler — Thu, 22 Oct 2009 20:50:00 -0700

I give in.

I've been running a few virtual machines in Server 2.0 on Ubuntu 9.04 on my Lenovo T500 laptop. It worked well enough when it was working. However, getting Server installed on the 64-bit version of Ubuntu requires some serious manual tweaks. I'd get it working fine, then the tempting offer of an update would cause me to break my instance.

<sigh>

Recompile, move files, cross fingers, get Server running again.

I don't have a real hope that moving to the supported/non-free version of VMware will really fix the issues given what I see in the VMware forums, but the fixes do seem to be easier to deal with.

I'll have to see if Windows 7 seems stable. I'd originally moved to Ubuntu on the perception that it would actually allow me to reliably control my hardware.

Setting up a Plone server

Rob Engler — Wed, 21 Oct 2009 22:05:00 -0700

Introduction

I like to set up my servers to have one or two functions on them, largely to take advantage of application partitioning by virtualizing the servers. This walkthrough will show you most of what you should do in setting up a Ubuntu 9.04 server running Plone 3. We'll have a Ubuntu 9.04 server running in front of this machine as a reverse proxy with some mod_rewrite magic to support running several sites on this Plone server.

Installing Ubuntu

You should be able to find any number of Ubuntu 9.04 "perfect" setup tutorials on the web, so I'll point you at the one that I like and will meet you back here after the OS is installed (HowToForge, stop at the bottom of page three).

Got it installed and ready? Great. I expect that your machine:

is running without errors
has been assigned a local static IP address
has had its hosts file adjusted to refer to itself by name
had its apt sources updated to allow packages from the universe, multiverse and security restricted repositories
has SSH running
has root access available (I run this install as root for sanity's sake, but you are welcome to "sudo" each command if you like)
has apparmor disabled
has NTP running

My next step is to use the console on VMware ESX to install and configure the VMware Tools for this VM. The steps are not included here as VMware is a moving target for installing the latest tools, but again, there are many sites on the web offering help in installing and activating the Tools.

Next, I find it helpful to alter the udev configuration files so that udev doesn't lock out the new MAC address generated by the virtual NIC swap. If you are using a physical machine, you can probably skip this step, but it won't hurt anyways.

Edit "/etc/udev/rules.d/75-persistent-net-generator.rules" and add the following line just below the first comments section to keep this script from firing:

GOTO="persistent_net_generator_end"

Now edit "/etc/udev/rules.d/70-persistent-net.rules" and comment out the devices that may be listed here so that they aren't blackballed on the next restart.

Installing Plone 3

Before we install Plone, let's install some dependencies for Plone. Run the following using sudo or as root:

aptitude install gcc g++ make readline libxml2 wv wget libjpeg62-dev

The easiest way to install Plone is to use one of the Unified Installers that plone.org offers. We'll start collecting the software we need in our current account's user directory. The current version as of this writing is 3.3.

cd ~
mkdir Plone3
cd Plone3
wget http://launchpad.net/plone/3.3/3.3/+download/Plone-3.3-UnifiedInstaller-20090907.tgz
tar zxvf Plone*.tgz

Now we can enter the Plone directory and start the install. My preference is to specify the admin password, install directory, and instance name as I expect to install more than a single instance of Plone on this server. Where the command specifies <pswd> or <instance_name>, pick a password or instance name (with no spaces) that suits you and remember those values.

cd ~
cd Plone*
./install.sh standalone --password=<pswd> --target=/var/plone3 --instance=<instance_name>

The installer will start churning away, installing the Python, Zope and Plone packages. Incidentally, keep this Plone directory around as you will use it when adding another Plone instance. The installer is aware enough to realize that it doesn't need to re-install the Python and Zope packages again and will just create the new instance you requested.

Configuring the instance

With the first Plone instance installed and dormant, we need to adjust the configuration files so that we can arrange the ports used for HTTP traffic. This is done in Plone 3 by editing the buildout.cfg located in the instance directory. Edit the file and then adjust the port to something other than port 80 for simplicity's sake.

cd /var/plone3/<instance_name>
nano ./buildout.cfg

    ...
    http-address = 10080
    ...

Save the change (in nano, Ctrl-O to save, then Ctrl-X to exit). To properly update the instance, run the buildout tool to apply your change to the instance.

./bin/buildout

With these changes applied, you should be able to start the instance by hand and look for any show-stopper errors in the console logging:

/var/plone3/<instance_name>/bin/plonectl start

If the instance starts with no critical errors, you can kill the process using Ctrl-C. We'll set up an init script to start the site on boot and then execute it by hand to start the instance as a service.

ln -s /var/plone3/<instance_name>/bin/plonectl /etc/init.d/<instance_name>
/etc/init.d/<instance_name> start
update-rc.d <instance_name> defaults

You should be able to point a web browser to http://<host_ip>:10080/manage and get an authentication prompt back. Use "admin" with the password you specified above to gain access to the Zope Management Interface (ZMI). From here, you can continue to customize the Plone instance.

Adding another instance to the same server

What's the fun in running one site per server? I'd rather have several sites running next to each other so as to share the installed Zope and Python packages, differentiated only by the port they answer on.

To add another instance, go back to the Plone installation directory (you kept that, right?) and run the install script again with different parameters:

cd ~
cd Plone*
./install.sh standalone --password=<pswd> --target=/var/plone3 --instance=<instance_name>

Next, update this instance's buildout.cfg and use a different port:

cd /var/plone3/<instance_name>
nano ./buildout.cfg

    ...
    http-address = 10081
    ...

Try running it as test instance as in the set up section above, and then create a link in the startup directory and lastly use update-rc.d to add this new instance to the list of services to start at boot. Rinse, repeat until your server runs out of capacity.

Enabling caching for performance improvements

This is assuming that you are using Apache 2.0 or 2.2. First, we'll need to enable disk caching:

a2enmod mod_cache
a2enmod mod_disk_cache

This enables the modules that support caching within Apache. With that done, we'll need to add an enabling section to the config for the particular site we're adding caching to.

 <IfModule mod_cache.c>
    <IfModule mod_disk_cache.c>
      CacheRoot /var/cache/apache2/proxy/<instance_name>
#      CacheSize 100
      CacheEnable disk /
      CacheDirLevels 2
      CacheDirLength 1
#      CacheGcInterval 4
#      CacheMaxExpire 3600
#      CacheLastModifiedFactor 0.1
#      CacheDefaultExpire 60
    </IfModule>
 </IfModule>

Note that some directives, such as CacheSize and CacheGcInterval, have been discontinued with Apache 2. I've set the caching directory for this site to be "/var/cache/apache2/proxy/wgpta"; adjust as you wish to match your site identifier.

Next, you need to create that directory and give the apache process owner rights to use it:

mkdir /var/cache/apache2/proxy/<instance_name>
chown www-data:www-data -R /var/cache/apache2/proxy

Now restart the apache2 service, visit the site and you should see a handful of new directories in the CacheRoot directory.

/etc/init.d/apache2 restart

You can use the "du" command to check on disk space used for your proxy cache:

du -h --max-depth /var/cache/apache2/proxy

Run this occasionally to see if any particular cache directories are getting overly large.

Security Changes

Hardening against spammers

Some of the features of your site can be used against you, such as mis-use of the "Send To" feature. This feature normally allows someone to email a friend a link to the page on your site that they are looking at, largely as a "hey, look at this" gesture. However, the address checking on this page is loose and will normally allow anyone to send to anyone else. As such, it has become a favorite loophole for spammers to use. Let's remove it now.

Here's a checklist to get rid of Plone's send-to functionality:

Take the "send to" ability away from unauthenticated users

In the Zope Management Interface (ZMI) of your Plone site, select the "Security" tab.
Scroll down to the "Allow sendto" permission and uncheck the "Acquire" and "Anonymous" boxes in its row. This will make it so that unauthenticated people can still reach the sendto form, but when they attempt to send, they'll get an error. This is the minimum to fix the problem.

Remove the sendto document action

In the ZMI of your Plone site, select portal_actions
In portal_actions, select document_actions

Do one of the following (the second is recommended)

Delete sendto
Click the "sendto" item to open its properties, then uncheck "visible?" and save

Replace the sendto_form page with a disabled message

In the ZMI of your Plone site, select portal_skins
Select the plone_forms folder
Click the "sendto_form" item, then click the Customize button
In the customizable field, delete the contents between the "<body>" and "</body>" tags and put in "This form/action has been disabled" instead. Save the form. For example:

  <body>

    <div metal:fill-slot="main"
         tal:define="errors options/state/getErrors;">

        This page/feature has been disabled.

    </div>

  </body>

The first step removes a visitor's ability to use the send_to form. The second step hides it from them, and the third step makes those who try to get to it by hand aware of the change.

Cisco/Linksys SPA962 handset

Rob Engler — Wed, 21 Oct 2009 22:05:00 -0700

I got a SPA962 handset in the course of a job and set it up to work with a local provider's Asterisk system. In the course of playing with it, I needed to set it to show an accurate time on the display.

To adjust these settings, you will need to log into the admin interface of the phone. You'll need to know the IP address assigned to it (likely static, as your firewall rules will need to point to it each time, right?) then enter http://<ip address>. My unit came with no passwords set, admin or otherwise.

After the status page is displayed, click on Admin Login, then Advanced in the upper left-hand corner of the page.
Next, click on the System tab. I've entered "us.pool.ntp.org" in the Primary NTP Server field, but you will need to adjust yours for the part of the world you are in. Click the Submit All Changes button at the bottom to commit this edit.
Next, click on the Regional tab. Near the bottom of the page under Miscellaneous you will find three settings to adjust: Time Zone, Time Offset and Daylight Saving Time Rule. The Time Zone for me is "GMT-8:00" and the Time Offset is "0:00:00". The Time Rule requires a bit more explanation.

This rule is asking for details on how your locale observes the start and end of the time adjustment, and how large that adjustment is. For me in San Diego, the rule reads

start=3/2/7:2:0:0;end=11/1/7:2:0:0;save=1

which translates as 'start on the second Sunday in March at 2am, end on the first Sunday in November at 2am, and increase the time by one hour during this period".

This parameter is a rule with 3 fields. Each field is separated by semicolon (;) as shown below:

start=<start-time>;end=<end-time>;save=<save-time>

where:

<start-time> and <end-time> are of the form: <month>/<day>/<weekday>HH:[mm[:ss]]]
<save-time> is of form: |HH:[mm[:ss]]]
<month> = 1,2,3,..,12 (for Jan, Feb, .., Dec)
<day> = |1,2,3,..,31
<weekday> = 1, 2, 3, .., 7 (for Mon, Tue, .., Sun), or 0 which has a special meaning
HH = hour (0-23), mm = minute (0-59), ss = second (0-59)

<start-time> and <end-time> specify the start and end time-date of Daylight Saving time and <save-time> is the amount of hour/min/sec to add to the current time during the Daylight Saving period. The <save-time> value can be preceded by a negative (-) sign if subtraction is desired instead of addition.

If <weekday> is 0, it means the date to start or end Daylight Saving is at exactly the given date. In that case, the value must not be negative. If <weekday> is not zero, then the Daylight Saving starts or ends on or after the given date if <day> is positive, or on or before the given date if <day> is negative. If <day> is -1, it means the <weekday> on or before the end-of-the-month (in other words the last occurrence of <weekday> in that month).

Optional values inside [ ] are assumed to be 0 if they are not specified. Midnight means 0:0:0 of the given date.

Example 1:

Starts at midnight on 1st Sunday of April; ends at midnight on the last Sunday

of October; add 1 hour (USA, N. America). Below are all equivalent rules:


start=4/1/7/0:0:0;end=10/31/7/0:0:0; save=1
start=4/1/7;end=10/-1/7;save=1
start=4/1/7/0;end=10/-1/7/0;save=1

Example 2:

Starts at midnight on last Sunday of April; ends at midnight on the last Sunday

of September; add 1 hour (Egypt):


start=4/-1/7;end=9/-1/7;save=1 (Egypt)

Example 3:

Starts at midnight on first Sunday of October; ends at midnight on the 3rd

Sunday of March; add 1 hour (New Zealand):


start=10/1/7;3/22/7;save=1 (New Zealand)

How to remove Last Modified tagline

Rob Engler — Wed, 21 Oct 2009 22:05:00 -0700

The way it is control in Plone is via the document_byline template macro, invoked in the bottom of the document_view template and other. There are two options to get the date and contributor removed:

Simply remove the reference to document_byline in your template views and you're done.
Modified the ploneCustom.css in your portal_skins/plone_styles add the following line:

.documentByLine { display:none; }

In my opinion this is follows the design of Plone2 which attempts to control everything from CSS.

Source: UC Merced School of Engineering

How to add a new event category

Rob Engler — Wed, 21 Oct 2009 22:05:00 -0700

When adding a new event, you see a list of event categories (Appointment, Convention, Meeting, Social Event, Work). If you want to add your own event types like Fundraiser, Luncheon, or Rally when using Plone 2 do the following:

To add your own event type:

Go to the ZMI for the Plone site (through plone_control_panel),
Click on the portal_metadata tool,
Click on the Elements tab,
Click on the Subject element,
You will see Element Metadata Policy title, click on the subject link
Find the content type event.
Add your new event types, one per line, to the Vocabulary list of the policy,
Click on the Update button for the policy.

Now, go back to your Plone site and add a new event. You should see your new event categories.

By way of further explanation, event types are metadata. Each content type in Plone has a list of metadata patterned after a subset of the Dublin Core standards. The Dublin Core metadata term called "subject" corresponds to "the topic of the content of the resource." In the case of a calendar event "resource", the event type is the Dublin Core "subject."

Source: UC Merced School of Engineering

Now, if you want to add categories or event types in Plone 3, just edit the item, choose the Categories tab and either select an existing category in the left-hand field or type a new category name in the right-hand field and Submit your changes.

Projects underway

Rob Engler — Wed, 21 Oct 2009 22:00:41 -0700

I've worked in a corporate IT department for the last fifteen years and I know what I like to have available in terms of resources. For my home network, some running as virtual machines under VMWare, I've set up the following machines:

a network tap device based on a Soekris 5501
a MySQL 5.0 dedicated machine
an inwardly-facing proxy running Apache 2.0 with mod_rewrite rules
a CMS machine running Plone 3
a logging machine running Splunk
an email server running the AllardSoft Mailserver
a CRM machine running SugarCRM

As much for my practice and reference as for your interest, I'll be making build documents showing how I built each machine and explaining my choices where needed. The OS of choice is Ubuntu server except for the network tap which is running FreeBSD 6.1. Check back occasionally to see what is new!

Opening of the Posting section

Rob Engler — Wed, 21 Oct 2009 21:55:00 -0700

A new logo, a new look and a new focus.

I've been working on presenting a more mature appearance for my company as clipart on your business card just doesn't put your best foot forward. Now I have materials that I'd feel proud to throw on the table at a luncheon or present to a prospect. Take a look around and email me at sales@englerconsulting.com with your thoughts.

Posts

Exporting AD membership lists

Command-line

Scripting

Setting home directories on Windows 7

Home Directories

Windows 7 home directory mappings

Setting up SSLVPN for the SonicWall TZ100

Recovering a VMDK pair

AD permissions and BES on SBS 2003

Notes on the Iomega ix4-200d

Cheap and *good* SMB storage from Iomega

Migrating from VMware Server 2.0

Setting up a Plone server

Introduction

Installing Ubuntu

Installing Plone 3

Configuring the instance

Adding another instance to the same server

Enabling caching for performance improvements

Security Changes

Hardening against spammers

Cisco/Linksys SPA962 handset

How to remove Last Modified tagline

How to add a new event category

Projects underway

Opening of the Posting section

Cheap and good SMB storage from Iomega