Installing SimpleSAMLphp and using it as SP and IdP (for development env. only)
Overview The goal of this walk through is to install SimpleSAML twice to work on a SAML authentication between two systems. We could have an application on one side using SimpleSAML SP and an LDAP, AD, CAS, etc plugged in SimpleSAML configured as an IdP. Installation of Simple SAML (1) Download simplesaml. Untar the package in a folder of your application, for example /var/www/myapp/library/simplesaml Edit your app's Virtual Host so that /simplesaml is accessible Alias /simplesaml /Users/samo/Workspace/simplesamlphp/www <Directory "/Users/samo/Workspace/simplesamlphp/www"> Order deny,allow Allow from all ...
Router, VPN and American IP
I happen to know an American in Paris. Expats have a wide range of specific problems that most people don't really ever worry over, for example: how do you teach a child two languages (hoping the child won't mix them up)? Do you have to declare/pay taxes in your country of origin? Which address do you give your bank counselor when opening your account? How do you transfer money from your bank in country A to your bank in country B? Anyway, one of the problems expats might have is accessing websites that have an IP-based location check (i.e. bank account ...
Watching movies on the iPad
One of the things I wanted to do with the iPad was to watch movies on the go (remember the last time you flew transatlantic and you had to watch The Karate Kid?...) At this point, I had no Movies, nor TV Shows in my iTunes so I am really starting from scratch here. Some of the movies I wanted to have on the iPad came from DVD (no Blu-Ray player for me at this point) and one video was a mkv file. So the first step was to import these files in a format that would suit iTunes. For the ...
MPD: Music Player Daemon
About a year and a half ago, the price of Hard Drives (and their size) suddenly made it possible for us to imagine having most of our content (music, DVDs) archived on Hard Drives and easily accessible across devices. As it turns out, we are still in the process of importing some of our CDs and DVDs on digital media and tagging all of that information. What a job that is... At the same time, we are constantly on the lookout for solutions to enjoy our music collection (and movies collection) across devices, wherever we are. A lot of recent events ...
Installing OpenSSH on Windows 7
Today, I was tempted to take control of a Windows machine remotely in console mode as I'm trying to script the launch and use of VLC. A quick Google search revealed the existence of the sshwindows project which is a more lightweight solution than a full cygwin installation. Here are the installation steps: Download and run the sshwindows installer. As the setup will tell you, some simple commands will be needed to complete the installation. Launch the windows command line tool (windows key -> type cmd -> press enter) and head to the directory in which you installed OpenSSH. [cc lang="bash"] cd \ cd ...
April 16, 2013
Warning : personal life and rant in this post, keep reading at your own risk.
I open Zite once a day and flip through the latest Programming, Movies and Tech news.
This evening – again – I captured a glimpse of an article title something like “Steve Jobs was right: the iPad killed the notebook”.
I am a mac user and an admirer of Steve Jobs but I can't see the point of such a title. Even had Steve Jobs claimed the iPad had killed the notebook and that turned out right, I doubt he cares for the applause now. RIP. Second, Apple sells notebooks too, and I'm sure they hope that notebooks are anything but dead. Actually, when I travel to Paris for work, I am surrounded by people who play on their phones, sometimes read on their iPad and often work on their notebooks.
This is actually why I love Zite, I see what the tech world has to gloat about and I pocket links to valuable articles.
Moving forward, this evening, even though I’d love to go pass out, I try and dedicate a moment to fix my neighbour’s computer.
It is a brand new Sony Vaio notebook with Windows 8. (See, notebooks are still being bought) and it works just fine.
So why should I fix it ?
Because when my neighbour starts it, it says: "Your computer does not have an antivirus, it is at risk".
My neighbour is like many Windows users out there, she is not tech savvy but rather worried when it comes to computers. Worried it might break down for obscure reasons leaving her without facebook and MSN access (well, Skype, as it is now).
And like many developers out there, I am always buried under a stack of computers people need me to “fix”.
And therefore, this evening, I am about to protect this little notebook’s life by trying and installing Windows Security Essentials on it.
As I discovered, this was going to be difficult. Windows Security Essentials is not for W8, I must simply use Windows Defender. Simple, right? WRONG -> RANT!
1/ Dear Microsoft, it took ten years for my neighbour to buy a first notebook, get DSL, go online, open a hotmail account, use outlook, and gather friends on facebook.
I’m sure it took her at least 20 minutes to find out the “Turn Off” was in the “Start” menu but, hey, she got used to it, her friends got used to it, it was “computers” and they all dealt with it.
Now, seriously, why did you change everything ?
2/ Microsoft, can’t you decide how you want your OS to run ? Should it be this weird full screen square interface (let’s call it WFSSI) or should it be my usual Windows 7 desktop ? Switching from one to the other with the Windows and ESC key is just weird.
My neighbour’s email was all over the place. She had them open in the WFSSI and also in a Firefox tab and also in an IE tab and I’m sure she would also have them in Outlook. So how should it be ?
How is it exactly that I access my apps from the desktop ? Oh yeah, I click on Windows Key + C and then start typing it. I’m sure my neighbour will think of typing “winword” to write a letter.
It’s just weird and feels like the decision to break away was not even fully made. It’s a mix of two worlds.
3/ Did you run some kind of championship at Microsoft's to elect the engineer who came up with the most hidden place for the new location of the turn off button? Or did you simply invest in electricity production for the next 5 years? How do you expect my neighbour to turn off her computer? Why would she even think of clicking on her name in the top right corner of the WFSSI? That is, provided she finds out how to get back to the WFSSI in the first place.
But Microsoft is not all to blame here, there are good things in this OS. This laptop runs fast, the app search is actually not far from a launcher or the Spotlight that geeks love on OS X or Linux.
4/ Dear Sony, why do you install crappy software on your pretty looking hardware? Why do you install TWO (!) McAfee programs which can only protect your notebook for 30 days WHEN WINDOWS 8 SHIPS WITH an antivirus / malware detector, unlimited and for free? Do you think of the embarrassment / pain / fear / trouble / waste of time / annoyance / ... you are causing to your users? After 30 days, their shiny notebook's "Maintenance Center" status turns to orange (and later to red) because their computer is not protected.
5/ Yes, I understand business, if McAfee pays you to install their software hoping to grab customers, can you at least make it simple to remove said software? I mean, when uninstalling McAfee, I'd want Windows Defender to work right away.
6/ I suppose Sony is not to blame here but McAfee is the culprit. Yes, after removing McAfee (if you ever stumble on the Control Panel in the new interface) you’ll realize that Windows Defender is still de-activated. You must Google your trouble to find the McAfee removal tool, run it and reboot (how dare you ask me to reboot, I can’t even find the shutdown anyway) and now Windows Defender is rolling.
7/ After doing nothing but REMOVING things, this computer runs better than when she bought it. Tomorrow, my neighbour will feel so safe carrying it back to her house with its little green flag in the task bar.
That’s a class act, guys. Good job.
If you are wondering what's happening to the PC notebook market, don't turn your heads to the iTouch devices and co. Just take a look at what you are shipping. My neighbour is 65 years old and she's telling me: "don't buy a sony", "my son says I'd be better off with that iPad thing", "oh, I see you use Apple". She couldn't care less for the tablet vs notebook debate, the Mac or PC thing, she just wanted to go on mail.live.com. You care to help her out?
Never mind, I’ll run a Linux Mint install party in my backyard next week.
Install node.js and npm
Thanks to this great post by Florian Kubis, this was quickly taken care of.
You need XCode and macports installed
# Install Node
sudo port install nodejs
# Check it works with
# Allow your user to write to /opt/local
sudo chmod -R g+w /opt/local/
# Install NPM
curl http://npmjs.org/install.sh | sh
# Check it works
Install JS Hint
# Install JS Hint using NPM
npm install -g jshint
Adding JS Hint to Sublime
This is detailed on the JS Hint GitHub page and goes like this:
- Launch Sublime
- Launch the Package Control > Install Package
- Select JS Hint
Run JS Hint on a JS File
- With an opened JS file in sublime, press Ctrl + J
January 31, 2013
I use Dropbox to sync, among other things, many of my application and profile settings (.bashrc files for example or Sublime Text preferences). I wanted to synchronize these same files with my Debian server even though it does not have a graphical interface installed. Good news, it’s possible. Yes, Dropbox rocks !
- Download the Dropbox package (select the right download: 32 or 64 bits). In my case, it was 64 bits, so I ran
wget -O dropbox.tar.gz "http://www.dropbox.com/download/?plat=lnx.x86_64"
- Extract the package
tar -xvzf dropbox.tar.gz
- Run dropbox
- Now, it gets funny: you need to go through the login and authorization process of your new client. Leave this shell open and running, it should display: This client is not linked to any account... Please visit https://www.dropbox.com/cli_link?host_id=7d44a557aa58f285f2da0x67334d02c1 to link this machine.
- Open another shell
- Using lynx, browse to the URL given in the message above
- Enter your login and password in the fields and submit
- On the next page, scroll a little bit and re-confirm your password
- That’s it, your client is connected and will synchronize.
- A Dropbox folder will be created in /home/
- Now, you might want your Dropbox client to start automatically... you will need to download this file into /etc/init.d/dropbox.
- Edit the third line of the script to enter your linux username
- Start the service with /etc/init.d/dropbox
That should be it. Great work by the Dropbox team to even consider a solution for windowless setups.
The installer shows you a list of suggested paths (in my case, they were all prefixed with the path to my user's home directory).
I didn’t agree with the suggested solution. To modify this :
I chose  and changed the path prefix to /usr/local/pear and continued installation.
Next, I edited my .zshrc (or .bashrc) to update my PATH and include the path to pear.
You can make sure that the path is updated and that pear is found with :
Playing with my brand new ZSH prompt, I needed to get a preview of my terminal colors.
To see the result above, you can:
- download this script [display_colors.py] and save it locally
- run it with python /path/to/display_colors.py --terse
When working on your prompt (or any other output you wish to colorize), you can pick the color you wish to use from the list.
Run python /path/to/display_colors.py without the --terse parameter. You will get a long list of colors, here's a sample:
From this list, we can tell that 31 is the code for a red and 32 for a greenish yellow. Next in the list, we would see 33 for another shade of yellow.
You can colorize text using the sequence \033[0;31m where 31 is the color you wish to display (here, the red).
For example, we can do
echo -e "colors \033[0;33mYellow \033[1;31mRed \033[0;37mcolors"
(-e makes bash's echo interpret the \033 escapes; zsh's builtin echo does so by default.)
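The sequence above is one SGR (Select Graphic Rendition) escape: ESC [ style ; color m. As an added example, not the display_colors.py script from the post, here is a small parser that splits such a string back into (style, color, text) segments, strips the escapes (useful before writing colored output to a log, where the raw bytes would otherwise land), and builds the terse color list. The FG_NAMES labels are the standard ANSI names, not the shades the post's terminal renders.

```python
import re

# One SGR escape sequence: ESC [ <params> m  (e.g. "\033[0;31m" or "\033[m")
SGR_RE = re.compile("\033\\[([0-9;]*)m")

# Standard ANSI foreground codes (the post notes 31 is red, 33 yellow, 37 white)
FG_NAMES = {30: "black", 31: "red", 32: "green", 33: "yellow",
            34: "blue", 35: "magenta", 36: "cyan", 37: "white"}


def sgr(style, fg):
    """Build the escape the post describes: \\033[<style>;<fg>m (style 0=normal, 1=bold)."""
    return "\033[%d;%dm" % (style, fg)


def parse_colored(text):
    """Split text containing SGR escapes into (style, fg, chunk) segments.

    fg is the 30-37 code in effect, or None when no colour has been set.
    Parameter 0 (or an empty list, as in "\\033[m") resets style and colour.
    """
    segments = []
    style, fg = 0, None
    pos = 0
    for m in SGR_RE.finditer(text):
        if m.start() > pos:
            segments.append((style, fg, text[pos:m.start()]))
        params = [int(p) for p in m.group(1).split(";") if p] or [0]
        for p in params:
            if p == 0:
                style, fg = 0, None
            elif p == 1:
                style = 1
            elif 30 <= p <= 37:
                fg = p
        pos = m.end()
    if pos < len(text):
        segments.append((style, fg, text[pos:]))
    return segments


def strip_sgr(text):
    """Remove every SGR escape so the plain text can be logged or compared."""
    return SGR_RE.sub("", text)


def color_table():
    """The terse listing: [(code, name, name wrapped in that colour), ...]."""
    return [(code, name, sgr(0, code) + name + "\033[0m")
            for code, name in sorted(FG_NAMES.items())]


if __name__ == "__main__":
    # Constructed sample: the same string as the echo command in the post
    sample = "colors " + sgr(0, 33) + "Yellow " + sgr(1, 31) + "Red " + sgr(0, 37) + "colors"
    for style, fg, chunk in parse_colored(sample):
        print("style=%d fg=%s text=%r" % (style, fg, chunk))
    for code, name, shown in color_table():
        print("%d %s" % (code, shown))
```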
Follow up (how to bold, underline)
A couple of weeks ago, I switched from bash to zsh on my Mac OS X machine; today, I decided it was time to do the same on my Linux server running Debian Squeeze. Here is how to switch:
* As root,
aptitude install zsh
* Enter your user's password when prompted
* Enter the name of the shell you wish to use: zsh
* Restart your terminal or SSH session; when you return, you will be running zsh
January 4, 2013
The goal of this walk through is to install SimpleSAML twice to work on a SAML authentication between two systems.
We could have an application on one side using SimpleSAML SP and an LDAP, AD, CAS, etc plugged in SimpleSAML configured as an IdP.
Installation of Simple SAML (1)
Untar the package in a folder of your application, for example /var/www/myapp/library/simplesaml
Edit your app's Virtual Host so that /simplesaml is accessible, for example:
Alias /simplesaml /Users/samo/Workspace/simplesamlphp/www
<Directory "/Users/samo/Workspace/simplesamlphp/www">
    Order deny,allow
    Allow from all
</Directory>
Restart Apache if necessary.
Setting Up your SP
Edit SimpleSAML's config file in config/config.php:
- Set 'debug' to TRUE
- Set an admin password: 'auth.adminpassword' to the password of your choice
- Set the 'secretsalt'
- Define 'technicalcontact_name' and 'technicalcontact_email'
Installation of Simple SAML (2)
Untar the SimpleSAML package again, this time in another folder, for example /var/www/simplesaml
Choose a URL for your IdP, for example http://auth.saml.net, and add it to your hosts file
Create a virtual host for your IdP; it will look something like
Alias /simplesaml /var/www/simplesaml/www
<Directory "/var/www/simplesaml/www">
    Options Indexes FollowSymLinks MultiViews
    Allow from all
</Directory>
Setting Up your IdP
Again, begin by editing the SimpleSAML config file and repeat the steps listed above. This time, you must also set 'enable.saml20-idp' to 'true'.
Since all this is just for development and test purposes, I set up my IdP with an exampleauth source. The login / password will be matched against a plain list of accounts defined in the authsources.php file.
- First, enable the exampleauth module:
touch /var/www/simplesaml/modules/exampleauth/enable
- Second, edit your authsources.php file (in the config directory) and create your users based on the following example:
// config/authsources.php (IdP side): a static user list served by the exampleauth module
'example-userpass' => array(
    'exampleauth:UserPass',            // the authentication module class for this source
    // Keys are 'username:password'; values are the attributes released for that user
    'user1:pwd' => array(
        'uid' => array('user1'),
        'mail' => 'firstname.lastname@example.org',
        'first_name' => 'User',
        'last_name' => 'One',
    ),
    'user2:pwd' => array(
        'uid' => array('user2'),
        'mail' => 'email@example.com',
        'first_name' => 'User',
        'last_name' => 'Two',
    ),
),
Next, make sure that the content of metadata/saml20-idp-hosted.php is
<?php
$metadata['__DYNAMIC:1__'] = array(
    /*
     * The hostname of the server (VHOST) that will use this SAML entity.
     * Can be '__DEFAULT__', to use this entry by default.
     */
    'host' => '__DEFAULT__',

    /* X.509 key and certificate. Relative to the cert directory. */
    'privatekey' => 'server.pem',
    'certificate' => 'server.crt',

    /*
     * Authentication source to use. Must be one that is configured in
     * config/authsources.php (here, the exampleauth source defined above).
     */
    'auth' => 'example-userpass',

    /* Uncomment the following to use the uri NameFormat on attributes. */
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => array(
        // Convert LDAP names to oids.
        100 => array('class' => 'core:AttributeMap', 'name2oid'),
    ),
);
Connecting the dots
Now, let's connect SP and IdP together.
- Browse to your IdP, for example: auth.saml.net/simplesaml
- Log in using the admin password defined in your configuration
- Click on the Federation tab
- You should see a SAML 2.0 IdP Metadata line; click on [show metadata] below it and copy the metadata URL, which should look something like http://auth.saml.net/simplesaml/saml2/idp/metadata.php
Back to the SP, edit the file config/authsources.php and add the declaration of your IdP based on this code sample :
// config/authsources.php (SP side): the SP authentication source pointing at the IdP metadata URL
'default-sp' => array(
    'saml:SP',                         // the SAML 2.0 SP module class for this source
    'entityID' => 'http://auth.saml.net',
    'idp' => 'http://auth.saml.net/simplesaml/saml2/idp/metadata.php',
),
Back to your browser, copy the content of the box “SimpleSAMLphp flat file format” and paste it in the file metadata/saml20-idp-remote.php of your SP.
Back to the browser, go to your application's SimpleSAML setup, for example http://myapp.localhost.net/simplesaml. Log in using the password defined in the configuration file. Browse to the Federation tab and click on the [show metadata] link for your default-sp.
Copy the content of the "SimpleSAMLphp flat file format" box and paste it in the IdP's metadata/saml20-sp-remote.php file.
That should be all for the setup, now you can test it by browsing to your SP side SimpleSAML for example
Log in using the admin password defined in the configuration file and click on the Authentication tab. Click on the link "Test configured authentication sources" and then on your IdP declaration in the list of authsources. This will perform a test SAML authentication.
If it fails, check the logs of both SimpleSAML installations and try to get help on the SimpleSAMLphp mailing list.
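The "Connecting the dots" steps copy the IdP metadata by hand once. As an added example that is not part of the post or of SimpleSAMLphp, the script below parses the XML an IdP metadata URL serves, pulls out what the SP's saml20-idp-remote.php entry is built from (entityID, Redirect-binding endpoints, signing certificate), and compares it with values pinned at setup time, so a later change of entityID or certificate, or an endpoint on plain http, is noticed. The XML, the endpoint paths other than metadata.php, and the certificate body are constructed sample data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the certificate body; not a real X.509 certificate.
PLACEHOLDER_CERT = b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE"
PLACEHOLDER_SHA256 = hashlib.sha256(PLACEHOLDER_CERT).hexdigest()

# Constructed sample of the XML served at .../saml2/idp/metadata.php
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://auth.saml.net/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://auth.saml.net/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://auth.saml.net/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % base64.b64encode(PLACEHOLDER_CERT).decode()


def parse_idp_metadata(xml_text):
    """Extract the fields an SP's saml20-idp-remote.php entry is built from."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    info = {"entityid": root.get("entityID"), "sso": None, "slo": None, "cert_sha256": None}
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT:
            info["sso"] = sso.get("Location")
    for slo in idp.findall("md:SingleLogoutService", NS):
        if slo.get("Binding") == REDIRECT:
            info["slo"] = slo.get("Location")
    cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is not None and cert.text:
        der = base64.b64decode("".join(cert.text.split()))   # DER bytes of the signing cert
        info["cert_sha256"] = hashlib.sha256(der).hexdigest()
    return info


def check_against_pinned(info, expected_entityid, expected_sha256):
    """Compare freshly fetched metadata with the values recorded at setup time."""
    problems = []
    if info["entityid"] != expected_entityid:
        problems.append("entityID changed: %s" % info["entityid"])
    if info["cert_sha256"] != expected_sha256:
        problems.append("IdP signing certificate changed")
    for url in (info["sso"], info["slo"]):
        if url and not url.startswith("https://"):
            problems.append("endpoint not served over https: %s" % url)
    return problems


if __name__ == "__main__":
    found = parse_idp_metadata(SAMPLE_METADATA)
    print(found)
    print(check_against_pinned(found, found["entityid"], PLACEHOLDER_SHA256))
```

On the dev setup from the post the https check fires for every endpoint, which is expected there; in any deployment beyond it, that line is the one to keep.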
Time to code
Now that everything works between the SP and the IdP, it is time to integrate the SAML auth into your application. You can do so by adding code similar to this to your authentication process:
$authService = new SimpleSAML_Auth_Simple($selectedIdp);
That’s it !
Piwik is an open source Google Analytics-like tool. Normally, it works by setting up Piwik and adding a tracking code (JS or PHP or any code able to call the API) to record your site's or app's usage.
Another option is to use Piwik to analyze your web server's logs to generate tracking information for all your websites.
Here is how to set this up:
- Download the project : http://piwik.org/latest.zip
- Unzip the archive in your webroot
- Browse to yourserver.yourdomain.com/piwik (or the URL you set Piwik up at).
- Follow the installation steps (database setup and first site creation). Follow the steps and click next on the tracking code page. We will not use this information in this setup.
- Once the setup is done, you need to run the script which will read the access.log file and generate usage data. The command looks like this:
python /path/to/piwik/misc/log-analytics/import_logs.py --url=http://yourserver.yourdomain.net/piwik --add-sites-new-hosts /var/log/apache2/other_vhosts_access.log
Replace /var/log/apache2/other_vhosts_access.log with the path to your Apache access.log or Apache vhost access logs.
- Browse to your Piwik installation again and you should see your stats.
- If everything works fine, you should add a daily task to run this script (using cron). Add a line similar to
0 6 * * * python /path/to/piwik/misc/log-analytics/import_logs.py --url=http://yourserver.yourdomain.net/piwik --add-sites-new-hosts /var/log/apache2/other_vhosts_access.log
August 18, 2012
Livebox and Freebox are DSL boxes provided by Orange and Free, Internet providers, to their customers in France. These boxes allow their owners to connect to the Internet (DSL), create a home network (router, wifi access point), make Voice Over IP calls and watch TV. They are known in France as "quadruple play boxes" and were first released by Free.
Anyway, because this equipment is for French users, I'll write this one in French.
How to connect the subnets of a Livebox and a Freebox?
Since I am lucky enough to work from home, I depend on the Internet professionally, so it is essential for me that my connection works at all times.
Since I am also lucky enough not to live in an urban area, I do not have a very high bandwidth (I am far from the 12 Mbps I had as a minimum when I lived in Ile de France).
For these two reasons, I have two phone lines (two physically separate lines between France Telecom and the house) and two Internet subscriptions: one with Orange (Livebox, no TV option, maximum speed around 3 Mbps) and one with Free (Freebox Revolution on a freshly unbundled line, maximum speed 5 Mbps).
The work computer is connected to the Livebox; the personal computers, iPhones and the Freebox Player go through the Freebox Revolution. This way, if one provider has a technical problem I can switch to the other, and above all a Mac OS X update download on my personal computer does not disturb my svn up on the work computer.
One problem remained: the work computer and the personal computers could not talk to each other (no access to the household's music hard drive, for example).
Until I found the following solution:
First, I used a tool to work out the addresses and subnet masks needed to create two subnets in 192.168.x.x.
Then I configured the Freebox to use the other subnet and, for DHCP, it will only assign IPs in 192.168.1.X with X > 126 and X < 253.
Only one problem was left: allowing traffic between the two subnets. For once, the solution is not implemented on the Free side (??!!) but in the Livebox (mobile calls are not free, there is no TV, but...) with its routing option.
It all starts by plugging a network cable from an Ethernet port of the Livebox into an Ethernet port of the Freebox (one of the RJ45 ports numbered 1 to 4, like any other computer on your network).
Then, for the configuration, go to the Livebox management interface at http://<IP_Livebox>, enter your admin password and go to the Configuration section.
From there, go to the Livebox entry, then Advanced settings (on the left), then the Routing tab (top right).
Here, add a routing rule:
- destination network: 192.168.1.128 (my Freebox's subnet)
- destination subnet mask: 255.255.255.128
- gateway: 192.168.1.X (the internal IP of my Freebox)
- interface: LAN
- metric: 0 (default)
- activation: enabled
I imagine this is not a very common network architecture, but I hope this guide can be useful to others.
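As an added example, not the subnet tool the post used, here is the arithmetic behind the setup with Python's ipaddress module: the /24 is split into two /25 halves, the Livebox rule is derived from the Freebox half and the Freebox's LAN address (192.168.1.130 is assumed, the post only says 192.168.1.X), and a DHCP range is checked against the usable hosts of its subnet. That check also shows the edge case at the boundary: the first usable host of 192.168.1.128/25 is .129, so a pool starting at .127 overlaps the other half.

```python
import ipaddress

# Constructed from the post: the home /24 is split into two /25 halves.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
# Assumed LAN address of the Freebox (the post only gives "192.168.1.X").
FREEBOX_LAN_IP = ipaddress.ip_address("192.168.1.130")


def split_in_two(net):
    """The 'subnet tool' step: return the two equal halves of a network."""
    return list(net.subnets(prefixlen_diff=1))


def dhcp_range_ok(net, first, last):
    """True when every address from first to last is a usable host of net,
    i.e. the pool excludes the network and broadcast addresses and does not
    spill into the neighbouring subnet."""
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    hosts = list(net.hosts())
    return hosts[0] <= first <= last <= hosts[-1]


def static_route(dest_net, gateway):
    """Build the Livebox routing rule with the fields the post lists.
    The gateway must itself sit inside the destination subnet, otherwise
    the Livebox has no link-local way to reach it."""
    if gateway not in dest_net:
        raise ValueError("gateway %s is not inside %s" % (gateway, dest_net))
    return {"destination": str(dest_net.network_address),
            "netmask": str(dest_net.netmask),
            "gateway": str(gateway), "interface": "LAN", "metric": 0}


def plan(home_net=HOME_NET, freebox_ip=FREEBOX_LAN_IP):
    """Lower half to the Livebox, upper half to the Freebox, plus the route
    the Livebox needs to reach the Freebox side."""
    livebox_side, freebox_side = split_in_two(home_net)
    return {"livebox_subnet": str(livebox_side),
            "freebox_subnet": str(freebox_side),
            "route": static_route(freebox_side, freebox_ip)}


if __name__ == "__main__":
    p = plan()
    print(p)
    upper = ipaddress.ip_network(p["freebox_subnet"])
    # The post's DHCP bounds (127..252) against the upper half: .127 is outside it
    print(dhcp_range_ok(upper, "192.168.1.127", "192.168.1.252"))
    print(dhcp_range_ok(upper, "192.168.1.129", "192.168.1.252"))
```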