Enable LDAP authentication in your WSGI applications!

repoze.who.plugins.ldap is a straightforward yet powerful solution to enable LDAP authentication in your WSGI application. It enables you to have LDAP authentication working in your new or existing applications, in a few minutes and with a few lines of code!

It’s a plugin for the repoze.who framework, featuring not only an LDAP authenticator, but also related utilities. It’s a fully documented project which also ships with a working demo application, so it’d be hard for you to get stuck.

I wrote this plugin in order to enable LDAP authentication in Animador. And in fact, it’s the first application that uses the plugin.

The latest version is 1.0, and you’re highly encouraged to play with it and give feedback!

Visit its website for more information!

Joining the development of TurboGears

I’ve had the great pleasure of being invited by the TurboGears team to become an official committer for the great TurboGears framework.

This is because I’ve been contributing patches for TurboGears 2 and other packages used by Animador (a TurboGears 2 application), since I started its development, in order to fix bugs and/or add new features that I want in Animador. So now I can apply my changes by myself! 😉

And stay tuned, because very soon it’s going to be very easy to add OpenId support to any WSGI application by means of a plugin for the framework-independent repoze.who package!

We need German translators to promote Linux! And others are welcome too

We need people to bring the first GNU/Linux website that doesn’t suck to all possible languages.

Until last year, translations were hard to set up and manage, so we created a special multi-website CMS focused on internationalization, which makes it really easy for translators to preview their work and release websites with a few clicks, and also reports any mistake translators and editors have made (if any), among other things. We also set up a web-based translation interface, for those who don’t want to use the traditional, not-so-easy-to-use CAT applications.

The Castilian and French translations were the first to be ported to the new system, and now the Catalan translation is near completion. But the German translation is just ~60% translated, which means the new edition cannot be released the new way. This has caused some problems since we’re using the new system, because we have to maintain it the old way, and the time we spend maintaining one outdated site could be used to improve the system that powers the other websites. So we decided to move on and stop maintaining it the old way, which means that it won’t be linked to from the upgraded websites, such as ObtengaLinux.org, until the German translation is complete.

So, if you’re a German speaker, please help us out. But if you speak a language other than German and English, you can help too. Just head on to the GLM website to find out how to be a translator.

PS: We already talked about this on the blog, but only Catalan translators came up. I’m making another try on my blog because I belong to some groups at Mugshot and thus more people can know about this.

Backing up and restoring your Subversion repository

Most tutorials around show how to back up your Subversion repository:

svnadmin dump /path/to/your/repository > ./repository.dump

And how to restore it:

mkdir /new/path/to/your/repository
svnadmin create /new/path/to/your/repository
svnadmin load /new/path/to/your/repository < ./repository.dump

But they don’t tell you how to solve the problem that will arise when you try to restore it:

svnadmin: Dump stream contains a malformed header (with no ':') at '* Dumped revision 0.'

The solution is very simple; just run:

grep --binary-files=text -v '^* Dumped revision' ./repository.dump > ./repository.clear-dump

Now you should be able to restore your subversion repository with no problems:

svnadmin load /new/path/to/your/repository < ./repository.clear-dump

PS: I don’t use hotcopy because I prefer to have a single file for these backups.

So long Debian servers, welcome Ubuntu

I’ve been assessing the possibility of switching GNU/Linux Matters’ servers (which are all powered by Debian) to Ubuntu, and I have finally decided to go for it.

They were running Debian for three reasons:

  1. Stability, something Debian is well-known for.
  2. A large user base, which brings two big advantages: a huge amount of packaged applications and good community support.
  3. I’m only familiar with Debian-based distros :)

And they weren’t running Ubuntu because, to be honest, I didn’t find Ubuntu reliable enough to power a server, mainly because of the cutting-edge applications it includes by default; it was just great for my personal computer. I guess this is mostly because I’ve been using Kubuntu since Breeze, and it was a highly unreliable system in the early versions – IMHO things began to take shape in Feisty and now Hardy just rocks.

I’ve started to switch our servers to Ubuntu because I think it’s the best choice, at least for us, because we still have the three advantages of using Debian (it’s based on it after all), plus:

  1. Packaged applications are up-to-date, so I don’t have to compile and maintain software that has an old version in Debian repositories (we often need the latest stable version). Yes, I can use Debian Testing, but this is not the only drawback.
  2. Uncomplicated Firewall. An extremely easy-to-set-up, basic firewall. It’s just a front-end to iptables-restore, so you can still add/adjust any rule according to your needs.
  3. Many other tiny (and not so tiny) benefits that together make a big difference.

The migration should take some months because it’s not a top-priority at present. There are many more things that should be done first.

Put simply, it’s not that Ubuntu is much better than Debian on the server, it just happens to make your job easier if you’re the administrator.

Installing Pootle on Debian Etch, The Easiest Way

Pootle is a user-friendly web application for online translation of contents. It’s used by organizations like Creative Commons, OpenOffice.org and GNU/Linux Matters.

I’m going to show you how to install it the easiest way, from my experience with the GLM Translation Service under Debian 4.0 (this guide might also work under Ubuntu, though). I’ll use the sudo utility, so I assume that you’ve already installed and configured sudo accordingly for your user.

Installing dependencies

Some of Pootle’s dependencies are available in Debian repositories, so we may install them by running:
sudo aptitude install python-dev python-pysqlite2 python-celementtree subversion bzip2 g++ curl

We’re now going to install the other software packages required by Pootle. First, select the directory where you want to download and compile your software, for example:
cd /usr/src

To get the source code of the packages and extract them, run the following commands:
curl http://www.kid-templating.org/dist/0.9.6/kid-0.9.6.tar.gz | tar xzv
curl http://dfn.dl.sourceforge.net/sourceforge/translate/translate-toolkit-1.1.1.tar.bz2 | tar xjv
curl http://garr.dl.sourceforge.net/sourceforge/translate/Pootle-1.1.0.tar.bz2 | tar xjv
curl http://jtoolkit.sourceforge.net/snapshots/jToolkit-0.7.8/jToolkit-0.7.8.tar.gz | tar xzv

Installing the applications:
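# Run each setup script from inside its own source directory so it finds its files
(cd translate-toolkit-1.1.1 && sudo python setup.py install)
(cd kid-0.9.6 && sudo python setup.py install)
(cd Pootle-1.1.0 && sudo python pootlesetup.py install)
(cd jToolkit-0.7.8 && sudo python jToolkitSetup.py install)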
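
The tarballs above are fetched over plain HTTP and then installed as root, so each one is worth checking before it is unpacked. The following is an added example, not part of the original HOWTO: verify_and_extract is a hypothetical helper that compares a tarball's SHA-256 with a digest you obtained from a trusted source and refuses archives with unsafe member paths. The page gives no digests, so the one in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): check a tarball's SHA-256 and
# its member paths before unpacking it where root will later run setup.py.

# verify_and_extract FILE EXPECTED_SHA256 DEST_DIR
# returns 0 = extracted, 1 = digest mismatch, 2 = file missing, 3 = unsafe path
verify_and_extract() {
    file=$1 expected=$2 dest=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
    # Reject absolute paths and ".." components (path traversal on extract).
    if tar -tf "$file" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $file" >&2
        return 3
    fi
    mkdir -p "$dest" && tar -xf "$file" -C "$dest"
}

# Constructed demo: builds a tiny tarball in a temp dir and checks it against
# its real digest and against a wrong one. No network access is needed.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/pkg-0.1" && echo "print 'hi'" > "$tmp/pkg-0.1/setup.py"
    tar -czf "$tmp/pkg-0.1.tar.gz" -C "$tmp" pkg-0.1
    good=$(sha256sum "$tmp/pkg-0.1.tar.gz" | awk '{print $1}')
    verify_and_extract "$tmp/pkg-0.1.tar.gz" "$good" "$tmp/out" && echo "ok: extracted"
    verify_and_extract "$tmp/pkg-0.1.tar.gz" "0000" "$tmp/bad" || echo "ok: rejected"
    rm -rf "$tmp"
}

# Real use (the digest is a PLACEHOLDER; obtain it from a source you trust):
#   curl -fSLo kid-0.9.6.tar.gz http://www.kid-templating.org/dist/0.9.6/kid-0.9.6.tar.gz
#   verify_and_extract kid-0.9.6.tar.gz "<sha256 from trusted source>" /usr/src
if [ "${1:-}" = "--demo" ]; then demo; fi
```
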

Do not install PyLucene

Pootle is supposed to work better with PyLucene, but if you (like me) hate headaches, you won’t install PyLucene on Debian Etch. If you try to install it, you’d get this error:
install: cannot stat `/usr/lib/security/libgcj.security': No such file or directory
make: *** [install] Error 1

There’s nothing you could install that would create that file, and don’t even try to create it as an empty file: you’d be able to install PyLucene, but Pootle won’t work and you’d get this error when you try to run it:
GC Warning: Repeated allocation of very large block (appr. size 65536):
May lead to memory leak and poor performance.

If it’s too late, and you’ve already installed PyLucene with libgcj.security as an empty file (as suggested in some mailing lists), you may fix it by running the following commands:
sudo mv /usr/lib/python2.4/site-packages/_PyLucene.so /usr/lib/python2.4/site-packages/_PyLucene.so.old
sudo mv /usr/lib/python2.4/site-packages/PyLucene.py /usr/lib/python2.4/site-packages/PyLucene.py.old
sudo mv /usr/lib/python2.4/site-packages/PyLucene.pyc /usr/lib/python2.4/site-packages/PyLucene.pyc.old

Don’t you have a mail server?

If your mail server is not in the same host as Pootle, you’ll need to install one. Just run the command below to install Postfix and then select “Internet website” when asked about what you’ll use postfix for:
sudo apt-get install postfix

Configuring Pootle

To make it easy for you to configure and play with Pootle, I suggest you create softlinks to Pootle’s configuration files in a folder like /etc/pootle:
sudo mkdir /etc/pootle
sudo ln -s /usr/lib/python2.4/site-packages/Pootle/pootle.prefs /etc/pootle/pootle.conf
sudo ln -s /usr/lib/python2.4/site-packages/Pootle/users.prefs /etc/pootle/users.conf
sudo ln -s /usr/lib/python2.4/site-packages/Pootle/html /etc/pootle/html
sudo ln -s /usr/lib/python2.4/site-packages/Pootle/templates /etc/pootle/templates

This way, any file you might ever need to edit will be in /etc/pootle.

Now let’s edit the main configuration file in Pootle:
sudo nano /etc/pootle/pootle.conf

It’s well-documented, so I won’t talk a lot about it. I just suggest you only set the following parameters accordingly:

  • description: Describe your website powered by Pootle, with a text aimed at (potential) translators.
  • fromaddress.
  • supportaddress: The email address for translators to ask questions. This might be a mailing list.
  • defaultrights: I suggest you set it to defaultrights = "view, suggest, archive, pocompile, translate, commit"
  • podirectory: It’s the path to your translation files. For this HOWTO I’ll use /var/translations.

Your pootle user

I suggest you create a user for running pootle:
sudo adduser --disabled-password --disabled-login pootle

Setting up service scripts for Pootle

Create the file /etc/init.d/pootle as root with the following contents:
#!/bin/sh
# /etc/init.d/pootle: start and stop the Pootle Server
# Pootle runs as user -pootle- via sudo
# This script is based on the one published here http://translate.sourceforge.net/wiki/pootle/service_scripts
# Directory holding the start_pootle, stop_pootle and status_pootle helper scripts
PREFIX=/usr/local/pootle
test -x /usr/bin/PootleServer || exit 0
. /lib/lsb/init-functions
case "$1" in
  start)
    log_begin_msg "Starting Pootle Server..."
    /usr/bin/sudo -u pootle $PREFIX/start_pootle &
    log_end_msg 0
    ;;
  stop)
    log_begin_msg "Stopping Pootle Server..."
    $PREFIX/stop_pootle >/dev/null 2>&1
    log_end_msg 0
    ;;
  restart)
    log_begin_msg "Stopping Pootle Server..."
    $PREFIX/stop_pootle >/dev/null 2>&1
    log_end_msg 0
    log_begin_msg "Starting Pootle Server..."
    sudo -u pootle $PREFIX/start_pootle &
    log_end_msg 0
    ;;
  status)
    # Report whether the server is running, using the helper script below
    $PREFIX/status_pootle
    ;;
  *)
    log_success_msg "Usage: /etc/init.d/pootle {start|stop|restart|status}"
    exit 1
    ;;
esac
exit 0

Now let’s create, as root, the auxiliary scripts required by the script above, in /usr/local/pootle (the directory that $PREFIX stands for):

#!/bin/sh
# $PREFIX/start_pootle
# Start script in port 8080, separates errors from normal logs
# based on a script published here: http://translate.sourceforge.net/wiki/pootle/service_scripts
# /var/log/pootle must exist and be writable by the pootle user
export HOME="/home/pootle"
/usr/bin/PootleServer -p 8080 "$@" >> /var/log/pootle/`date "+%F"` 2>> /var/log/pootle/`date "+%F"`.err

#!/bin/sh
# Stop script $PREFIX/stop_pootle
# based on a script published here: http://translate.sourceforge.net/wiki/pootle/service_scripts
echo "Killing Pootle"
pidpootle=`ps -ef |grep PootleServer |grep python | awk '{print $2}'`
pidpootle2=`ps -ef |grep start_pootle |grep bin | awk '{print $2}'`
kill $pidpootle2 >/dev/null 2>&1
kill $pidpootle >/dev/null 2>&1

#!/bin/sh
# Pootle Status $PREFIX/status_pootle
# based on a script published here: http://translate.sourceforge.net/wiki/pootle/service_scripts
pidpootle=`ps -ef |grep PootleServer |grep python | awk '{print $2}'`
if [ "$pidpootle" != "" ]
then
    echo "Pootle Server running in pid ($pidpootle)"
else
    echo "Pootle Server is not running"
fi

Make them work!

Now we have to make these scripts useful:
sudo chmod +x /etc/init.d/pootle
sudo chmod +x /usr/local/pootle/s*
sudo update-rc.d pootle defaults

Configuring Pootle to use your repository

Pootle supports several VCSs, but I’ll only teach you how to set up a Subversion working copy that Pootle may update and commit. If you don’t use a version control system, I recommend you do so. If you’re sure you don’t need it, you may skip this section. If you’re using another VCS, you’ll need to go to Pootle’s website to learn how to configure it with Pootle.

Set up your working copy

Let’s create the working copy at, say, /var/translations. To do that in GNU/Linux Matters, we would run:
sudo svn co https://svn.gnulinuxmatters.org:81/i18n /var/translations
You should replace the URL by yours.
And don’t forget to set the pootle user as the owner:
sudo chown pootle -R /var/translations

Create basic cronjobs

We should run two scripts from time to time:

  • One to commit the changes made by translators; ideally, these changes would be committed by translators themselves, but from my experience you should not count on that (most of them forget about it or just don’t know they can do that).
  • Another to update your PO templates from the repository.

So we’re going to ask our pootle user to do this by creating cronjobs. First, become pootle:
sudo su - pootle
Then run crontab -e and add the following two lines:
*/15 * * * * /usr/bin/svn update /var/translations >> /dev/null 2>> /home/pootle/update.err
0 0,8,16 * * * /usr/bin/svn commit -m "Uncommitted translations in the last 8 hours" /var/translations >> /dev/null 2>> /home/pootle/commit.err

Pootle is running on port 8080

For security reasons, if you followed this HOWTO you’ll be running as the pootle user, not as root. And due to a UNIX misfeature, only root may open ports below 1024. So, unless you love appending the port number to your URLs, and if port 80 is available on your system, you should proxy Pootle through a webserver.

The proxy trick is recommended, but if you cannot do that or just don’t want to, you can use iptables to redirect traffic from port 80 to 8080. My suggestion would be to use the following iptables ruleset:
# Generated by iptables-save v1.3.6 on Thu Jan 24 16:40:59 2008
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Thu Jan 24 16:40:59 2008
# Generated by iptables-save v1.3.6 on Thu Jan 24 16:40:59 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [495:60715]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Accept replies to connections this host opened (e.g. the svn cron jobs);
# without this rule the REJECT rules below would reset them
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Jan 24 16:40:59 2008

For more information about this basic iptables-based firewall, you may read my Setting up your first server HOWTO.

Criticism? Suggestions? Complaints?

Leave a comment!