Apple Wireless Keyboard on Windows [AppleKeyboardInstaller.exe]

At the weekend I found a solution to a long lasting problem of mine. I have a Apple Wireless Keyboard, because two years ago it was the best Bluetooth keyboard on the market (Currently I can't say, didn't checked again). So, I use the keyboard every day mostly for writing text ;), but the device doens't posess a DEL, POS1 and END-Key and thus it is hard to navigate during typing.

The solution is install the keyboard driver provided by Apple in the Bootcamp package. The driver I use is from a OS X Leopard installation disc.
Or download it here: http://www.happytocode.com/post/Apple-Aluminium-keyboard-Boot-Camp-20-Windows-drivers.aspx

PS: After I found the solution myself, I had the correct google search term and solutions older than my keyboard. But it works.

UPDATE:
The keyboard driver sometimes leads to Bluescreens, so I am back using the standard windows drivers without the additional keyboard shortcuts.

Credit card: Visualize your money

Some time ago I had a discussion about (dis-)advantages of physical against non-physical stuff. She argued that non-physical is mostly too abstract for the user and thus not that easy to use in daily life.
We argued about "real" money as physical and credit cards as non-physical example. The advantages of real money are that you see what you have and you can only spend that. The advantages of the credit card are that the payment is easier and payment via internet is possible.

The main disadvantage is that you as user can't see how much money you spend or you have available. The card looks always the same.

Assume that materials are available that could either shrink or change it's color. Using this the credit card will get smaller if you pay with it and slowly reach your limit. Or the card could get orange if are in reaching line of credit and red if your are in.
Thus you as user would "feel" how much money is available and it is much easier to cope with the abstraction from real money.

PS: Only an experiment in mind.

Windows shell (cmd) and loops

FOR %t in (1, 2, 3, 4, 5, 6, 7, 8, 9, 10)
DO FOR %g IN (1,2,3,4,5,6,7,8,9,10) DO ECHO %t %g

Hopefully I have never to use the windows shell again!

JSF 2.0: Mojarra and multipart/form-data (File Upload) [Glassfish]

It is a quite a mess that Mojarra doesn't support h:forms that use enctyp multipart/form-data, because you can't access possible available parts in the JSF Controllers.

The following wrapper extends a HttpServletRequest so that getParameter also uses available data in HttpServletRequest.getParts().

You can than access the HttpServletRequest via
FacesContext.getCurrentInstance().getExternalContext() and use getParts own your own.

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.Part;

/**
 * The mojarra implementation does not parse POST request that are multipart encoded, 
 * because the parameters are not accessable via getParameter().
 *
 * This class extends the HttpServletRequest to provide access to the parameters
 * which are encoded accessable via getParts.
 *
 * All parts are made visible that have contentType == null && size < 300.
 *
 * If the request is not multipart encoded, the wrapper doesn't modify the behavior of the original HttpServletRequest.
 * @author dennis
 */
public class MultipartHTTPServletRequest extends HttpServletRequestWrapper {

    protected Map parameterParts = new HashMap();

    public MultipartHTTPServletRequest(HttpServletRequest request) {
        super(request);

        if (getContentType() == null) {
            return;
        }
        if (!getContentType().toLowerCase().startsWith("multipart/")) {
            return;
        }
        try {
            for (Part i : getParts()) {
                if (i.getContentType() == null && i.getSize() < 300) {
                    parameterParts.put(i.getName(), getData(i.getInputStream()));
                }
            }
        } catch (IOException ex) {
            Logger.getLogger(MultipartHTTPServletRequest.class.getName()).log(Level.SEVERE, null, ex);
        } catch (ServletException ex) {
            Logger.getLogger(MultipartHTTPServletRequest.class.getName()).log(Level.SEVERE, null, ex);
        }
    }

    private static String getData(InputStream input) throws IOException {
        String data = "";
        String line = "";
        BufferedReader reader = new BufferedReader(new InputStreamReader(input));
        while ((line = reader.readLine()) != null) {
            data += line;
        }
        return data;
    }

    @Override
    public String getParameter(String name) {
        String result = super.getParameter(name);
        if (result == null) {
            return parameterParts.get(name);
        }
        return result;
    }
}

Java Servlet (3.0): How can I access multipart encoded content provided by a http post request?

At the last friday i stood right before a tricky problem: How can I save a image provided via HTTP post into a database?
I had three problems:
1. How to upload a file via HTML?
2. How to access the data at the server side?
3. How to put in the database using JPA?

The first one was easy, just create a html form add a input field (type='file') and a submit button.

The second one cost me one day. And it was really simple: Just place the @MultipartConfig annotation at the class definition of the servlet and use HTTPRequest.getPart[s]() methods to access the data as an inputstream.

The last part was straight forward: use a InputStreamReader to copy the data into a byte[] and add @Lob byte[] field to the entity class.

Because I use MySQL it was necessary to change the columnt type from TEXT to MEDIUMBLOB.

Java: CDI & ConversationScope

Yesterday I recreated my web app project with maven. Now CDI is available and @ConversationScoped is really nice and makes the development a lot easier.
I used Glassfish v3.

... Post my pom.xml tomorrow again.

Goodbye 85.214.89.182 (g00se.org)

It's the last day of my good old vServer for g00se.org.
Tonight they will come and cut him off.

To keep him in memory old.g00se.org points to his former home adress.

Windows 7: Share your internet uplink via wireless ad-hoc network (ICS)

Scenario
You have one windows 7 device with a direct internet connection like UMTS and you won't to share the connection via an ad-hoc wireless network with another device. In my case it is a XDA neo.
Everything happens in the Network and Sharing center.

1. Properties section of the network device with the uplink:
   under sharing active ICS and re-connect the device to internet
   
2. Create a new ad-hoc network (use encryption!)
   
3. Join with another device the network
4. Set the wireless ad-hoc network location to "Home"
5. Disconnect from the ad-hoc network and rejoin (device with uplink)

The internet sharing should now work.

Ubuntu-vm-builder default login

Today I created a ubuntu virtual machines with ubuntu-vm-builder. When I tried to login nothing worked. I searched the web and found only the parameter --username, --password and --name. But I can't recreate two VM using an UMTS uplink :(.

I booted one machine (ubuntu jaunty VM) and used the password reset procedure to get a running root shell. In the passwd I found a user ubuntu. I rebooted and used ubuntu:ubuntu as credentials.
Default username: ubuntu
Default password: ubuntu

Thanks to NO documentation and man pages for ubuntu-vm-builder... Addon:
The packet is named python-vm-builder. See also https://help.ubuntu.com/community/JeOSVMBuilder.

CSS cheat sheet

Found by SOW: CSS cheat sheet.

SQL cheat sheet

Found by SOW: SQL cheat sheet.

HTML cheat sheet

Found by SOW: HTML cheat sheet.

PHP cheat sheet

Found by SOW: PHP cheat sheet.

Power consumption of the internet

Nice article....

SIP client for Windows (using ekiga SIP service)

After long time of crawling the web, I have found a solution to use the ekiga.net SIP service from Windows. Many of my friends use skype, but it is an annoying part of software. So I started using ekiga and ekiga.net as provider.

Microsoft itselfs provides a SIP client (netmeeting). The developer of Ekiga provides a nice howto.

Getting DBUS Messages from Networkmanager (Python)

I had some spare time and so I started playing with DBUS. I was annoyed that after NetworkManager established a connection I always start the same programs like ekiga, pidgin, firefox and evolution. So I wrote a small python program that start software if the NetworkManager singals an open connection via DBUS. The NetworkManager DBUS-API is available. The hardest part was to find the docs.

#!/usr/bin/python
from dbus.mainloop.glib import DBusGMainLoop
import gobject
import dbus
import subprocess

def signal_deviceNowActive(data=None):
  if data is not None and data[dbus.String("State")] == 2 :
    subprocess.Popen("ps -C pidgin    || pidgin &", shell=True)
    subprocess.Popen("ps -C ekiga     || ekiga &", shell=True)
    subprocess.Popen("ps -C evolution || evolution &", shell=True)

print "init loop"

DBusGMainLoop(set_as_default=True)

loop = gobject.MainLoop();

print "init dbus"

dbus.SystemBus().add_signal_receiver(signal_deviceNowActive, signal_name=None, dbus_interface="org.freedesktop.NetworkManager.Connection.Active")

print "start loop"

loop.run() //UPDATE: thanks for your comment

Cort Dougan: Good Programmers are Not Lazy

Made me knowingly  smile...

Book: Domain-Driven Design (Eric Evans)

In the last summer ('08) I had the time to read that book. A friend of mine (thanks to Thorben) suggested that the book is really worth a try. The cover says: "Tackling complexity in the Heart of Software". And that is a really summary.

Evans describes with short examples situations in software development projects which can lead to critical problems later. He uses the short stories to analyze the situation, make the problem and cause clear. Based upon that he describes a pattern (a style to develop software; mostly organizational stuff) to get rid of it.

The first one he suggests is a "ubiquitous language". In short he says that all people connected to the project should use the same language, so that everyone can talk to everyone about the domain. That is not about technical stuff or infrastructure. It is mere that all know all what the software should / will be used to.

It's a quite good book with well choosen practical examples and it helped to understand that real development differs from educational stuff in a sense of organization, time and size. It would have been helpful, if I read it earlier.

Lecture: Open Wins – the Future of Software & Technology (Scott McNealy, SUN)

Scott McNealy the chairmen and a co-founder of SUN visited the TU Berlin on 06-11-08. He visited the university to give a short talk about open source software and why it became and will be  a pushing element for technical innovations. Because he is with SUN the content of the talk was mostly about how  SUN was, is and will be involved in the development of open source.
The essance of the talk was:
    Open Source is good (not only code, also products [specifications])
        reducing the dependency between the developer and the user
        programmers improve their code style (someone else can read your stuff)
    Strategy of SUN
        He anwsered the question why SUN is doing open-source

Interesting points:
    Java
        happens transparently (ref: mobile phone and blue-ray players)
        is running on 6^9 devices (hope I got it right)
    Oracle Enterprise Edition costs 400.000 $ per core(!)
    
Cool quotes:
    "Free is the new black!"
    "Return on no-investment."
    "Steal software legally"
    "We don't want you to do .NET! Watch your hands!"

Provided links during the talk:
    Netbeans.tv: the community site of Netbeans.
    Solaris Express Developer Edition (SXDE) A developer edition of solaris with many tools

All in all I can say that Scott is a really good entertainer. It was a really nice talk!

Thanks to Prof. Brandenburg for the information.

JTree on an JScrollPane and resizing

Early on the morning I read my early morning bug reports ;).

It was about an JTree on a JScrollPane. The model of the will be modified during runtime and fires events if something is changes. So far everything looks pretty straight forward and it works.

The problem occured if the tree gots larger than the parent scrollpane, so I believed the scrollpane starts to activate the scrollbars and everything stays cool... But the tree never changed it's size. It simple stayed in the old size and the scrollpane didn't start scrolling. And so some items of the tree were invisible.

TreeModel model = new DefaultTreeModel();
JTree tree = new JTree(model);
tree.setPreferredSize(new Dimension(100, 100));
JScrollPane pane = new JScrollPane(tree);

The model fires an TreeModelEvent (DefaultTreeModel.nodeStructureChanged) and the tree get's an JTree.treeDidChange() so it can recompute it's size.

This doesn't work out. It was necessary to set the preferred size of the tree to null before excecuting treeDidChange...

Why? I honestly don't know...

VOIP for GNOME Desktop: Ekiga

Yesterday I got some time to start playing with SIP. I used Ekiga a SIP client for the gnome-desktop. After installation I got an account on ekiga.net and everything went fine. The provided configuration wizard is really cool stuff. The hole action consumed 10 minutes and afterwards I spent 1 hour to get the sound devices working. And it did, but it was really annoying. The only problem now is that my built-in (Thinkpad X60) microphone produces a feedback if I use the internal speakers. The only solution is to use headphones and don't type or click during a call.

At last: sip:500@ekiga.net is a echo service, so you can test your configuration. Next week I will try to get my bluetooth headset running.

JAX-WS: ORA-31011

Today, I tried to do something useful for my bachelor thesis. I tried to query a Oracle 11G DBMS via a SOAP-based Webservice. Using the instruction from Andrea and Oracle I got the service up and running. The Webservice was reachable under http://localhost:8080/orawsv and presented it's wsdl via http://localhost:8080/orawsv?wsdl.

Now the trouble started:
The URL from the Oracle HTTP-Server is secured via HTTP-Authentification. Ok so I downloaded the WSDL and created the stubs from a local file with the JDK's wsimport. Now I needed to tell the Webservice Client Provider to authenticate if necessary:

ORAWSVPortType port = new ORAWSVService().getORAWSVPort();
Map<String, Object> requestCtx = ((BindingProvider) port).getRequestContext();
requestCtx.put(BindingProvider.USERNAME_PROPERTY, "user");
requestCtx.put(BindingProvider.PASSWORD_PROPERTY, "password");

The first test ended with a desaster:

Exception in thread "main" java.lang.IllegalArgumentException: faultCode argument for createFault was passed NULL
at com.sun.xml.messaging.saaj.soap.ver1_1.SOAPFactory1_1Impl.createFault(SOAPFactory1_1Impl.java:56)
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:108)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:254)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:224)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:117)
at $Proxy32.xmlFromQuery(Unknown Source)
at productcatalogws.Main.main(Main.java:49)
Java Result: 1

I couldn't make anything useful out of these messages. The only thing I found was a dead end: bug_id=6587659.

So I started debugging:

First view the SOAPMessages:
I used the cool charles proxy.
Configuration for JAVA:

System.getProperties().put("proxySet", "true");
System.getProperties().put("proxyHost", "localhost");
System.getProperties().put("proxyPort", "8888");

After viewing the messages without noticing anything of interesst except:
ORA-31011: XML parsing error, but without any reference to the Webservice.

I found a cool tool to use webservices: soapUI (you can do everything I needed using it!!) and queried the Oracle Webservice by hand. And it worked!

The problem was that the default JAX-WS Provider does send:
Content-Type: text/xml;charset="utf-8"

And the Oracle HTTP Server expects:
Content-Type: text/xml;charset=UTF-8

An example SOAPMessage (including the header):

Authorization: Basic XXXXX
Host: localhost:8080
Content-Length: 314
SOAPAction: "http://localhost:8080/orawsv"
User-Agent: Jakarta Commons-HttpClient/3.0.1
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:oraw="http://xmlns.oracle.com/orawsv">
<soapenv:Header/>
<soapenv:Body>
<oraw:query>
<oraw:query_text type="SQL">SELECT * FROM PRODUCT</oraw:query_text>
</oraw:query>
</soapenv:Body>
</soapenv:Envelope>

The questions are:
Does JAX-WS something wrong during the request or is the DB Webservice the bad guy?
And why doesn't JAX-WS handle the SOAPfault correctly?

Used software:

javac --version:

java version "1.6.0_04"
Java(TM) SE Runtime Environment (build 1.6.0_04-b12)
Java HotSpot(TM) Client VM (build 10.0-b19, mixed mode)

Oracle 11G DBMS:

Oracle Database 11g Release 1 for 32-bit Windows.

OpenSSH using Kerberos via GSSAPI

I missed to activate a small and tiny feature during the update to Debian Etch: OpenSSH with GSSAPI support. What does sat mean?

1. g00se.org uses Kerberos for authentification.
   
2. Kerberos offers Single-Sign-On.

I missed to upload my subversion working copies over ssh without typping my password everytime. So I installed ssh-krb5 to add the cool behavior.

Cyrus and Exim4 authentification using Kerberos via GSSAPI

Today I used my spare time to let the SMTP and the IMAP server of g00se.org using the GSSAPI for authentification.
The necessary cyrus-sasl libaries were already installed. So I really don't know which are exactly required. I suppose the cyrus-sasl gssapi libary should meet all requirements. I needed to install the exi4-daemon-heavy instead of the light one. The the heavy one does support authentification using the cyrus-sasl libary.
I created the principals imap/g00se.org and smtp/g00se.org and put them into the default keytab.
And modified the configuration files of both services to let them propose GSSAPI as alternate authentification mechanism:
(cyrus): imapd.conf:
sasl_mech_list: PLAIN GSSAPI
and
(exim4): [/etc/exim4/conf.d/auth/01_exim4-config_gssapi]
gssapi_server:
driver = cyrus_sasl
public_name = GSSAPI
server_mech = gssapi
server_hostname = g00se.org
#server_realm = G00SE.ORG
server_set_id = $auth1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
Thanks to Sean for a short and easy description.
PS: Exim4 does use the splitted configuration file option of Debian. So you can put the lines anywhere into the authentification section.

Apache with Kerberos authentification

Special thanks to the guys who invented mod_auth_kerb. I removed the PAM authentification modules, which I only used as wrapper to get Kerberos auth through PAM and replaced it with mod_auth_kerb.
Here is the small configuration:

Krb5Keytab /etc/apache2/krb5.keytab
KrbAuthRealms G00SE.ORG
KrbServiceName HTTP
<Directory /x>
AuthType Kerberos
Require valid-user
</Directory>
That's all! Cool.

The Firefox bundled into my OpenSUSE 10.3 does already contain all necessary configurations. I only needed to add g00se.org to network.negotiate-auth.trusted-uris in about:config. So he does accept the offer to do GSSAPI authentification  with these URIS. And that's pretty cool. At least I need to figure a way to get my M$ system use such cool stuff.

Exim4 and Saslauthd [service=]

Hello! Since I upgraded g00se.org from Debian Sarge to Etch the authentification mechanism of my exim mail server doesn't run properly. I used as I descriped early the saslauthd to authentificate against the pam. Everything went fine. I believed, but a few weeks later (I used all the time my webinterface to send mails.) the exim couldn't use the same credentials as the imap server. The saslauthd always claimed that my credentials are false and so exim awnsered with a SMTP Error 535: Authentification failure. Tonight I managed to look into the problem and it's source. I checked the saslauthd using testsaslauthd. If I used: testsaslauthd -s smtp -u XXX - p XXX everything went fine and the saslauthd replied with credentials ok. But if I issued testsaslauthd -s "" -u XXX - p XXX I got a pam authentification error. I tried the same using exim and same behavior appeared, exim doesn't set the name of the service and so all authentification will fail. The problem is that the saslauthd will try to authenticate against a pam configuration which is not available. Note: I have in /etc/pam.d/ a file called smtp which defines the pam behavior for my smtp service ;). The messages (/var/log/auth.log): Dec 3 00:55:50 h1206589 saslauthd[22244]: do_auth : auth failure: [user=XXX] [service=] [realm=] [mech=pam] [reason=PAM auth error] Dec 3 01:18:45 h1206589 saslauthd[22247]: do_auth : auth success: [user=XXX] [service=imap] [realm=] [mech=pam] As you can see the name of the service is in the first log empty. I found a solution you can tell the exim how to call the saslauthd (Snip of the authentification part of my exim service): plain_saslauthd_server: driver = plaintext public_name = PLAIN server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}} server_set_id = $auth2 server_prompts = : .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} .endif login_saslauthd_server: driver = plaintext public_name = LOGIN server_prompts = "Username:: : Password::" # don't send system passwords over unencrypted connections server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}} server_set_id = $auth1 .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} .endif Now tell exim that he have to use a service for saslauthd change: server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}} into server_condition = ${if saslauthd{{$auth2}{$auth3}{smtp}}{1}{0}}. smtp have to be the name of the pam configuration file. That's all. Everythings work as expected.

JOptionPane and the Focus

I started to write a login screen (NEED: two input field [username, password]and two buttons [ok, cancel]). Since a login is a blocking panel I created a JPanel and put that on a JOptionPane.showDialog(...). Everything looked quite fine, but the default focus was set on the OK-Button. So I tried to requestDefaultFocus, but nothing worked. Mark provides a running solution. And it works!

WebSVN vs. ViewCVS

Tonight I removed ViewCVS and started using WebSVN. It's nice simple and in PHP :D... Take a look!

Java Base64 encoding (sun.misc.Base64Encoder)

Today I would like to say some words about BASE64 encoding and JAVA. Let me introduce a cool class to encode a string: sun.misc.Base64Encoder
This class seams to work quite all right for some weeks. So, today we transfered our JEE server from a linux to windows (not my idea). Till now I have assumed that the mythos of the JAVA plattform independence is not only a myth. During the check of the application (the deployed JEE project) it showed up error messages that the base64 coded strings doesn't match.
On the first look everything seemed to be fine. The second showed up that the strings on the windows machine were one (!) character longer. Two hours later we found the problem: Does RFC 3548 say something about line feeds and carriage return?
So why does the base64 coded strings contain some?
The anwser is: Because the encode method of the Base64Enconder split the string after some characters (I suppose at char 76 / 77, but I'm not quite sure). So if you switch the operation system and the new system uses another encoding for the line break, your old base64 encoded data is worthless.
To solve this problem I used the java mail api (cause JEE server needs to implement these):

StringOutputStream output = new StringOutputStream();
OutputStream encoding = MimeUtility.encode(output, "base64");
encoding.write("Hello World");
result = output.toString();

import java.io.IOException; import java.io.OutputStream;
/** * * @author Dennis Guse * */
public class StringOutputStream extends OutputStream {
  private StringBuffer data = new StringBuffer();
  public StringOutputStream() {}
  public String toString() {
    return data.toString();
  }
  public void write(int b) throws IOException { data.append((char)b); } }

So a half day of work for nothing....
PS: Feel free to use this stuff.

Authentification Server via Kerberos (Heimdal) and LDAP backend

Today morning I configured heimdal KDC and as storage the openldap slapd. Slapd stores the user information and holds the kerberos authentification information. The public URI is ldaps://g00se.org. Kerberos realm: G00SE.ORG. KDC: g00se.org The openldap server uses TLS and authenfication and authorisation with the SASL GSSAPI (package (debian): libsasl2-modules-gssapi-heimdal). First I installed slapd (slapd and the above package). Added the krb5-kdc.schema. Configurated SASL support and added authorisation rules. With slapadd -f "backup.ldif" I installed my backup (without internal kerberos accounts). Modified /etc/default/slapd to let the slapd listen on ldaps:// and ldapi://. Reloaded the configuration. Second I installed the heimdal-kdc. Configured the realm. Configured database backend to use the ldapi:// socket. Reloaded. Init the realm and create necessary kerberos host accounts (with random keys): kadmin -l > init G00SE.ORG > add -r host/g00se.org > ext_keytab host/g00se.org > add -r ldap/g00se.org > ext_keytab ldap/g00se.org Reloaded everything and the authenfication server was up and running! Have a nice one!!

Authenfication client via Kerberos (Heimdal) and LDAP backend

To use the provided authenfication mechanism from g00se.org on g00se.org :D I installed libpam-heimdal and configured nss. Kerberos configuration: cat /etc/krb5.conf [libdefaults] default_realm = G00SE.ORG default_keytab_name = /etc/krb5.keytab ticket_lifetime = 28800 default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5 [realms] G00SE.ORG = { kdc = g00se.org admin_server = g00se.org } [domain_realm] g00se.org = G00SE.ORG .g00se.org = G00SE.ORG The pam configuration to use the heimdal KDC: cat /etc/pam.d/kerberos #@include common-auth #@include common-account auth required pam_krb5.so account required pam_krb5.so Configuration of the nss-ldap plugin: cat /etc/libnss-ldap.conf uri ldaps://g00se.org/ ldap_version 3 base dc=g00se,dc=org scope sub pam_filter objectclass=account pam_login_attribute uid pam_min_uid 1000 pam_max_uid 2000 nss_base_passwd ou=People,dc=g00se,dc=org?one nss_base_group ou=group,dc=g00se,dc=org?oneh Let nss know that there is a second source which provide authorisation data. cat /etc/nsswitch.conf passwd: compat ldap group: compat ldap That's all! As root you can now check if everything runs: getent passwd and you will see all your local accounts and the provided central ones! I hope everything is cool!!!