≡ Menu


Redmine LDAP Integration – Active Directory Configuration

After you have Redmine installed and configured to the point where you can log in – go ahead and do so. Browse to Administration>Settings>Authentication tab>LDAP Configuration (in the bottom right).

Before you go and start changing things here, there are a few things you should keep in mind that will save you some time. Realize that you can’t do an anonymous bind to Active Directory. So, you need to actually specify a valid set of credentials for the service account. Now, I suppose they could have done something different here to reduce the configuration work… like relying on user login credentials and passing them to query AD. But in any event, you just need a normal domain user account should do just fine – anything that can query Active Directory. Why a domain account? Think about it another way… if someone plugged their laptop into your network, would they be able to query AD for user or computer objects? No… they wouldn’t, because they’d be anonymous. Even if they knew your domain name, had a domain controller’s IP address, the distinguished name, etc… no luck. So create a service account. Just FYI, my domain was at 2003 domain functional level.

As far as the Base DN – keep it simple… base DN means base. You probably don’t want CN=users, or CN=MyBusiness, or anything like that. In my case, I specified DC=domain,DC=local. As for the the attributes, they all come right out of Active Directory… there’s a bunch of places youcould find these if you wanted to spend the time to find them. Or, there’s a bunch of sites that already have this stuff listed (see the below for my config).

When you’re specifying the attributes, keep in mind that you don’t want any extra spaces (blank spaces) after the attributes. For instance, it should be ‘SAMAccountName’ (no quotes), NOT ‘SAMAccountName ‘. If you add a space, it breaks. If you don’t have those “optional” attributes, it breaks. Also – just FYI… if you’re under Authentication, and trying to run a “Test” of authentication, and it say’s successful – that doesn’t mean it’s actually working. You need to test Active Directory account logins from back on the main menu.

If you want to use on-the-fly account creation… you’ll need to make sure all of your Attributes are set correctly and that within Active Directory the attribute fields actually contain data for your users. This is very important. For example, if you have a user trying to login, but their account has “First Name”, and/or “Last Name”, and/or “E-mail” address fields blank (like if you have a “test” user account) – automatic user account creation in Redmine will fail. On top of that – it’s not very verbose about why it failed. So that might be something to file away in the back of your mind, so that when you find one account (or a group of accounts) somewhere that won’t login – you can make sure to check that they have all of the Active Directory attributes specified (just open up Active Directory Users and Computers and check-out the user object that is having a problem).

My Settings:

  • Name: YourDomainOrWhateverYouWant
  • Host: IP address of a Domain Controller (name is probably best)
  • Port: 389
  • Account: Domain\ServiceAccountRedmine01
  • Password: SavedPassword
  • Base DN: DC=domain,DC=local
  • Login: SAMAccountName
  • First Name: givenName
  • Last Name: SN
  • Email: mail

AD: How to Determine the Last Logon time of users

Your ability to determine last logon time really depends on the AD level that you’re at.

For information on the below attributes (and more), check here.

Pre-2003 AD: You can’t do it.
2003 AD: Look at the lastlogon attribute on all DCs.
2003 AD functional level: Look at the last-logon-timestamp
2008: Check the msDS-LastSuccessfulInteractiveLogonTime 

If you’re not at 2008, or 2003 domain functional level, and you want to determine the last logon time, you can use AD-FIND to query each DC, get the time stamp in the nt time epoch format (the time measured in seconds since 1/1/1601) and then usew32tm /ntte to convert the stamp into a readable format… Date, Hour:min:second.

adfind -h DC1:389 -b dc=domain, dc=local -f “objectcategory=person” lastlogon >DC1.txt

adfind -h DC2:389 -b dc=domain, dc=local -f “objectcategory=person” lastlogon >DC2.txt

… and so on for each DC.

To convert lastlogon time, take the time stamps for the user’s that you’re interested in and convert them…

w32tm /ntte value1
w32tm /ntte value2

… and so on.

Then you can compare each. At 2003 functional level the attribute lastlogontimestamp is replicated to each DC – so it’s a single source of truth. In 2008 it gets even better with last logons, last failed logons, and more. With some diligence, you can probably take the above steps do some further learning around them to improve things a bit, and then script the the logic. But for one-offs, and small networks this works.

pfSense: Editing /conf/config.xml file

The ISP’s internet connection runs on port expecting a 10MB Full-duplex device to be plugged into it. The WAN interface on my pfSense box is a 10/100 NIC, which when uplinked without making any configuration changes, I found that I was only getting about 25% of the capacity I was expecting. The only way to force the WAN interface to 10MB/Full-duplex is via the /conf/config.xml file. There are two way to edit this… one is using vi from SSH.

To enable SSH do this from the PFSense web-interface:
Click System>Advanced>Secure Shell, Enable Secure Shell

Even if you prefer to use the PFSense web-interface to edit your config.xml file (make a backup copy first), the shell came in handy a few times throughout my configuration process. The other option to edit the config file is using the editor in the PFSense web-interface.

The editor is available here:
Diagnostics>Edit File. The Load/Save path is “/conf/config.xml”.

Scroll down until you find the tag. Then remove the lines that start with <media/> and <mediaopt/> and replace them with ones that say this:


Then click Save. You can check to see if this took effect by clicking Status, Interfaces. The WAN interface should now read “10baseT/UTP ”. This change should take effect immediately – if not, give the box a reboot (Diagnostics>Reboot System).

vSphere: VM Stuck during Power down at 95%

Occasionally I’ve run into a VM that gets stuck at 95% while powering down (or during a vMotion).  I know the issue isn’t unheard of, but I didn’t run into it until working with a few ESXi 4.0.0 208167 servers. So – if you have a virtual machine hangs while shutting down – and you’re certain that you’re just not waiting for it to finish powering down, and you’ve already tried to “power off” from the client- but the power-off command is stuck at 95%, you may have to manually kill the hung VM.


  1. Login to the host with the hung machine via SSH (enable SSH if you haven’t already)
  2. do a /sbin/ restart (or services vmware-mgmt restart on ESX)… which is the same thing as doing this from the ESXi console
  3. This command will restart the agents that are installed in /etc/init.d/ … including hostd, ntpd, sfcbd, sfcbd-watchdog, slpd and wsmand (and HA if you have it)
  4. When you do this, the VI/vsphere client will loose connectivity as those services restart, but VM’s that are running will not be affected
  5. After the services have restarted, you can re-connect via the VI client.
  6. Via SSH, go to the right datastore (such as, /vmfs/volumes/DatastoreName/VMname), and delete (rm -r) the *.vswp file (the swap file).
  7. If you can’t delete it, and you’re getting an error message to the effect… can not remove VM: device or resource busy… go find the processes associated with the VM.
  8. “ps auxfww|grep “vmname”
  9. “kill -9 ProcessIDNumber”
  10. After doing so, remove the orphaned VM from inventory… just right-click the “unknown” VM, and select “remove from inventory”, being careful to not delete it.
  11. Then delete the *.log, and *.0*. If you don’t, re-adding the VM may cause the interface to hang, and you’ll have to go through some of this all over again.
  12. Add the VM back to the inventory, and you should be able to start the VM.

I have run into a situation once, where a host reboot was the only way to solve the problem. But other than that, this seems to be quite effective.  The short version – see steps 8 & 9.

Don’t ditch your dress code

You work for a technology company… of course you don’t have a dress code.  

Is that what you thought I was going to say?

(Give this clip a run)

Would you show up for an interviews wearing jeans and a polo?  Unless you actually didn’t want the job, why would anyone show-up dressed to the lowest common denominator?  It’s almost as if people think that being competent in your technical area of expertise gives you a free pass.  A professional wears a suit (or jacket and tie) to an interview… it’s that simple.  I don’t want to hear “… but I write code“, or I’m a sysadmin, or fill-in-the-blank… if you’re a professional, you should act as if you’re a professional.  You should not dress like children.  I’m continually amazed that I have to tell people this.  And no, I don’t care what you think the “corporate culture”  dictates.   My team needs to be better than the “average corporate culture” that we encounter… we need to be professionals.

Look at it this way… remember the saying… “Nobody ever got fired for buying Microsoft/IBM?“.  Have you ever heard of someone being fired because they dressed, and acted too professionally? Does this sound like a conversation that might ever occur in the real word?  “Oh no, count that guy out, he just dressed and acted too much the part.  No, I’d much rather have the guy that I’m actually embarrassed for… yeah, that one… the one that I just I know I’ll never be able to put in front of a client.”  What employer doesn’t want someone who takes himself and his/her profession seriously? The way you dress sends a message to the people around you about who you are and what you stand for… it just does.  People who dress like professionals, get treated like professionals.

What’s that?  You really are different?  You actually are that mythical 10x employee?  Then by all means, secure some VC funding and get out of my office.  Oh, not your thing?  Then go interview at Facebook, Microsoft, or Google … I hear that works out great for rock star employees.  But if you’re going to live in something that looks like the real-world, or isn’t adjacent to San Francisco, then you really should start doing yourself a favor and dressing like a professional.  It’s never going to be counted against you.  To be clear… the suit won’t get you the job, but it will give you an edge over the next guy who’s equally as a smart.  The tie won’t keep the incompetent employed, but  it is a reminder to leadership that you have the potential to be more than whatever role you were hired to fill.  It’s all of the little edges that add up in life.

So by all means, show up for your interview dressed like a child.  That way, I won’t loose a wink of sleep when I offer exactly what your book value appears to be.

Visit Us On Twitter