Early this month, I discovered a few open source social networking frameworks that could power my new website.  After investigating them in depth, I decided to use Elgg since it proved extremely easy to implement and customize.  It's almost a month later, and after working only a few hours here and there, in the middle of the night, my site is nearly finished.  I am very pleased with the results.

I decided to create a site that I (and my readers) could use to keep in touch with family and friends.  There are plenty of social networks out there for friends to swear and share drunk pictures.  My site OakPages.com, however,  lives under a different concept.  OakPages aims to keep the whole family closer through the Internet, which is why Elgg with its countless plug-ins is a very good fit.  Functions like blogs, web pages and private groups, plus an easy infrastructure for widgets with family trees, video mail and photo sharing, make Elgg the ideal platform for OakPages.

Overall, I am very happy with Elgg for allowing me to implement a powerful website with so little effort.  It does have some issues to work out, but the active community is fixing them as quickly as they are reported.  There are countless enhancements well on their way to production.  I have already helped enhance many plug-ins and provided code that I wrote in just a few minutes, even without knowing much about the Elgg framework.  As I keep programming away, I hope Elgg will keep growing and providing even more powerful tools for OakPages.

[Transferred from http://blog-gabriel.mongefranco.com; originally published on June 23, 2008]

JasperServer is an excellent reporting server. It provides fast, easy and flexible reporting capabilities for businesses of all sizes. It has everything from support for OLAP cubes and data marts, to charts, to sub reports, to dashboards. Wait, did I say dashboards? Scratch that. JasperServer Professional has support for dashboards, but not JasperServer Community Edition.

Dashboards, a simple an intuitive function that one would expect to find in any sub-mature BI product, is not present in the "open source" edition of JasperServer. So essentially, the open source community only gets a taste of the pro version. If users want a fully functional, usable, enterprise-ready product, they must pay to obtain the Professional Edition. So in a way, JasperSoft has not captured the true sense of "open source." JasperSoft’s "community edition" software is nothing more than shareware. It is shareware in the sense that you only get a peek into the product, but you can't get the essential features -- such as dashboards -- unless you pay. Therefore, JasperServer Community Edition, although by all legal means "open source," is morally and functionally nothing more than shareware with viewable source code.

[Transferred from http://blog-gabriel.mongefranco.com; originally published on June 22, 2008]

Introduction

The new JasperServer 3 business intelligence (BI) and report server was released this month. And the first thing I attempted right after installing it was setting up Active Directory integration. As it turns out, AD integration is not an easy project, especially due to the lack of documentation. After almost a week of intensive research, I finally figured out the essentials to get AD authentication working. AD authorization, on the other hand, is still far beyond my reach. In this post, I briefly document my findings to[!]st others in setting up AD authentication with JasperServer 3.

Background

The first important point to notice is that JasperServer authentication is based on Spring (formerly Acegis). As such, LDAP authentication comes built out of the box. Of course, it still requires some tweaking. All configuration is performed inside of two XML files under JasperServer's WEB-INF directory.

JasperServer makes use of roles to provide access. The default roles are ROLE_ADMIN (used for administrators), ROLE_USER (used for regular users), and ROLE_ANONYMOUS (not really used at all). After a user is authenticated, his/her roles are checked to determine what resources are accessible. In the case of LDAP, users are automatically added as new external users upon a successful authentication. Moreover, they are[!]gned the ROLE_USER role by default, which might be undesirable.

In my test server, all the users are located under an organizational unit called BlogUsers. Thus, the complete path to my user ID would be: cn=gabriel,ou=BlogUsers,dc=mongefranco,dc=com. Moreover, I have different security groups setup under a different OU. My group would be: cn=Developers,ou=DepartmentGroups,ou=Groups,dc=mongefranco,dc=com.

Authentication Configuration

The first file to configure is ApplicationContext-security.xml, which is located in the WEB-INF directory. In the Authentication section, there is a bean called "authenticationManager." This bean contains a list of authentication providers, that is, plug-ins that provide access to different protocols. When a user hits login on the home page, his credentials are authenticated by each of these providers, top to bottom, until a positive match is found. If none of the providers returns a positive match, the user is denied access.

Since Active Directory uses the LDAP protocol, I enabled "ldapAuthenticationProvider." I also left "daoAuthenticationProvider" enabled so I could create local accounts that are no in AD, such as the jasperadmin administrative account. Also, for added security, I disabled the anonymousAuthenticationProvider." Thus, my authenticationManager bean looks like this:

<!-- ======================== AUTHENTICATION ======================= -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref local="ldapAuthenticationProvider"/>
<ref local="daoAuthenticationProvider"/>
<!--ref local="anonymousAuthenticationProvider"/-->
<!--ref local="jaasAuthenticationProvider"/-->
</list>
</property>
</bean>

The next bean is the "initialDirContextFactory" which sets up LDAP access for Spring. The first constructor-arg should contain only the Active Directory domain controller address, port number (usually 389), and the DC portion of the DN (do not include organizational units here!). The next two properties, "managerDN" and "managerPassword," are the user name and password of the account used to query Active Directory. In my test system, this is a service account used exclusively to query AD. The complete bean looks as follows:

<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
<constructor-arg value="ldap://ADSERVER:389/dc=mongefranco,dc=com"/>
<property name="managerDn"><value>svc_ldap@mongefranco.com</value></property>
<property name="managerPassword"><value>password123!</value></property>
</bean>

After a user clicks login on the home page, Spring first attempts to connect to AD using the settings above. After a successful connection, in re-binds using the user-supplied user name and password. In order to do this, it needs to know where and how to find the user. That is where the "userSearch" bean comes in. Composed of 3 constructors, it defines what attribute in AD contains the user name and also how to find it. In my system, the attribute is CN, so I put "cn={0}" where "{0}" is replaced by the user name entered by the user. The "searchSubtree" option will allow Spring to dig into sub-groups.

<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0">
<value></value>
</constructor-arg>
<constructor-arg index="1">
<value>cn={0}</value>
</constructor-arg>
<constructor-arg index="2">
<ref local="initialDirContextFactory" />
</constructor-arg>
<property name="searchSubtree">
<value>true</value>
</property>
</bean>

The next bean, ldapAuthenticationProvider, is a bit sensitive so you must be extra careful. It contains two other beans. The first has a "userDnPatterns" property used to find a user in the directory. After Spring successfully binds to AD using the user name and password provided, it checks the userDnPatterns to find the user in the directory. If it cannot find the user, it immediately denies access. Since in my system all users are contained in the BlogUsers OU, I constructed the parameters as follows:

<constructor-arg>
<bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
<constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
<property name="userDnPatterns"><list>
<value>cn={0},ou=BlogUsers</value>
</list></property>
</bean>
</constructor-arg>

The next bean is used for authorization and to map a user's AD group or OU to a JasperServer role. For the love of God, I could not get this to work. So if you know how.... please let me know. :) The only thing I was able to configure was a defaultRole property, which causes JasperServer to automatically[!]gn this role to a user upon a first time successful login.

<constructor-arg>
<bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
<constructor-arg index="0"><ref local="initialDirContextFactory"/></constructor-arg>
<constructor-arg index="1"><value>ou=DepartmentGroups,ou=Groups</value></constructor-arg>
<property name="groupRoleAttribute"><value>cn</value></property>
<property name="groupSearchFilter"><value>((member={1})(cn=*))</value></property>
<property name="searchSubtree"><value>true</value></property>
<property name="rolePrefix"><value></value></property>
<property name="defaultRole"><value>ROLE_ANONYMOUS</value></property>
<property name="convertToUpperCase"><value>true</value></property>
</bean>
</constructor-arg>

In addition to the defaultRole setup above, JasperServer also[!]gns a "ROLE_USER" which may be undesirable. At least in my case, I would not want every user to stumble upon the JasperServer URL, login and have access to all reports. So after a couple of days of unsuccessful research, I simply searched for all references to "ROLE_USER" in all the XML files on the server. Eventually, I discovered that this second default role is configured in the ApplicationContext.xml file. After changing it to ROLE_ANONYMOUS, I denied access to every resource (including the root directory) to this role. That way, even though anyone with an AD account can login, he/she will get an "Access Denied" message.

Hopefully, my short experience with AD, LDAP, Spring and JasperServer will help someone out there. Believe me, the lack of documentation in the subject is astonishing, so I am hoping this will help the open source community.

[Transferred from http://blog-gabriel.mongefranco.com; originally published on June 21, 2008]

Today, I tried reading the sacred book of the Maya, the Popol Vuh. Needless to say, I found out it is not light reading. :)

The book relates the Maya's tales of creation, conflicts both on Heaven and on Earth, and genealogy of the ancient people. What I found interesting so far is that the tale of creation is remarkably similar to the beginning of Genesis in the Christian bible. Both relate a vast void and darkness in the beginning, followed by how Jehovah (or the Heart of Heaven) decided to create the universe. They relate the creation of the universe and the world in stages -- first, light and dark in the sky; then the Earth and the Sea; then the mountains; then all that covers the earth and finally all the beings that live in the oceans and on the land.

Where the Bible and the Popol Vuh differ is in the creation of humankind. In the Popol Vuh, the Heart of Heaven (that's God's name), the Creator and the Maker first created men from mud. That didn't work, so the men of mud were destroyed. Then, they tried wood but the beings of wood did not have hearts or souls and were unable to thank their creators. So a big flood was sent down to Earth to destroy them, and their only descendants are what we now know as the monkeys on the trees. Lastly, and after many cool tales of things that happened in heaven and on earth (including the fall of an evil God), four men were created from maize. These corn-flesh men could speak and feel and see. They thanked their creators for giving them life, and for allowing them to see near, far and beyond. Some of the God's were worried that men were too knowing, too God-like, so they covered their eyes with dust so they could only see near but not far.

Some other stories that seem to overlap the Bible include:

• The time when the gods confused people by making them speak different languages (Babylon)
• The people of the East (Noah, Abraham), their 13 tribes (Isaac), and the kingdoms they had to deal with (Ur, Egypt)
• Deluge (Noah's Ark)
• And they even overlap other cultures, such as ancient Egypt, the ancient people of the Arctic, the ancient people of Chile/Peru, Mongolians, and Africans, among others.

The tales in the book can be hard to follow, especially when one encounters poor translations. In my opinion, the Spanish version is easier to read than the English version. This is probably because the original translation into Western languages was done from Quiche to Spanish.

I will keep reading this book until I can make complete sense of it. :) But so far, I can definitely recommend it as a must-read.

[Transferred from http://blog-gabriel.mongefranco.com; originally published on June 21, 2008]

It is a good idea to have a contact link on every page on your site to make your visitors feel welcome. However, a link to a contact form on another page would take your visitors away from your site's contents. Some web masters overcome this problem by opening a pop up windows with a contact form. However, we all know how annoying pop ups can be -- let alone the fact that most browsers nowadays would block the pop up window.

So how can you make it easy but not annoying or distracting for your visitors to contact you? Here's a small script to accomplish this while making your site look more professional.


Shoot me an <a href="#" onClick = "javascript:document.getElementById('Mail').style.visibility = 'visible';">email</a>
<div id = "Mail" style = "position:absolute; top:10px; right:10; visibility:hidden;">
<pre>
*** This is a hidden block.<br />
You could put your form here or use an<br />
iframe tag to open an external e-mail form. ***
</pre>
<a href = "#" onClick = "javascript:document.getElementById('Mail').style.visibility = 'hidden';">Close</a>
</div>


This script will open a floating frame that can contain your contact form, contact information or even an <iframe> tag with a remote contact form. The close link can be used to close the form, and can also be activated after your visitor submits the form.

[Transferred from http://blog-gabriel.mongefranco.com; originally published on June 15, 2008]

[Transferred from http://blog-gabriel.mongefranco.com; originally published on June 15, 2008]

Mozilla Firefox is ready to release version 3 of its popular open source web browser on June 17, 2008. The new browser features GUI, performance and security improvements that can easily transform it into the most powerful browser on Earth. As it prepares for its release, the Mozilla Foundation is running a worldwide marketing campaign by attempting to break the world record for the most software downloads in a single day.

How can you help? It's easy: simply download Firefox between June 17 and June 18. Download, install, and enjoy. It's that simple.

[Transferred from http://blog-gabriel.mongefranco.com; originally published on June 13, 2008]

All right, it's official: a blog can definitely increase search engine ratings and even provide direct revenue. I started this blog last month, and this is only my 10th post. I have not done much to publicize my blog except for adding my URL to Google, Yahoo, and a couple of blog directories. I also added a link to my blog from a couple of Wikipedia pages. After less than a month, my site ranks top 10 in several search engines.

That makes me wonder -- can businesses advertise for free using Web 2.0 technologies? I truly believe the answer is yes! Blogs, video sites, social networking sites and other similar technologies can help companies rank higher in search engines, increasing their customer base. Additionally, advertising programs from major Internet companies can allow bloggers to make money. And as blogs grow, revenue increases. Thus, companies have two good reasons to get on board with Web 2.0: free money and free advertising!

[Transferred from http://blog-gabriel.mongefranco.com; originally published on June 10, 2008]

As I finish my bachelor's in Network Administration and in Information Security at Davenport University, I start to realize that perhaps I chose the wrong college. During my short time at this school, I have only found a handful of challenging courses. Most of the time, I just sit in class wondering when the instructor will get to the nifty details. I sit there waiting, and waiting, and waiting.... And as you can guess, I'm still waiting.

I feel like all my courses gave me information smashed, condensed, prepackaged, and with no flavor. I was only presented with the surface of networking, network defense, databases, computer security, encryption, professional writing, project management, computer forensics and wireless security, among others. Besides the lack of labs on many courses, I also felt that some basic concepts were emphasized in every class and never in detail. This took time away from the meat of the courses -- that is, when there was any. I think The Mentor put this in some very nice words over two decades ago in The Conscience of a Hacker:

"You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless."

It's too bad that over 20 years later, a post-secondary school specializing in technology and belonging to a world super power still has not learned this lesson.

So right now, as I am sitting in my database design class, I can only say: I am so bored! I need more challenge! I want to learn more! I need better tools! Come on, Davenport, where is the meat?!!!

[Transferred from http://blog-gabriel.mongefranco.com; originally published on June 6, 2008]

The Problem: Google Sites currently has a very annoying restriction -- it will not let you include iframe, script or embed tags in your pages! After attempting different ways to overcome it, including faking links to actually include scripts when the page is expecting an image, I finally found one way that works. As it turns out, the solution, ironically, is also a Google service. ;)

The Solution: Google Gadgets You can create your own gadget using the Google Gadgets Editor. Gadgets allow you can create a mini-web page complete with scripts, Flash animations, and everything needed to spice up your site. You can also load a page or animation residing on a different site, and you can even pass it parameters through the URL.

• To create a mini-page, use the <Content type="html"><![CDATA[ <your HTML code goes here> ]]</Content> tags.
• To load another page, you can either use an <iframe> tag, load page contents via scripts, or simply load a complete separate page or animation using the <Content type="url" src="http://yourSite.com?your=parameters"></Content> tags.

Once you are done, save and publish your gadget. Google will give you a permanent URL to the gadget's XML definition. On your web page, go to Insert ->More, select Add by URL, enter your gadget's address and vioala! You now have scripts, iframes and more on your Google Sites page!!!

For more hacks, be sure to visit the Projects section at Gabriel Monge-Franco's Home Page.