Re: [gentoo-user] Heads up: Video mode and booting with KVM switch

2015-11-14 Thread Peter Humphrey 
On Friday 13 Nov 2015 15:54:02 Walter Dnes wrote:
>   I have 3 machines kicking around.  One is a Dell Inspiron 530 from
> June 2008 that simply refuses to die.  The others are more recent.
> On my desk (actually a re-purposed kitchen table) I only have room for 1
> 24 inch monitor, 1 big Unicomp "IBM-like clickety-clack" USB keyboard
> 
http://www.pckeyboard.com/mm5/merchant.mvc?Screen=PROD_code=UNI041
> A and 1 trackball.
> 
>   I got an IOGear 4-port USB KVM.  It has a remote clicker to switch
> between the 4 ports; no icky escape/control sequences.  Because it's
> hardware-controlled, there are no drivers required.  It works great
> with one exception, which is a linux kernel problem, not a switch
> problem.  The problem I've found occurs when booting a machine that is
> not currently selected by the KVM switch.  I found the BIOS settings to
> eliminate the...
> 
> Keyboard failure
> Select F1 to continue; F2 to enter SETUP
> 
> ...message.  The linux kernel problem is that it doesn't detect the
> display when that particular machine is not selected at bootup
> (du), and assumes 1024x768 console and graphics video.  If the
> machine is selected by the switch at bootup, things work properly.
> 
>   But don't panic.  Even if I boot into 1024x768 text mode, and default
> to 1024x768 graphics, running "xrandr -s 1920x1080" gets me 1920x1080
> X Window display.  The available modes for your display may be
> different.  Just run "xrandr" for a list of available modes.

I don't think there's a problem at all. I have a 2-port USB KVM too, but I 
don't have any difficulty with the keyboard. Of course I get the 80x24 
screen if the monitor isn't connected to the PC at boot time. I just make 
sure I do have that PC selected when I boot it - or if I can't, such as 
after a power cut while I'm out, I just reboot it when I can.

There's a kernel config option somewhere, I think, about choosing whether to 
read the EDID from the screen or to use a preset value, but I haven't 
bothered with it for the few occasions I might need it.

Can your PC BIOS start in headless mode? That would sidestep the missing-
keyboard problem.

-- 
Rgds
Peter

Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

2015-11-14 Thread Mick 
On Saturday 14 Nov 2015 06:49:22 the...@sys-concept.com wrote:
> Thelma
> 
> On 11/13/2015 11:08 PM, the...@sys-concept.com wrote:
> > I'm running: nxserver-freenx-0.7.3_p104-r7
> > After recent upgrade, system installed new stable openssh-7.1_p1-r2
> > 
> > The problem is the new openssh-7.1_p1-r2 will not allow my my "nxserver"
> > to connect, I get an error: Permission denied
> > (publickey,keyboard-interactive) see below:
> > 
> > nxsetup --test
> > ...
> > < done
> > 
> > > Testing your nxserver connection ...
> > Permission denied (publickey,keyboard-interactive).
> > Fatal error: Could not connect to NX Server.
> > 
> > Please check your ssh setup:
> > 
> > The following are _examples_ of what you might need to check.
> > 
> > - Make sure "nx" is one of the AllowUsers in sshd_config.
> > 
> > (or that the line is outcommented/not there)
> > 
> > - Make sure "nx" is one of the AllowGroups in sshd_config.
> > 
> > (or that the line is outcommented/not there)
> > 
> > - Make sure your sshd allows public key authentication.
> > - Make sure your sshd is really running on port 22.
> > - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set 
to
> > authorized_keys2.
> > 
> > (this should be a filename not a pathname+filename)
> >   
> >   - Make sure you allow ssh on localhost, this could come from some
> >   
> > restriction of:
> >   -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
> >   
> >   -the iptables. add to it:
> >  $ iptables -A INPUT  -i lo -j ACCEPT
> >  $ iptables -A OUTPUT -o lo -j ACCEPT
> > 
> > What I should be getting is this:
> > > Testing your nxserver connection ...
> > HELLO NXSERVER - Version 3.2.0-74-TEAMBZR104 OS (GPL, using backend:
> > 3.5.0) NX> 105 quit
> > Quit
> > NX> 999 Bye
> > <--- done
> > 
> > I did not change anything in sshd_config.
> > But I downgraded to: openssh-6.9_p1-r2 and nxserver connects OK.
> > 
> > What could be the problem with new: openssh-7.1_p1-r2
> 
> I think the reason is that OpenSSH 7.0 disables ssh-dss keys by default
> https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
> 
> And and nxserver is using ssh-dss keys by default.
> 
> I have to find a way a way to replace the ssh-dss key in: /etc/nxserver/
> with RSA one.
> 
> Do I just run: ssh-keygen -t rsa
> and copy the key pair to /etc/nxserver/ directory?
> 
> --
> Thelma

Since openssh-7.0 DSS keys are disabled and about time too!

==
if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
elog "Starting with openssh-7.0, support for ssh-dss keys were 
disabled due to their"
elog "weak sizes.  If you rely on these key types, you can re-enable 
the key types by"
elog "adding to your sshd_config:"
elog "  PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
fi
==


Also SHA1 hashes are disabled and you will get errors like these when you try 
to login to a server which is still using deprecated ciphers:

Unable to negotiate with XXX.XX.XXX.X: no matching host key type found. Their 
offer: ssh-dss

Unable to negotiate with XXX.XX.XXX.X: no matching key exchange method found. 
Their offer: diffie-hellman-group1-sha1

If this is within your LAN and therefore relatively protected, you could 
specify deprecated ciphers and hashes like so:

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss 
my_u...@xxx.xx.xxx.X


Alternatively, after you create a strong prime:

ssh-keygen -t rsa -b 4096


or probably better to use ed25519:

ssh-keygen -t ed25519

HTH.
-- 
Regards,
Mick


signature.asc
Description: This is a digitally signed message part.

Re: [gentoo-user] Heads up: Video mode and booting with KVM switch

2015-11-14 Thread Matti Nykyri 
On Fri, Nov 13, 2015 at 03:54:02PM -0500, Walter Dnes wrote:
>   I have 3 machines kicking around.  One is a Dell Inspiron 530 from
> June 2008 that simply refuses to die.  The others are more recent.
> On my desk (actually a re-purposed kitchen table) I only have room for 1
> 24 inch monitor, 1 big Unicomp "IBM-like clickety-clack" USB keyboard
> http://www.pckeyboard.com/mm5/merchant.mvc?Screen=PROD_code=UNI041A
> and 1 trackball.
> 
>   I got an IOGear 4-port USB KVM.  It has a remote clicker to switch
> between the 4 ports; no icky escape/control sequences.  Because it's
> hardware-controlled, there are no drivers required.  It works great
> with one exception, which is a linux kernel problem, not a switch
> problem.  The problem I've found occurs when booting a machine that is
> not currently selected by the KVM switch.  I found the BIOS settings to
> eliminate the...
> 
> Keyboard failure
> Select F1 to continue; F2 to enter SETUP
> 
> ...message.  The linux kernel problem is that it doesn't detect the
> display when that particular machine is not selected at bootup
> (du), and assumes 1024x768 console and graphics video.  If the
> machine is selected by the switch at bootup, things work properly.
> 
>   But don't panic.  Even if I boot into 1024x768 text mode, and default
> to 1024x768 graphics, running "xrandr -s 1920x1080" gets me 1920x1080
> X Window display.  The available modes for your display may be
> different.  Just run "xrandr" for a list of available modes.

Don't panic!

There is a simple solution to this... Kernel developers have foreseen this 
problem already! In your situation your graphics hardware is not getting 
the EDID of your display, decause it is physically not connected to the 
monitor when you boot up. See /Documentation/EDID for details.

Set DRM_LOAD_EDID_FIRMWARE=y

You can use x11-misc/read-edid to fetch edid from your monitor: 
get-edid > your_edid.bin. Or you can use modedebug in xorg.conf and get 
edid from Xorg.0.log

Save the edid from your monitor to /lib/firmware/edid/ and include in your 
kernel commandline "drm_kms_helper.edid_firmware=edid/your_edid.bin". You 
can also set your video mode in comman line "video=DVI-I-1:1024x768@85". 
The names for your connectors are found in "/sys/class/drm/*/status". 

https://wiki.archlinux.org/index.php/Kernel_mode_setting

These work with kernel mode setting. If you are using some proprietary 
driver, see the documentation of that driver. At least with nvidia you 
can set your custom edid in xorg.conf "Option CustomEDID DFP-0:/your_edid.bin"
and force monitors to be detected as connected at all times 
"Option ConnectedMonitor DFP".

-- 
-M

Re: [gentoo-user] Heads up: Video mode and booting with KVM switch

2015-11-14 Thread Walter Dnes 
On Sat, Nov 14, 2015 at 02:56:09PM -0500, Walter Dnes wrote
>   Thanks for the ideas.  "video=VGA-1:1920x1080@60" (as indicated by
> xrandr) didn't work well.  The text console showed 2 copies of the
> screen side-by each.  Imagine working with the "screen" or "tmux"
> program, or the vim ":vsplit" command.  And it was offset 3/4 inch down
> and to the right.  X Window showed only one image, but the down and
> right shift was still there.  I couldn't see the autoraising menubar at
> the bottom of the screen in ICEWM, so it was unusable.
> 
>   "video=VGA-1:1920x1080@60m", where the "m" is to allow some margin in
> the calculations, got rid of the double image in text console, but the
> down and right shift was still there in both the text console, and X.
> 
>   I tried sticking "xrandr -s 1920x1080" in my .xinitrc.  It "works",
> but the fonts are noticably "fatter" after a disconnected boot versus
> a connected boot.
> 
>   I ran "cp /sys/class/drm/card0/card0-VGA-1/edid my_edid.bin" and I'll
> try loading it in the kernel later today.

  Plan A

[d531][root][~] get-edid > my_edid.bin
This is read-edid version 3.0.1. Prepare for some fun.
Attempting to use i2c interface
Looks like no busses have an EDID. Sorry!
Attempting to use the classical VBE interface
Illegal instruction

  Plan B

  I generated an xorg.conf file (Xorg -configure), dumped it in /etc/X11
and inserted...
Option   "ModeDebug" "True" 
as per https://forums.gentoo.org/viewtopic-t-992752.html

  The result I got in the log was...

(WW) intel(0): Option "ModeDebug" is not used

...this was getting annoying

  Remember what I mentioned about "fatter" fonts?  This brought back
memories of the bad old days when we needed a /etc/X11/xorg.conf file
to run X.  DPI was one of the things we worried about.  After much
experimentation, I inserted the line...

/usr/bin/xterm -e xrandr -s 1920x1080 && xrandr --dpi 96 &

...into my .xinitrc, and every thing looks just fine inside X.  In case
you were wondering, no...

/usr/bin/xterm -e xrandr -s 1920x1080 --dpi 96 &

...does *NOT* work.  Yes, the setup is a kludge, but it works.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications

[gentoo-user] Problems while updateing screen (tool not monitor)

2015-11-14 Thread Meino . Cramer 
Hi,

screen refuses update due to an compilation error:

Then type 'make' to make screen. Good luck.

>>> Source configured.
>>> Compiling source in 
>>> /var/tmp/portage/app-misc/screen-4.3.1-r1/work/screen-4.3.1 ...
make -j6 comm.h term.h 
AWK=gawk CC="x86_64-pc-linux-gnu-gcc -march=native -O2 -pipe -msse3 -ggdb 
-D_GNU_SOURCE" srcdir=. sh ./comm.sh
AWK=gawk srcdir=. sh ./term.sh
make -j6 osdef.h 
CPP="x86_64-pc-linux-gnu-gcc -E -DMAXWIN=100 -DNONETHACK 
-DETCSCREENRC='"/etc/screenrc"' 
-DSCREENENCODINGS='"/usr/share/screen/utf8encodings"'" srcdir=. sh ./osdef.sh
make -j6 -C doc screen.info 
make: Entering directory 
'/var/tmp/portage/app-misc/screen-4.3.1-r1/work/screen-4.3.1/doc'
makeinfo ./screen.texinfo -o screen.info
./screen.texinfo:3150: `@end' expected `deffn', but saw `example'
./screen.texinfo:3150: unmatched `@end example'
./screen.texinfo:3152: unmatched `@end deffn'
Makefile:30: recipe for target 'screen.info' failed
make: *** [screen.info] Error 1
make: Leaving directory 
'/var/tmp/portage/app-misc/screen-4.3.1-r1/work/screen-4.3.1/doc'
 * ERROR: app-misc/screen-4.3.1-r1::gentoo failed (compile phase):
 *   emake failed
 * 
 * If you need support, post the output of `emerge --info 
'=app-misc/screen-4.3.1-r1::gentoo'`,
 * the complete build log and the output of `emerge -pqv 
'=app-misc/screen-4.3.1-r1::gentoo'`.
 * The complete build log is located at 
'/var/tmp/portage/app-misc/screen-4.3.1-r1/temp/build.log'.
 * The ebuild environment file is located at 
'/var/tmp/portage/app-misc/screen-4.3.1-r1/temp/environment'.
 * Working directory: 
'/var/tmp/portage/app-misc/screen-4.3.1-r1/work/screen-4.3.1'
 * S: '/var/tmp/portage/app-misc/screen-4.3.1-r1/work/screen-4.3.1'

>>> Failed to emerge app-misc/screen-4.3.1-r1, Log file:

>>>  '/var/tmp/portage/app-misc/screen-4.3.1-r1/temp/build.log'
 * 
 * The following 2 packages have failed to build, install, or execute
 * postinst:
 * 
 *  (sys-apps/busybox-1.23.1-r1:0/0::gentoo, ebuild scheduled for merge)
 *  (app-misc/screen-4.3.1-r1:0/0::gentoo, ebuild scheduled for merge), Log 
file:
 *   '/var/tmp/portage/app-misc/screen-4.3.1-r1/temp/build.log'
 * 

 * GNU info directory index is up-to-date.
 * After world updates, it is important to remove obsolete packages with
 * emerge --depclean. Refer to `man emerge` for more information.
[1]13277 exit 1 emerge --update --newuse --deep --with-bdeps=y --tree 
--keep-going  --exclude

This happens since some time when I update my Gentoo...

Is a fix for that known?

Best regards,
Meino

Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

2015-11-14 Thread thelma 

On 11/14/2015 04:11 AM, Mick wrote:
[snip]
> 
> Since openssh-7.0 DSS keys are disabled and about time too!
> 
> ==
> if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
> elog "Starting with openssh-7.0, support for ssh-dss keys were 
> disabled due to their"
> elog "weak sizes.  If you rely on these key types, you can re-enable 
> the key types by"
> elog "adding to your sshd_config:"
> elog "  PubkeyAcceptedKeyTypes=+ssh-dss"
> elog "You should however generate new keys using rsa or ed25519."
> fi
> ==
> 
> 
> Also SHA1 hashes are disabled and you will get errors like these when you try 
> to login to a server which is still using deprecated ciphers:
> 
> Unable to negotiate with XXX.XX.XXX.X: no matching host key type found. Their 
> offer: ssh-dss
> 
> Unable to negotiate with XXX.XX.XXX.X: no matching key exchange method found. 
> Their offer: diffie-hellman-group1-sha1
> 
> If this is within your LAN and therefore relatively protected, you could 
> specify deprecated ciphers and hashes like so:
> 
> ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o 
> HostKeyAlgorithms=+ssh-dss 
> my_u...@xxx.xx.xxx.X
> 
> 
> Alternatively, after you create a strong prime:
> 
> ssh-keygen -t rsa -b 4096
> 
> 
> or probably better to use ed25519:
> 
> ssh-keygen -t ed25519
> 
> HTH.

The only software that uses ssh-dss key and I need is nxserver.

I just added a line to my: sshd_config
PubkeyAcceptedKeyTypes=+ssh-dss

restarted "sshd and nxserver" but I nxserver still doesn't work,
running:  nxsetup --test (I get):

> Testing your nxserver connection ...
Permission denied (publickey,password,keyboard-interactive).
Fatal error: Could not connect to NX Server.

--
Thelma

Re: [gentoo-user] Heads up: Video mode and booting with KVM switch

2015-11-14 Thread Walter Dnes 
  Thanks for the ideas.  "video=VGA-1:1920x1080@60" (as indicated by
xrandr) didn't work well.  The text console showed 2 copies of the
screen side-by each.  Imagine working with the "screen" or "tmux"
program, or the vim ":vsplit" command.  And it was offset 3/4 inch down
and to the right.  X Window showed only one image, but the down and
right shift was still there.  I couldn't see the autoraising menubar at
the bottom of the screen in ICEWM, so it was unusable.

  "video=VGA-1:1920x1080@60m", where the "m" is to allow some margin in
the calculations, got rid of the double image in text console, but the
down and right shift was still there in both the text console, and X.

  I tried sticking "xrandr -s 1920x1080" in my .xinitrc.  It "works",
but the fonts are noticably "fatter" after a disconnected boot versus
a connected boot.

  I ran "cp /sys/class/drm/card0/card0-VGA-1/edid my_edid.bin" and I'll
try loading it in the kernel later today.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications

Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

2015-11-14 Thread Neil Bothwick 
On Sat, 14 Nov 2015 08:54:38 -0700, the...@sys-concept.com wrote:

> The only software that uses ssh-dss key and I need is nxserver.
> 
> I just added a line to my: sshd_config
> PubkeyAcceptedKeyTypes=+ssh-dss

You should add this to a Host section, so it only enables the wek
encryption for that host.

> restarted "sshd and nxserver" but I nxserver still doesn't work,
> running:  nxsetup --test (I get):
> 
> > Testing your nxserver connection ...  
> Permission denied (publickey,password,keyboard-interactive).
> Fatal error: Could not connect to NX Server.

That doesn't look like the error you get from an unsupported key, which
is something like

Unable to negotiate with x.x.x.x: no matching host key type found. Their offer: 
ssh-dss

Is nxserver trying to connect as root? It looks more like the disabling
of passworded root logins in OpenSSH.


-- 
Neil Bothwick

What do you get if you cross an agnostic, an insomniac and adyslexic?
Someone who lies awake at night wondering if there really is a dog.


pgp2e6tycZpN0.pgp
Description: OpenPGP digital signature

Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

2015-11-14 Thread thelma 
On 11/14/2015 02:22 PM, Neil Bothwick wrote:
> On Sat, 14 Nov 2015 08:54:38 -0700, the...@sys-concept.com wrote:
> 
>> The only software that uses ssh-dss key and I need is nxserver.
>>
>> I just added a line to my: sshd_config
>> PubkeyAcceptedKeyTypes=+ssh-dss
> 
> You should add this to a Host section, so it only enables the wek
> encryption for that host.
> 
>> restarted "sshd and nxserver" but I nxserver still doesn't work,
>> running:  nxsetup --test (I get):
>>
>> > Testing your nxserver connection ...  
>> Permission denied (publickey,password,keyboard-interactive).
>> Fatal error: Could not connect to NX Server.
> 
> That doesn't look like the error you get from an unsupported key, which
> is something like
> 
> Unable to negotiate with x.x.x.x: no matching host key type found. Their 
> offer: ssh-dss
> 
> Is nxserver trying to connect as root? It looks more like the disabling
> of passworded root logins in OpenSSH.



Here is my sshd_config: (nxserver works with openssh-6.9_p1-r2)
As soon as I upgrade to openssh-7, enable:
PubkeyAcceptedKeyTypes=+ssh-dss

restart: sshd
and nxserver gives me an error message (like above).

Yes, I'm running "nxsetup --test" as root.

#   $OpenBSD: sshd_config,v 1.95 2015/04/27 21:42:48 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and
.ssh/authorized_keys2
# but this is overridden so installations will only check
.ssh/authorized_keys
#AuthorizedKeysFile .ssh/authorized_keys

# Added Nov 14/15, needed for nxserver to work
# PubkeyAcceptedKeyTypes=+ssh-dss

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox  # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# here are the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
#LpkUserDN   ou=users,dc=phear,dc=org
#LpkGroupDN  ou=groups,dc=phear,dc=org
#LpkBindDN