Continue reading »]]> I recently had to undertake some work to enable users to seamlessly authenticate to Google Apps using an identity stored in a custom Secure Token Service such as the excellent IdentityServer open source STS by Dominick Baier.  The work involved is mostly configuration in Google Apps and ADFS but there are quite a number of steps and as it was non-trivial I thought I’d document it here for reference.  Note that Google Apps uses SAML 2.0 tokens and because ADFS is brokering the authentication, you shouldn’t have any problems with compatibility as ADFS 2.0 can issue SAML 2.0 tokens.

Here’s a quick architecture diagram:

Key:

Green arrows = user request flow

Blue arrows = service response flow

Overview

For those of you impatient, here’s a quick overview of the steps required:

1. Enable SSO in Google Apps
2. Enter correct ADFS urls into Google Apps
3. Upload ADFS Token Signing Certificate so Google Apps can verify the SAML tokens
4. Add Google Apps as a Relying Party in ADFS
5. Test

I will now walk through each stage in detail, for those who like the details.

Enable SSO in Google Apps

The first stage is to enable Single Sign-on in Google Apps.  Log in to your administration console at /">http://www.google.com/a/<your-domain>/.  Click on Advanced Tools and in the Authentication section click on Set up single sign-on (SSO):

This will take you through to a configuration screen.  Make sure the checkbox next to Enable Single Sign-on is ticked, and then enter the following values:

Sign-in page URL: https://adfs.yourdomain.com/adfs/ls/

Sign-out page URL: https://adfs.yourdomain.com/adfs/ls/

Change password URL: https://sts.yourdomain.com/startersts/users/password.aspx

Verification certificate: Upload the ADFS Token Signing cert (.cer file) which you can obtain from the AD FS 2.0 Management Console (under Service > Certificates).  Remember to click Upload.

Check the box next to “Use a domain specific issuer”.

Enter some network addresses into the Network masks box if you wish.

At this point Single sign-on is configured and enabled.  Note that this will take immediate effect on your access to Google Apps services so beware!  However it does not affect your login to the admin console – that is always accessed via a manual login, so you can get in and turn it off again.

Configure ADFS

Open up the AD FS 2.0 Management Console and navigate to the Relying Parties section.  Click Add Relying Party Trust and follow these steps:

Choose Enter data about the relying party manually

Provide a name for the trust (not important, only so you can easily identify it)

Choose AD FS 2.0 profile

Tick Enable support for the SAML 2.0 WebSSO protocol and enter /acs">https://www.google.com/a/<your-domain>/acs into the Relying party SAML 2.0 SSO service URL

Enter google.com/a/<your-domain> as the relying party identifier

Complete the wizard.

Then click on the newly added item and click Properties.  Click on the Signature tab and click add:

Here we add the Token Signing Certificate – it must be the same one that we uploaded in the Google admin console, and this should be the ADFS Token Signing Certificate.

Once you’ve done that click OK to close the Properties dialog.

Now click Edit Claim Rules and click Add Rule:

Select Transform an Incoming Claim from the Claim rule template drop-down:

Give the rule a name, select E-Mail Address as the Incoming Claim Type, set the Outgoing claim type to Name ID and the Outgoing name ID format to Email:

Finish the wizard.

Test

I’ve assumed here that you’ve already got your custom STS configured as a Claims Provider in ADFS.  To test the end-to-end service, visit http://mail.google.com/a/<your-domain>.  You should get redirected to ADFS.  Choose your STS and then enter your credentials.  You should then be redirected back to Google Apps and arrive at your mailbox, logged in.

If you hit problems, check these items:

- You’ve got the correct certificate uploaded to Google Apps and configured in ADFS

- The time on the ADFS server and custom STS servers is correct

- Google Apps SSO configuration is correct

- If all else fails, try Googling!

Continue reading »]]> I’ve been using the awesome StarterSTS project created by Dominick Baier.  In the words of Dominick:

StarterSTS is a compact, easy to use security token service that is completely based on the ASP.NET provider infrastructure. It is built using the Windows Identity Foundation and supports WS-Federation., WS-Trust, REST, OpenId and Information Cards.

The StarterSTS System Requirements specify IIS 7.x which implies a Windows 2008 variant operating system.  I recently had a requirement to get it running on a Windows 2003 server (with IIS 6), and it isn’t all that straightforward so I thought I’d post the steps (and as much reasoning as possible here).

Prerequisites

You’ll need the following things to hand to get going:

• StarterSTS download (I’ve tested with StarterSTS 1.2)
• A certificate for IIS (can be self-signed)
• Windows Identity Foundation for Windows 2003
• WinHTTPCerfCfg tool

Installation

Follow the StarterSTS instructions to extract the web package and create the site in IIS.  Make sure you install the SSL certificate on the IIS web site, and follow the subsequent instructions to set up the relevant StarterSTS configuration files.

If you haven’t installed the WIF package you’ll get an error similar to this:

Could not load file or assembly Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 or one of its dependencies. The system cannot find the file specified.

Run the WIF install package and that error will go away.

You should then be able to bring up the StarterSTS homepage:

Go ahead and create yourself a user account by visiting /signup.aspx (remember to create the database as in the StarterSTS instructions):

Token Issuance

This is where the configuration gets a bit more involved.

Note: The auto-generation of federation meta-data doesn’t work on IIS 6 (normally you would hit /FederationMetadata/2007-06/FederationMetadata.xml).

Try visiting the following URL:

https://sts.gws.lab.local/startersts/users/issue.aspx?wa=wsignin1.0&wtrealm=http://adfs.leastprivilege.vm/adfs/services/trust

(Remember to replace the first part with the address of your server.  The value of wtrealm depends on what you’ve put in the configuration/relyingParties.config file in StarterSTS.  In this example I’m just using the sample entry that comes with the source download.)

The first error you’ll see is:

The handle is invalid. System.Security.Cryptography.CryptographicException: The handle is invalid.

This error comes about because the identity of the IIS Process executing the StarterSTS code cannot access the private key of your signing certificate (as specified in configuration/certificates.config).  In Windows 2008, this is easily fixed using the Certificates MMC Snap-In, but not so in Windows 2003 (the option isn’t available).  This is where the WinHTTPCertCfg tool comes in handy.  It allows us to check and set the user identities with access to certificates installed on the machine [read X509 Certificates on Windows Server 2003 for more info].

If you followed the default install settings, then the tool will have installed to c:\Program Files\Windows Resource Kits\tools\.  Open a Command Prompt, switch to this directory and run the following command to see which user identities have access to the certificate:

winhttpcertcfg.exe -l -c LOCAL_MACHINE\My -s "sts.gws.lab.local"

Note: Replace the “sts.gws.lab.local” with the Common Name on your certificate.

Now you need to check which user is running IIS.  This is done by looking at the properties on the Application Pool assigned to the StarterSTS virtual directory:

My server is running with the out-of-the-box account Network Service.  Now that we know this, we can go back to the Command Prompt and grant this account permissions over the private key:

winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s "sts.gws.lab.local" -a "NetworkService"

Restart IIS and go back to the the issue.aspx URL and you’ll likely get this error now:

Object identified (OID) is unknown. System.Security.Cryptography.CryptographicException: Object identifier (OID) is unknown.

This comes about due to the need to configure RSA-SHA256 on Windows 2003.  For more details on this see this MSDN Forum Post – CryptographicException – Object identifier (OID) is unknown.  Follow the steps in the forum answer:

• Download Security.Cryptography.dll from http://clrsecurity.codeplex.com/releases/view/28365
• Create a new .NET 3.5 Console Application
• Add a reference to the Security.Cryptography.dll
• Add the following code:

using Security.Cryptography;

class Program
{
    static void Main(string[] args)
    {
        Oid2.RegisterSha2OidInformationForRsa();
    }
}

• Build and run the console application (alongside the DLL) on the server

Alternatively, save yourself the hassle and download the ZIP that I made earlier.

After that, everything should fly, and StarterSTS should issue a token and redirect you back to the relying party specified in the wtrealm parameter.  I grabbed a couple of screenshots using Fiddler to show it working:

And that’s it!  I hope this has been helpful, it was very rewarding when I got this working and I have repeated it several times on different boxes.

Continue reading »]]>

Last night, with a couple of hours to spare, I decided to get on and move my blog away from WordPress.com to my own hosting.  Why do this?

• Access to my own Google Analytics data
• Use of any plugin I like
• Association my content with my domain name
• Greater control over the site, to, for example, add Google Authorship links

I’ve been running the blog on WordPress.com since 6th December 2007, but time has come to move to new pastures.   The move process was very simple:

1. Set up WordPress on my Linux server (5 minutes)
2. Export existing blog content using WordPress XML export
3. Import XML into new blog
4. Pay $12 / year to 301 all pages / posts from the old blog to the new domain

Continue reading »]]> I’ve recently made a foray into the world of Zend Framework.  If you’ve not come across it, it is one of several popular PHP frameworks that implements the Model View Controller software architecture.

By day I’m mostly devoted to hacking ASP.NET MVC, but having had some experience with PHP I decided to get my teeth stuck into Zend for a new PHP project I’ve been working on.  Somewhere in my head I have another blog post to write about the dyer state that is documentation for Zend, but that’s a topic for another night.

This post details my journey through figuring out how PHP sessions really work and how to fix them for properly bringing down a user’s session after a period of inactivity, in the context of Zend Framework (although most of the post applies to PHP proper).

Get your server’s clock synchronised

The PHP session files are date-stamped when they are created/updated.  The PHP Session cookie that gets sent to the browser has an expiry date-stamp on it.  While you can’t rely on the client’s system clock to be correct, making sure your server’s is makes debugging less of a headache.

On a Windows server this should already be set up – if not check the Date & Time Properties in Control Panel and pay attention to the Internet Time tab.  On a Linux server it’s a case of installing and configuring the ntp package – a bit of Googling should show you the way with whichever distribution you are using.

The options for session timeouts

There are a number of options as to how you can handle session timeouts, as I see it:

1. Keep the session alive until the user closes their browser
2. End the session after a fixed period of time (regardless of activity)
3. End the session after a fixed period of time with no activity
4. Some combination of the above

I’d put my money on the best user experience being a combination of point 1) and point 3).  This, rather surprisingly, isn’t as straightforward as you would hope.

PHP Session Settings – What they mean

There are a handful of PHP settings relating to sessions, and understanding how sessions work and what these settings do is critical to getting the behaviour you desire.

PHP sessions are stored as files (by default) – the files contain a serialised version of the $_SESSION superglobal arrray.  The path to these files is set by session.save_path.

N.B. Security Warning – make sure no other users can get to the session directory.  Files are stored unencrypted and therefore should be treated with the same caution as password files.

An interesting side note: if you inspect the cookie PHPSESSID (the default name for the PHP Session Cookie), you’ll notice a funny looking value.  Now take a look at the contents of the PHP session directory – hey presto, there’s a file called sess_<SESSIONID>. Simple eh.

Each time PHP session_start() is called (which is not just when you first start a session, but every time you want to load session data into your app, i.e. on every request for most apps), PHP works out whether or not it should run the session garbage collector.

Garbage – what garbage?

The session garbage collector runs around and checks all of the timestamps on the session files and compares them to the current time less the session.gc_maxlifetime value, to work out if a file should be deleted (because it has exceeded it’s lifetime).

You might think that the garbage collector would run on every session_start(), to avoid any expired session files being left hanging around.  However there is a performance overhead with this and so PHP uses two settings, session.gc_probability and session.gc_divisor to calculate the probability that it should run the garbage collector (it does this by dividing the two and then rolling it’s own dice to see whether it should run).

N.B. Remember that each time you access the session the timestamp on the session file gets updated, this stops the garbage collector from killing a user’s session while they are still active.

This all sounds very cosy and like it will do just what I want – dump the user’s session after a period of inactivity (as specified by session.gc_maxlifetime).  And on low volume sites you could force the garbage collector to run every time by making the probability 100%.

However, all is not quite so straightforward!

The order of things

I’m sure there’s a good reason for this, but I’m not aware of what it is.  PHP first loads up the session, then works out if it should run the garbage collector.  So even if the garbage collector runs every time and the session file has expired, on the first request the user will appear to still have a session, and then only on the next request they won’t.

Imagine this scenario.  A user has logged in to your site.  They go away for lunch, and during that time their session has expired.  They come back and hit refresh – the screen reloads with their session apparently intact.  All is looking good.  Then they click somewhere else and bam – their session is gone.  Kinda confusing really.

In an ideal world there would be a way to check for dead sessions before the session fires up, and in fact there is, but you have to roll it yourself.

Did I mention Zend Framework?

So far everything I have covered is PHP proper, no mention of Zend.  However the Zend_Session object is based on all of these settings, and therefore it warrants understanding the underlying PHP behaviour first.

The solution to this problem is to roll your own inactivity timeout check.  I needed this to implement inactivity logouts.  I used the following code to do my tracking:

$idleTimeout = 3600; // timeout after 1 hour</span>

if(isset($_SESSION['timeout_idle']) &amp;&amp; $_SESSION['timeout_idle'] &lt; time()) {
Zend_Session::destroy();
Zend_Session::regenerateId();
header('Location: /account/signin');
exit();
}

$_SESSION['timeout_idle'] = time() + $idleTimeout;

N.B. If you’re not using Zend Framework you can exchange the Zend_Session lines for their standard PHP equivalents.

All this does is check if we have an idle timeout set in our session (remember this gets loaded even if the session has technically expired) and if it has fallen past the current time we tear down the session, regenerate the session ID (to avoid picking up the existing session file) and head off to the log in screen.

Specifically to Zend, you can set the following settings in the application.ini file:

resources.session.gc_probability = 1
resources.session.gc_divisor = 1
resources.session.gc_maxlifetime = 3600
resources.session.idle_timeout = 3600

And then place the custom idle time out code inside this function in Bootstrap.php:

protected function _initSession()
{
# set up the session as per the config.
$options = $this->getOptions();
$sessionOptions = array(
'gc_probability'    =>    $options['resources']['session']['gc_probability'],
'gc_divisor'        =>    $options['resources']['session']['gc_divisor'],
'gc_maxlifetime'    =>    $options['resources']['session']['gc_maxlifetime']
);

$idleTimeout = $options['resources']['session']['idle_timeout'];

Zend_Session::setOptions($sessionOptions);
Zend_Session::start();

# now check for idle timeout.
if(isset($_SESSION['timeout_idle']) && $_SESSION['timeout_idle'] < time()) {
Zend_Session::destroy();
Zend_Session::regenerateId();
header('Location: /account/signin');
exit();
}

$_SESSION['timeout_idle'] = time() + $idleTimeout;
}

And that’s all there is to it!

If you know the reasoning behind some of these apparently strange PHP session operations then please post them here – I’m left scratching my head in a daze at how complex a matter it has been to implement such a standard bit of user experience.

Continue reading »]]> A few days ago I took the leap and upgraded my Macbook Air to OS X Lion.  After a seamless (and typically Apple) upgrade process, I was enjoying the benefits of an even more refined operating system.

However, one of the first things I did was test out my mobile broadband – and there the problem began.

I have an O2 mobile broadband dongle, the ZTE MF100 USB stick. When I originally installed it a small application called O2 Mobile Connect installed and worked a treat for connecting to the O2 service.

After upgrading to OS X Lion the application crashed as soon as it opened – I assume because of a change in an API somewhere. After hunting around the O2 site (and Google) I could find no update on getting the Mobile Connect application to work on Lion, or even where to download it.  It would appear that O2 have ditched supplying the ZTE dongles in favour of Huwaei branded sticks.

Anyway, I was damned if I was going to lose my mobile broadband (and I certainly didn’t want to uninstall Lion), so here’s how I eventually got the stick working:

1. Open System Preferences
2. Click on the plus sign to Create a new service
3. Choose ZTEUSBModem as the interface
4. Name the service O2 Mobile Broadband (or something recognisable)
5. Set Telephone Number to *99#
6. Set Account name to 02web
7. Set Password to password

Note that this is for Pay Monthly Broadband – I think the details are different for Pay & Go customers.

Key step: set DNS server to 193.113.200.201

And hey presto, I now have mobile broadband working again.

Hope this helps anyone out there trying to get it working.

Continue reading »]]> In late April (this year) I started out as a novice replacing our main bathroom. Last night I finished the bathroom project, and although still a novice, I’ve certainly learned a thing or two.

The Motivation

It’s taken me two months, and a lots of hours of work, late at night and during weekends. I could have paid someone to do this, but I wanted the satisfaction of understanding how it works, and it’s been a nice distraction from work.

The Final Outcome

The bathroom now looks nice and clean, spacious and modern, while retaining some of the history of the house (I’ve left the old radiator in, the door and window frames are the same).  We have a new toilet, sink and taps, bath and taps, new floor, new tiles, new light, new mirror and rails.  We’ve kept the old shower (which is actually quite new).

It should be good for many years (and baths) to come!

Laying the new floor

What I’ve Enjoyed

The most rewarding moments have been grouting the tiles (turns an ugly looking wall into a very nice finish), fitting the skirting board and connecting up the taps.  The one job I paid for was fitting the tiles – this took an experienced handyman a whole day just to cut and fix the tiles – I did most of the grouting.  This would have taken me at least twice as long to do.

In goes the bath

What I’ve Learned

Ripping out the bathroom initially took a lot longer and was a lot more difficult than I had anticipated.  This may have been in large part to problems with leaking pipe stops and not having the right tool to undo the bath taps.

Almost every plumbing joint I made leaked the first time around. Compression fittings like to be nice and tight, then they work fine without any PTFE tape or sealant. However, plastic pipe fittings (in particular the water inlet to the toilet cistern and the bath waste) took several attempts to get them sealed. I naively assumed that just fitting the supplied rubber washers would do the job. In the end I resorted to large amounts of silicone sealant – I’d pump this in first time from now on.

Continue reading »]]> The Background

One of the projects that I’ve been working on recently requires a lot of interaction between different systems, and in order to roll-out changes and carry out integration testing I needed a replica of our production environment.  However the challenge was that it required 7 machines to replicate production.

In the past I’ve happily run a few virtual images on my desktop machine, albeit paired back to 500MB RAM each.  But 7, there’s no way that’s going to run on my current desktop, even if I had enough RAM.

So I decided it was time to invest in some hardware to give me the flexibility to build larger virtual environments.

This is where VMware’s awesome ESXi product comes in (which I see has now been renamed to vSphere Hypervisor 4.1).

ESXi 101

I won’t repeat what many excellent blog posts have already said about ESXi, but essentially it’s a small operating system which can run multiple virtualised machines on top it – by providing a virtual hardware layer to the virtual machines, it can share the underlying physical system resources out. The sweet thing about this is that you can start and stop virtual machines in a matter of seconds, and very easily duplicate machines. So on one reasonably powered server, you can run a bunch of virtual machines thereby reducing your hardware overheads.

This kind of approach is great both for business line systems and development environments.  I will of course be using it for the latter.

The Hardware

One of my big concerns was getting compatible hardware, and not paying too much for it. After some Googling and talking to fellow geeks I settled on the HP Proliant ML110 G6.  This is an entry level HP server and the base build comes with a 250GB SATA drive and 1GB RAM.

Whilst I couldn’t do much about the processor, the main two limiting factors were the disk space and RAM.  Most of the virtual machines I want to create are circa 50GB each, so 250GB would run out very quickly.

Therefore I made two upgrades: I bought a Western Digital 1TB ‘green’ SATA drive (only 5400 RPM) and 8GB RAM (2x4GB).

I bought the server and the SATA drive from eBuyer and the RAM from Crucial – total spend approximately £400.

Installation

With the new hardware in place I needed one other item – a 2GB USB stick.  Yes, to make life easier you can install and boot ESXi from a USB stick, rather than take up space on your image storage drives. And the HP machine’s motherboard came with an on-board USB socket – so I simply plugged the stick into the motherboard.

I initially installed the special HP version of ESXi – supposedly it is preferable because it comes with all of the HP drivers.  However after one hour of running I discovered the kernel had performed a memory dump, and after several reoccurrences I ditched it and went back to the vanilla ESXi image and haven’t had any problems since.

Once booted it’s best to assign a static IP address to your ESXi box and then that’s it – I’ve stashed mine away in the garage.

Day-to-day use

Once the server is set up you can forget about needing to be near it, as you do everything from the equally awesome (although sometimes annoyingly sluggish) VMWare vSphere Center program. This tool allows you to create new virtual machines, upload ISO images to the datastore (you’ll need these to install any software, i.e. the operating systems for your virtual machines).

So now when I’m ready, I fire up my the virtual lab in question and I can happily run all 7 virtual images on 1GB RAM each.

And when I’m ready, I can max the RAM up to 16GB!

Happy ESXing!

Another useful reference:

Techhead – Installing VMWare ESXi 4.0 on a USB Memory Stick

Continue reading »]]> Background: In Part 1 of this series I wrote about a recent project that I worked on to synchronise contact data between a number of web applications, and how I had to work around the (current) shortcomings of their APIs.

As Scott Hanselman says, “talk is cheap – show me the code”.  So here we go…

Basecamp & Highrise APIs

Implementing an interface to the Basecamp & Highrise APIs is relatively straightforward – I did it using PHP’s curl().  My implementation doesn’t support all of the API’s functions, but you should be able to easily add any additional calls that you need.

The functions centre around a single function which does the hard work on making the request:

private function _getData($uriExtension) {
$base_url = $this->url.$uriExtension;
$session = curl_init();
curl_setopt($session, CURLOPT_URL, $base_url);
curl_setopt($session, CURLOPT_USERPWD, $this->apiKey.':X');
curl_setopt($session, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($session, CURLOPT_HEADER, false);
curl_setopt($session, CURLOPT_HTTPGET, 1);
curl_setopt($session, CURLOPT_HTTPHEADER, array('Accept: application/xml', 'Content-Type: application/xml'));
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
curl_setopt($session, CURLOPT_SSL_VERIFYPEER,false);
curl_setopt($session, CURLOPT_FRESH_CONNECT, true);
$response = curl_exec($session);
curl_close($session);
$xmlObj = new SimpleXMLElement($response);
return ($xmlObj);
}

Google Shared Contacts

This was simply done using the Zend GData classes which you can grab here.  Here’s some sample code for updating a shared contact in Google:

$client=$this->googleClientAuth('cp');
$client->setHeaders('If-Match: *');
$gdata=new Zend_Gdata($client);
$gdata->setMajorProtocolVersion(3);
// get the existing contact.
$query = new Zend_Gdata_Query($id);
$entry = $gdata->getEntry($query);
$xml = simplexml_load_string($entry->getXML());
// update title.
$xnl->title = $title;
// update the fullname.
$xml->name->fullName = $title;
// update entry.
$entryResult = $gdata->updateEntry($xml->saveXML(), $entry->getEditLink()->href);

Get more details over at the Google Apps Shared Contacts API page.

Basecamp & Highrise – Filling in the API gaps

So the big problem with the Basecamp & Highrise APIs is that they have bits missing – rather significant bits it turns out.  In particular the ability to create and update companies.

To get around this I wrote a couple of classes that use a combination of curl() and the awesome phpQuery to walk through the front-end pages and execute URLs just as a real user would.

Whilst this is not impervious to UI changes by 37Signals, it’s a fairly generic implementation and it’s a best endeavours approach given the current lack in the APIs.

Here’s some sample code:

public function createCompany($companyName) {

$success = true;

// go to the company page first, to get the token.
$resp = $this->_fetchUrl($this->_urls['base'].$this->_urls['companies'], 'GET', array(), false, $this->_ch);

phpQuery::newDocument($resp['data']);
$authToken = pq('input[name=authenticity_token]')->val();

$formFields = array(
'authenticity_token' => $authToken,
'company[name]' => $companyName,
'commit' => 'Create Company'
);

$resp = $this->_fetchUrl($this->_urls['base'].$this->_urls['companies'], 'POST', $formFields, false, $this->_ch);

// check - has this company already been created?
phpQuery::newDocument($resp['data']);
if(pq('div.flash_alert')->text() != '') {
$success = false;
$this->_errMsg = pq('div.flash_alert')->text();
}

return $success;
}

Show me the code!

So, in the hope of helping others to get synchronisation working (and work around the lack in the APIs) you can download the code at GitHub for your own use.

Enjoy!

Continue reading »]]> Yes, bank holiday weekend. Time for Easter reflections, visiting family, putting your feet up.

Also a great opportunity to get some DIY done. And with the wife and son away for the weekend, I decided to start one of several pending projects: replacing the main bathroom.

A bit of background

Our house was built in 1988, and both the main bathroom and the en-suite had not been touched since. From the beautiful stripy toothpaste style tiles to the faded pink sanitary ware, they were relics of a by-gone era of interior design, albeit functional relics.  When we moved in we had the en-suite re-fitted (I only did the flooring and painting), so the other bathroom has continued to age over the last 12 months.

My background in DIY is fairly limited – I can paint, lay laminate flooring, and generally solve most basic household problems. However I’ve never done any plumbing, tiling or bathroom work.

The (Rough) Plan

So the rough plan was to:

• Replace the bath, hand basin and toilet
• Replace the light fittings
• Keep the existing electric shower
• Re-paint and re-tile

We only decided to get on with this early in the week, so we got a move on with choosing colours, flooring and tiling.  We’ve had the toilet and hand basin in the garage since we moved in.

Sequence of Events

So I started off by removing the light fittings (after turning off the circuits of course) and the radiator.  Removing a radiator is easy – but don’t make my mistake which was answering the door, chatting for 10 minutes, and then hearing the pitter-patter of water dripping through the kitchen because I hadn’t fully tightened up the water pipe valves.

Next I removed the electric shower – again this was easy, but I had to take note of how it all went together.  And of course turn off the water before hand (and drain the system).

Then I attacked the tiles with a bolster chisel and club hammer – most of them came off fairly easily (although it’s still hard work).

So far so good.

Then came the plumbing.

I cut the pipes to the sink taps with a pipe slice, unscrewed the supporting bolts and disconnected the waste pipe. Out came the basin and pedestal. Easy.

I popped two pipe caps over the supply pipes and moved on.

Off came the side of the bath and more pipes to disconnect.  In the following two hours I used up my quota of expletives as I wrestled with getting a spanner (which had to be the largest one I had) into an impossibly small hole behind the bath with an overflow pipe in the way.

One blistered hand later, I got the bath out (gingerly moving it and hopping it over the waste pipe).

At 10pm last night I was feeling very pleased with myself – all pipes capped, two units removed, most of the tiles off. I had even turned the water back on to check the pipe work was OK and no leaks.

Then pop, and splash, and more dripping.

One of the pipe caps had come off.

A cycle that I’ve been through many times: switch off the water, drain, mop up, catch the drips in the kitchen and fixing isolation valves.  Switch the water back on, wait and check for leaks.

Today the toilet came out (surprisingly easily) leaving more pipes to sort out. 

New building regulations state that isolation valves should be fitted to all water pipes in new bathrooms.  These valves mean that you can switch off the water supply to an appliance without having to turn off the mains water supply.

I’ve spent hours today testing, tightening and re-testing these valves (and some deal of mopping up).

My conclusion: wires are nice as they bend and you can disconnect them. Pipes do not bend and cannot be turned off.  Electricity can only spark – water drips everywhere.

Electrics = good

Plumbing = bad

Top Tips

My top tips from two days’ of bathroom work:

• Check your pipe sizes before buying anything – don’t rely on B&Q advice (like I did).  This probably means removing the side of your bath to have a look (my hot water was 22mm rather than 15mm).
• Cut pipes as carefully as possibly to avoid deforming them and cutting them square
• Remove the door – space becomes limited very quickly
• Give yourself plenty of time!

References

A couple of sites that have been very useful:

How to find a bathroom suite – DIY Doctor

Remove and Replace a Toilet – DIY How To

More?

Now that I’ve removed the old bathroom, I’ve got to fit the new one, decorate and finish off…

Continue reading »]]> NOTE: You can read part 2 here or just simply get the code.

I recently worked on a project where we needed to synchronise contact data between Highrise CRM (the source), Basecamp (for project management) and Google Shared Contacts (for email).  This is a common issue for small businesses – how to keep disparate systems in sync.  There are already some proprietary systems out there which help with this but they didn’t fulfil the needs of this client so we opted for a custom tool.

I’ll write up the steps I took to get all of this working in a series of posts, but the overall architecture is thus:

Feasibility

At the time of writing I determined the feasibility of synchronising all of these three systems by looking in detail at the APIs provided.  I’ve summarised my findings here:

Google Shared Contacts

It’s worth pointing out that we needed to load up NOT Google’s personal contacts, but the domain shared contacts.  This is a repository of contacts that Google provides on its Google Apps product, and works like a Global Address List, providing a single store of contact data to all domain users.  However, for some puzzling reason Google does not provide any user interface to manage this database.  Instead you must use the Google Shared Contacts API.

IMPORTANT POINT: I got very confused as to which versions of Google Apps supports the Google Shared Contacts API. Even though the documentation pages state that it is only supported by Apps for Business (Premium) and Education, the confusing point is that YOU CAN EXECUTE THE API CALLS SUCCESSFULLY and the data IS PERSISTED.

What I later discovered was that although all of the API calls work, the data is not exposed in Google Apps.  This is very frustrating and I wish Google would make this clearer in their documentation.

Also don’t get confused between the Google Contacts Data API and the Google Shared Contacts API.

Highrise & Basecamp

Both of these products are made by 37Signals, and if you’ve ever read their books, you’ll know that they are keen proponents of open systems.  They have well documented APIs which are very easy to get up and working with.

However, when you start to use them, you discover that some key elements are missing. The APIs they have provided allow you to get all information out, but when it comes to creating data, the calls just aren’t there. Despite numerous forum posts, 37Signals have not yet given good reasons for the lack of these API calls.

To get around this, I wrote a cheeky HTTP GET, Parse and Re-POST class which effectively walks through the front-end of the site programmatically, as if it were a standard user. Whilst this has been very stable so far, if either of the products publish changes to their UI then this code may need modification.

Coding Approach

I wrote all of the code in PHP 5, so all the samples here will be in PHP, but you could easily apply the concepts to different programming languages.

I built singelton classes for each of the products, and then a controlling class to tie them up all to achieve the synchronisation. I used PHP curl() to do the web requests, and for the Google API stuff I used Zend’s GData classes to speed up the development.

Synchronisation Approach

In order to synchronise these systems I took the following approach:

• Get all Highrise Contacts
• Add to Basecamp, storing the IDs of the two data objects in a synchronisation file
• Add to Google Contacts, storing the ID of the Highrise Contact in the Notes field

Next Steps

In the next post I’ll start introducing the code I wrote to hook up to the Basecamp and Highrise APIs.