Determine CSN update time from CSR in Directory Server 5/6

Published by Mike on December 22, 2008 under ldap, replication, sun

I needed to determine the update time for a particular attribute for one of my customers.  I knew I had ran across how to get it from a csn attribute.

If you can obtain the CSN of an attribute, ie: from the nscpentrywsi operational attribute), the timestamp is the first 8 bytes of the CSN, in hex format.

ie:

nscpentrywsi: cn;adcsn-494d685d000000010000;vucsn-494d685d000000010000: The K

The timestamp in hex is: 494d685d

With a bit of perl magic, we can obtain the localtime value:

perl -e ‘print localtime(hex(”494d685d”)) . “\n”;’

Which returns:

Sat Dec 20 16:49:17 2008

No Comments »

Longer term self-signed OpenSSL Certificates and Sun DSEE Directory Server

Published by Mike on December 10, 2008 under ldap, sun

I’ve long had an itch to scratch about the default 3-month duration of self-signed certificates available in Sun DSEE 6.x.

For the initial part, I’ve followed the instructions available at http://www.akadia.com/services/ssh_test_certificate.html.

Create your server’s key

# openssl genrsa -des3 -out server.key 1024

<it will ask for a password, twice>

Make the key use no password, one less thing to remember.

# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key

We need to generate a certificate signing request, from the Sun Directory Server (DSEE).

cd /path/to/dsadm

./dsadm request-cert –name “ldap.example.com” –org “Example.com” –org-unit “IT” –city “New York” –state “New York” –country “USA” /path/to/ldap > /tmp/server.csr

Sign the certificate request locally, using the key we generated ourselves.  In my case, I’m making it good for approximate 10y (3650 days)

# openssl x509 -req -days 3650 -in /tmp/server.csr -signkey server.key -out
server.crt

We now have a cert as server.crt we need to add to the directory keystore

./dsadm add-cert /path/to/ldap ‘ldap.example.com’ server.crt

./dsadm restart /path/to/ldap
./dsconf set-server-prop -h hostname -p 389
ssl-rsa-cert-name:ldap.example.com

Thats all it takes to get your server running with a self-signed 10y certificate.

No Comments »

Directory Server 6.3 released

Published by mike on April 16, 2008 under ldap, sun

Sun released their Directory Server Enterprise Edition 6.3. This fixes at least one critical issue with database corruption.

You can get the full version from Sun at: http://www.sun.com/software/products/directory_srvr_ee/index.jsp.
Patches are available via Sunsolve:

Source available here.

No Comments »

APC Network Shutdown and Solaris 10 firewall

Published by Mike on March 26, 2008 under random, sun

One day, not too long ago, when the power went out in my neighborhood (for some unknown reason), I was pondering whether or not the machines here would shutdown cleanly.  I knew I had a reasonable amount of battery life, but that wouldn’t be enough if the outage was extensive.I had already configured the APC UPS (with the network card) to my satisfaction, and also loaded the APC Network Shutdown software into the root zone of my Solaris 10 x86 box.  Over the course of many tests, I realized that my Solaris 10 firewall was in the way.  I had to create a new rule to allow any UDP traffic, originating from the APC network interface, to allow communication to the broadcast IP address of my local network.  At first, I only allowed specific communication between the two via UDP, but after much examination, realized it was broadcasting.Here are my IPF rules: 

pass  in  quick on nge0 proto udp from 10.0.0.10 to any port = 3052
pass  in  quick on nge0 proto tcp from 10.0.0.10/32 to 10.0.0.2 port = 2161 flags S keep state
pass  in  quick on nge0 proto tcp from 10.0.0.10/32 to 110.0.0.2 port = 3052 flags S keep state
pass  in  quick on nge0 proto tcp from 10.0.0.10/32 to 10.0.0.2 port = 6547 flags S keep state

Hope this saves someone some headaches in the future.

No Comments »

Blocking E-Mail By Sender Domain using Sun Java Messaging Server

Published by Mike on December 13, 2007 under E-Mail, sun

With the Sun Java Messaging Server, you can block inbound mail based on the senders E-Mail domain (as self-reported in their E-Mail), also known as their From: address. In the example here, I want to block all inbound email with a From: address from Zambia (TLD: .za). It doesn’t matter where in the world it is sent from, any inbound E-Mail that is said to be from a .za domain will get blocked automatically.

In order to keep my mappings file (/opt/msg/msg-test/config/mappings) more readable, and to keep the items organized, I created a file of domains that I block, and include it in my mappings file in the right section. I named my file /opt/msg/msg-test/config/orig_send_access_block.txt .

I do an include of the file in the ORIG_SEND_ACCESS section of the mappings file. It is the first content line, as such:

ORIG_SEND_ACCESS

</opt/msg/msg-test/config/orig_send_access_block.txt
tcp_local|*|tcp_local|* $N$D30|Relaying$ not$ allowed

The contents of the orig_send_access_block.txt file are as follows (each line is indented 2 spaces):

tcp_local|*.za|*|* $NNo$ thank$ you$ Zambia

I ensured the files were readable by the id that runs Sun Java Messaging Server, then re-compiled and restarted the imsimta dispatcher.

./imsimta cnbuild

./imsimta chbuild

./imsimta restart

No Comments »

Next Page »