Archive for the 'ldap' Category

Determine attribute update time from a CSN in Directory Server 5/6

I needed to determine the update time for a particular attribute for one of my customers.  I knew I had run across how to get it from a CSN attribute.

If you can obtain the CSN of an attribute (e.g. from the nscpentrywsi operational attribute), the timestamp is the first 8 characters of the CSN, in hex format.

For example:

nscpentrywsi: cn;adcsn-494d685d000000010000;vucsn-494d685d000000010000: The K

The timestamp in hex is: 494d685d

With a bit of Perl magic, we can obtain the localtime value:

perl -e 'print localtime(hex("494d685d")) . "\n";'

Which returns:

Sat Dec 20 16:49:17 2008
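The same decoding in Python, as an added example that is not part of the original post. The post only states that the first 8 hex characters are the timestamp; the split of the remaining 12 characters into sequence number, replica id and subsequence number is an assumption taken from the Directory Server replication CSN format, and the sample nscpentrywsi line, the helper names and the fixed -5h "EST" offset (used to reproduce the post's localtime output without depending on the machine's zone) are all constructed here.

```python
"""Decode Directory Server CSNs (as seen in nscpentrywsi) into timestamps.

Added example, not code from the post. The field layout beyond the timestamp
is an assumption based on the DS replication CSN format.
"""
import re
from datetime import datetime, timezone, timedelta

# Constructed sample, modelled on the nscpentrywsi line in the post
# (the attribute value is cut off in the post, so it is truncated here too).
SAMPLE_NSCPENTRYWSI = "cn;adcsn-494d685d000000010000;vucsn-494d685d000000010000: The K"

# A CSN is 20 hex digits: 8 (timestamp, seconds since the Unix epoch)
# + 4 (sequence number) + 4 (replica id) + 4 (subsequence number).
# Only the timestamp part is stated in the post; the rest is assumed.
CSN_RE = re.compile(r"^[0-9a-fA-F]{20}$")

# Fixed -5h offset so the post's "Sat Dec 20 16:49:17 2008" is reproducible;
# in practice use the zone you actually care about.
NEW_YORK_DEC_2008 = timezone(timedelta(hours=-5), "EST")


def parse_csn(csn: str) -> dict:
    """Split a CSN into its integer fields; raise ValueError on bad input."""
    if not CSN_RE.match(csn):
        raise ValueError(f"not a 20-hex-digit CSN: {csn!r}")
    return {
        "timestamp": int(csn[0:8], 16),    # what the post's perl one-liner decodes
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def csn_time(csn: str, tz: timezone = timezone.utc) -> datetime:
    """Timestamp of a CSN as a timezone-aware datetime in the given zone."""
    return datetime.fromtimestamp(parse_csn(csn)["timestamp"], tz)


def attribute_csns(nscpentrywsi_value: str) -> tuple:
    """Pull the attribute name and its CSN tags out of one nscpentrywsi value.

    Values look like 'attr;adcsn-<csn>;vucsn-<csn>: value'. Tag names are
    kept exactly as they appear (e.g. 'adcsn', 'vucsn'); tags that do not
    carry a well-formed CSN are ignored.
    """
    head, sep, _value = nscpentrywsi_value.partition(": ")
    if not sep:
        raise ValueError("expected 'attr;tag-<csn>;...: value'")
    attr, *tags = head.split(";")
    csns = {}
    for tag in tags:
        kind, dash, csn = tag.partition("-")
        if dash and CSN_RE.match(csn):
            csns[kind] = csn
    return attr, csns


def update_times(nscpentrywsi_value: str, tz: timezone = timezone.utc) -> dict:
    """Map each CSN tag of the value to its decoded time."""
    _attr, csns = attribute_csns(nscpentrywsi_value)
    return {kind: csn_time(csn, tz) for kind, csn in csns.items()}


if __name__ == "__main__":
    attr, csns = attribute_csns(SAMPLE_NSCPENTRYWSI)
    fmt = "%a %b %d %H:%M:%S %Y"            # same shape as perl's localtime()
    for kind, csn in csns.items():
        fields = parse_csn(csn)
        print(f"{attr} {kind}={csn}: replica {fields['replica_id']}, "
              f"UTC {csn_time(csn):{fmt}}, local {csn_time(csn, NEW_YORK_DEC_2008):{fmt}}")
```

Running it prints the UTC time alongside the -5h local time, which is the value the post's one-liner produced on a New York box.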

Longer term self-signed OpenSSL Certificates and Sun DSEE Directory Server

I’ve long had an itch to scratch about the default 3-month duration of self-signed certificates available in Sun DSEE 6.x.

For the initial part, I’ve followed the instructions available at http://www.akadia.com/services/ssh_test_certificate.html.

Create your server’s key

# openssl genrsa -des3 -out server.key 1024

<it will ask for a password, twice>

Remove the passphrase from the key; one less thing to remember.

# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key

We need to generate a certificate signing request from the Sun Directory Server (DSEE).

cd /path/to/dsadm

./dsadm request-cert --name "ldap.example.com" --org "Example.com" --org-unit "IT" --city "New York" --state "New York" --country "USA" /path/to/ldap > /tmp/server.csr

Sign the certificate request locally, using the key we generated ourselves.  In my case, I'm making it good for approximately 10 years (3650 days).

# openssl x509 -req -days 3650 -in /tmp/server.csr -signkey server.key -out server.crt

We now have a certificate, server.crt, which we need to add to the directory keystore:

./dsadm add-cert /path/to/ldap 'ldap.example.com' server.crt

./dsadm restart /path/to/ldap
./dsconf set-server-prop -h hostname -p 389 ssl-rsa-cert-name:ldap.example.com

That's all it takes to get your server running with a self-signed 10-year certificate.
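Two checks worth scripting once server.crt exists: that the validity window really is the 3650 days you asked for (and how much of it is left), and that the certificate carries the same public key as the CSR the directory's key database produced, since a certificate whose key is not in that database cannot serve TLS. The Python below is an added example, not code from the post or from Sun's tooling; it calls the real `openssl x509 -noout -dates`, `openssl x509 -noout -pubkey` and `openssl req -noout -pubkey` commands only inside the helper functions, and the sample `-dates` output, the helper names and the 2018 "now" are constructed here.

```python
"""Check the lifetime and key match of a certificate via openssl output.

Added example, not from the post. The openssl binary is only needed by
cert_dates() and cert_matches_csr(); the parsing and date arithmetic work
offline on constructed sample output.
"""
import subprocess
from datetime import datetime, timezone

# openssl x509 -noout -dates prints lines like "notAfter=Dec 18 21:49:17 2018 GMT"
_OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"

# Constructed sample of that output for a certificate signed with -days 3650
# (not captured from a real run).
SAMPLE_DATES = (
    "notBefore=Dec 20 21:49:17 2008 GMT\n"
    "notAfter=Dec 18 21:49:17 2018 GMT\n"
)


def parse_openssl_dates(text: str) -> tuple:
    """Return (not_before, not_after) as UTC datetimes from -dates output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            value = " ".join(value.split())   # openssl pads single-digit days: "Dec  1"
            found[key] = datetime.strptime(value, _OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore and notAfter lines")
    return found["notBefore"], found["notAfter"]


def validity_days(not_before: datetime, not_after: datetime) -> int:
    """Whole days in the validity window (3650 for the post's -days 3650)."""
    return (not_after - not_before).days


def days_remaining(not_after: datetime, now: datetime = None) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    if now is None:
        now = datetime.now(timezone.utc)
    return (not_after - now).days


def same_pubkey(pem_a: str, pem_b: str) -> bool:
    """Compare two PEM public keys, ignoring line-ending and whitespace differences."""
    return "".join(pem_a.split()) == "".join(pem_b.split())


def _openssl(*args: str) -> str:
    """Run the system openssl binary and return its stdout (raises if missing)."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def cert_dates(cert_path: str) -> tuple:
    """(not_before, not_after) of a PEM certificate on disk."""
    return parse_openssl_dates(_openssl("x509", "-noout", "-dates", "-in", cert_path))


def cert_matches_csr(cert_path: str, csr_path: str) -> bool:
    """True if the certificate's public key is the one in the signing request."""
    return same_pubkey(_openssl("x509", "-noout", "-pubkey", "-in", cert_path),
                       _openssl("req", "-noout", "-pubkey", "-in", csr_path))


if __name__ == "__main__":
    nb, na = parse_openssl_dates(SAMPLE_DATES)
    on = datetime(2018, 12, 1, tzinfo=timezone.utc)   # constructed "today"
    print(f"valid {validity_days(nb, na)} days; {days_remaining(na, on)} days left on {on:%Y-%m-%d}")
```

On a live system, `cert_dates("server.crt")` and `cert_matches_csr("server.crt", "/tmp/server.csr")` give the two answers directly; a mismatch on the second means the certificate was bound to a key other than the one the directory holds.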

Directory Server 6.3 released

Sun released their Directory Server Enterprise Edition 6.3. This fixes at least one critical issue with database corruption.

You can get the full version from Sun at: http://www.sun.com/software/products/directory_srvr_ee/index.jsp.
Patches are available via Sunsolve:

Source available here.

Backing up and Restoring data from Directory Server 6

One of the largest problems I have noticed in directory deployments is invalid, or simply non-existent, backups of the directory information.  Good backups provide peace of mind when things unexpectedly go wrong (an unexpected power outage, for example).

I've found a good reference on how to do backups with Directory Server 6, and won't rehash it here.

In essence, in a large environment it may become necessary to dedicate a single instance to routine backups, because the instance has to be switched to read-only for the duration of the backup.

What I like about Directory Server 6

I’ve installed many, many Sun/Netscape/Fedora Directory Server instances. There has been plenty to like, and much to dislike as well. I’m big on not using the console for most things, as by nature, I’m a command line type person. The most compelling reasons for me to move to Directory Server 6:

Much improved command line functionality

It is now possible to install the directory server bits, create a new directory server instance, and perform configuration commands on the directory server using command line tools. While you could do some of this before, using an installation script or LDIF, these commands are called directly from the command line without needing deep internal knowledge of how to implement these functions.

As an example, creating a new directory server instance with pre-DS6 used to require either a trip to the console (if you were lucky enough to have enough access to the machine) or the use of a silent installation script.

By contrast, with DS6 you can create a new instance with a single command (albeit one that asks for the directory manager password). These commands assume it was installed in /opt/ldap:

cd /opt/ldap/ds6/bin

./dsadm create -p 389 -P 636 /opt/ldap/slapd-test

And create a new suffix with another simple command (you’ll need the directory manager password):

cd /opt/ldap/ds6/bin

./dsconf create-suffix -h localhost 'dc=domain,dc=com'

There are plenty of other examples that can be had, such as creating and initializing replication agreements, but those can be left for another day.

Unlimited number of masters in Multi-Master Replication

With the release of DS6, the number of masters in an MMR topology increased from a maximum of 4 to unlimited. This means every instance in your environment can be promoted to a master instance. Practically, this may not suit all environments, as WAN traffic and the like come into play in how your replication agreements are configured.

I’ll probably revisit this topic again in the future.
