The K Blag » ldap

Determine CSN update time from CSR in Directory Server 5/6

Mike — Mon, 22 Dec 2008 16:50:38 +0000

I needed to determine the update time for a particular attribute for one of my customers. I knew I had ran across how to get it from a csn attribute.

If you can obtain the CSN of an attribute, ie: from the nscpentrywsi operational attribute), the timestamp is the first 8 bytes of the CSN, in hex format.

ie:

nscpentrywsi: cn;adcsn-494d685d000000010000;vucsn-494d685d000000010000: The K

The timestamp in hex is: 494d685d

With a bit of perl magic, we can obtain the localtime value:

perl -e ‘print localtime(hex(”494d685d”)) . “\n”;’

Which returns:

Sat Dec 20 16:49:17 2008

bookmark to

Longer term self-signed OpenSSL Certificates and Sun DSEE Directory Server

Mike — Wed, 10 Dec 2008 14:28:15 +0000

I’ve long had an itch to scratch about the default 3-month duration of self-signed certificates available in Sun DSEE 6.x.

For the initial part, I’ve followed the instructions available at http://www.akadia.com/services/ssh_test_certificate.html.

Create your server’s key

# openssl genrsa -des3 -out server.key 1024

Make the key use no password, one less thing to remember.

# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key

We need to generate a certificate signing request, from the Sun Directory Server (DSEE).

cd /path/to/dsadm

./dsadm request-cert –name “ldap.example.com” –org “Example.com” –org-unit “IT” –city “New York” –state “New York” –country “USA” /path/to/ldap > /tmp/server.csr

Sign the certificate request locally, using the key we generated ourselves. In my case, I’m making it good for approximate 10y (3650 days)

# openssl x509 -req -days 3650 -in /tmp/server.csr -signkey server.key -out
server.crt

We now have a cert as server.crt we need to add to the directory keystore

./dsadm import-selfsign-cert /path/to/ldap ‘ldap.example.com’ server.crt

./dsadm restart /path/to/ldap
./dsconf set-server-prop -h hostname -p 389
ssl-rsa-cert-name:ldap.example.com

Thats all it takes to get your server running with a self-signed 10y certificate.

bookmark to

Directory Server 6.3 released

mike — Wed, 16 Apr 2008 16:51:48 +0000

Sun released their Directory Server Enterprise Edition 6.3. This fixes at least one critical issue with database corruption.

You can get the full version from Sun at: http://www.sun.com/software/products/directory_srvr_ee/index.jsp.
Patches are available via Sunsolve:

Source available here.

bookmark to

Backing up and Restoring data from Directory Server 6

Mike — Mon, 26 Nov 2007 19:54:10 +0000

One of the largest problems that I have noticed when doing directory deployments, are either invalid, or non-existent backups of their directory information. They often assure peace of mind when things unexpectedly go wrong (a la unexpected power outages).

I’ve found a good reference to how to do backups with Directory Server 6; and won’t rehash them here.

In essence, it may become necessary to have a single instance dedicated to doing routine backups in a large environment. This is because you need to be able to turn the instance to read-only for the duration of the backup.

bookmark to

What I like about Directory Server 6

Mike — Wed, 21 Nov 2007 18:46:23 +0000

I’ve installed many, many Sun/Netscape/Fedora Directory Server instances. There has been plenty to like, and much to dislike as well. I’m big on not using the console for most things, as by nature, I’m a command line type person. The most compelling reasons for me to move to Directory Server 6:

Much improved command line functionality

It is now possible to install the directory server bits, create a new directory server instance, and perform configuration commands on the directory server using command line tools. While you could do some of the features before using things like an installation script, or using LDIF, these commands are called directly from the command line without superb internal knowledge of how to implement these functions.

As an example, creating a new directory server instance with pre-DS6 used to require either a trip to the console (if you were lucky enough to have enough access to the machine); or the use of an silent installation script.

By contrast, you are able to create a new instance with DS6 with a simple command (albeit, it does ask for the directory manager password) (these commands assume it was installed in /opt/ldap):

cd /opt/ldap/ds6/bin

./dsadm create -p 389 -P 636 /opt/ldap/slapd-test

And create a new suffix with another simple command (you’ll need the directory manager password):

cd /opt/ldap/ds6/bin

./dsconf create-suffix -h localhost ‘dc=domain,dc=com’

There are plenty of other examples that can be had, such as creating and initializing replication agreements, but those can be left for another day.

Unlimited number of masters in Multi-Master Replication

With the release of DS6, the number of masers in an MMR increased from a maximum of 4 to unlimited. This can result in each instance in your environment being promoted to a master instance. Practically, this may not suit all environments, as WAN traffic and such comes into play with how your replication agreements are configured.

I’ll probably revisit this topic again in the future.

bookmark to

Sun Directory Server 5.2 6-Way MMR – part 8 – Enable Directory Server backends for updates

Mike — Tue, 20 Nov 2007 15:00:24 +0000

Once the directory server replica’s are configured and initialized, the final step is to enable them to accept updates.

This step was added as there is a necessary catch-up time when initializing MMR (especially in a busy environment); where by the time an instance is initialized, it is out-of-date until all the subsequent updates have been propagated. When I had to do this the first time, I was working off static data, and didn’t need to worry about performing this when the updates have been propagated, as there were no updates.

The only instance and suffixes that do not need to be enabled are those on ultimate master, which had all the data initially. All other instances need to be enabled after the replica’s have caught up.

In summary, those instances are:

ds0: nothing needs to be enabled

ds1: user/group, o=internet, o=piserverdb, o=pab, o=comms-config, o=netscaperoot

ds2: user/group, o=internet, o=piserverdb, o=pab, o=comms-config, o=netscaperoot

ds3: user/group, o=internet, o=piserverdb, o=pab, o=comms-config, o=netscaperoot

ds4: user/group, o=internet, o=piserverdb, o=pab, o=comms-config, o=netscaperoot

ds5: user/group, o=internet, o=piserverdb, o=pab, o=comms-config, o=netscaperoot

I’ve created an example command set to enable a directory server backend.

bookmark to

Enable Directory Server 5.2 database back-end

Mike — Mon, 19 Nov 2007 15:43:32 +0000

In a MMR agreement, the consumer instance backend that has been initialized needs to be enabled before it can begin accepting replication updates. This is a feature to allow a newly replicated master to catch-up on changes that have occurred during the initialization.

An example LDIF of how to enable a backend:

dn: cn=replica, cn=“suffix“,cn=mapping tree,cn=config
changetype: modify
add: ds5BeginReplicaAcceptUpdates
ds5BeginReplicaAcceptUpdates: start

I created and saved the LDIF to enable this backend suffix as /tmp/enablesuffix.ldif; and ran the ldapmodify command to perform the enable.

/usr/bin/ldapmodify -h host -p port -D ‘rootdn‘ -w ‘password‘ -c -f /tmp/enablesuffix.ldif

More information about MMR convergence from Sun.

bookmark to

Sun Directory Server 5.2 6-Way MMR – part 7 – Initialize replication agreements

Mike — Fri, 16 Nov 2007 15:03:03 +0000

To be usable in an MMR, all the suffixes on each instance that are part of the MMR (or replication in general) need to be initialized from the ultimate master (where the data was initially loaded). As some of the instances are not directly replicated from this instance (as there are a maximum of 3 MMR agreements from this instance); but instances which do replicate to them can initialize that data.

In order to successfully initialize all the replica’s in a short amount of time, the first master ( where all the initial data was loaded ), first replicates to a counterpart; then they both replicate to another instance that had not been replicated before. With alot of data, this can take hours to perform.

One methodology I’ve used is:

ds0 initializes all suffixes on ds3
ds0 initializes all suffixes on ds1 & ds3 initializes all suffixes on ds4
ds0 initializes all suffixes on ds5 & ds3 initializes all suffixes on ds2

Do so in this manner will allow you to initialize all the instance suffices in a relatively short amount of time.

After initializing a suffix, before it can accept updates, it needs to have its database back-end enabled, which I’ll write about at a different time.

I’ve created a short example of how to initialize a replica.

bookmark to

Initialize a database suffix in Directory Server 5.2

Mike — Thu, 15 Nov 2007 15:13:11 +0000

In a replicated environment, all (initial) data should flow from a single master to all other instances. After preparing the (destination) directory server for replication, the remote instance database needs to be initialized.

An example replication initialization:

dn: cn=replication agreement name:389,cn=replica,cn=suffix,cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start

With our LDIF written as /tmp/reinit.ldif; run the following ldapmodify command:

/usr/bin/ldapmodify -h host -p port -D ‘rootdn‘ -w ‘password‘ -c -f /tmp/reinit.ldif

bookmark to

Sun Directory Server 5.2 6-Way MMR – part 6 – Create replication agreements

Mike — Wed, 14 Nov 2007 14:42:03 +0000

Up until now, we’ve been preparing each of our instances to participate in MMR; at this point, we create the replication topology and the replication agreements.

Being as each of our 6 instances will be masters, and with Directory Server 5.2, there is a limit of 4 masters in an MMR, a bit of creativity must be employed. Each of the master instances will replicate each of its back-end databases (user/group, o=internet, o=pab, o=piserverdb, o=comms-config and o=netscaperoot) to each of its immediate peer instances, meaning those that are numbered sequentially lower and higher; as well as another instance that is neither sequentially lower or higher.

The replication agreement list is defined below.

ds0 -> ds5 / ds1 / ds3

ds1 -> ds0 / ds2 / ds4

ds2 -> ds1 / ds3 / ds5

ds3 -> ds2 / ds4 / ds0

ds4 -> ds3 / ds5 / ds1

ds5 -> ds4 / ds0 / ds2

So, the instances on the instance ds0 will replicate each of its back-end databases to ds5, ds1 and ds3. Being as each master has only 3 MMR replication agreements per backend, they each believe they are in a 4-way MMR; while in actuality, there are 6 masters serving the data.

For information on how to create the actual replication agreement LDIF; please follow my instructions.

bookmark to