UNIX Consulting and Expertise
Golden Apple Enterprises Ltd. » Posts for tag 'LDAP'

Flash Storage fun – and some NIS+ news Comments Off on Flash Storage fun – and some NIS+ news

A couple of Sun blog posts that make excellent Friday reading. Sun are coming up with some great applications of Flash storage technology, and it’s gratifying to see this sort of “Mad Science” R&D resulting in some solid commercial solutions.

First up, Benoit Chaffanjon explores the Sun Flash Accelerator F20 cards, which are used inside the Sun Oracle Database Machine.

Next, Adam Leventhal explores the pros and cons of mirroring or striping Logzilla devices in the Sun Storage 7000s.

Both posts are a great read and give solid examples of the ways solid state storage can be exploited for some really big performance and scalability gains.

And, on a totally unrelated note, a loathsome technology that I have long had a hate-hate affair with, NIS+, has been removed from Solaris! Ironic that NIS+ has been outlived by NIS, the technology it was designed to replace.

OpenDS 2.0 is now out Comments Off on OpenDS 2.0 is now out

OpenDS is Sun’s open source LDAP directory server. It’s lightweight, fast and – thankfully after Directory Server 5.2 in particular – it’s very easy to install and use.

Have a look through the initial announcement, download OpenDS 2.0 then grab the release notes and have a quick look through the documentation.

As always with OpenDS the install is very straightforward and painless. Once up and running the GUI makes a nice change from the slow, cluttered mess of the old Directory Server. I’d now rate OpenDS is a solid, mature offering, and I’ll be looking at replacing some of my aging DS 5.2 installs with it.

Sun OpenDS Control Panel

OpenDS qualifies for support from Sun, in it’s Sun OpenDS Standard Edition guise, so there’s no reason not to look at production deployments. For the more esoteric installs, you’ll still want Sun Directory Server (v.7 is being working on at the moment) but for a smaller or more straightforward install, OpenDS will fit the bill nicely.

Empty config file: ‘/var/ldap/ldap_client_file’ 1 comment

It’s an annoying and recurring problem – your previously configured and well behaved Solaris machine has now dropped off the network, and no-one can log in. Going in via the console shows that all LDAP lookups fail, and that’s why no-one can log in.

/var/adm/messages is filled with cheery messages like this:

ldap_cachemgr[173]: [ID 293258 daemon.error] libsldap: Status: 0 \
 Mesg: Empty config file: '/var/ldap/ldap_client_file'

You’ll also find the LDAP client SMF service has gone into maintenance mode:

bash-3.00$ svcs ldap/client
STATE          STIME    FMRI
maintenance    17:17:42 svc:/network/ldap/client:default

So what happened? The Solaris ldap_cachemgr process regularly talks to your LDAP servers, and at a pre-defined interval (usually 12 hours) it refreshes the client config. This has a number of benefits, not least of which is that you can make one change in the LDAP directory, and the have your clients all update themselves automatically.

This is great for putting a new LDAP server into play, or for doing a server migration.

The problem arises when /var, where the two LDAP configuration files are stored, is full. Unfortunately ldap_cachemgr doesn’t bother to check that it can save the new config – so it tries to replace the two existing config files, fails, and ends up writing zero byte files in their place.

Luckily the fix is a simple one – simply copy ldap_client_cred and ldap_client_file from another working server into /var/ldap, and then restart the ldap_cachemgr.

bash-3.00$ svcadm clear ldap/client
bash-3.00$ svcs ldap/client
STATE          STIME    FMRI
online         17:17:42 svc:/network/ldap/client:default

The workaround is to make sure that the /var partition never fills up. If it’s 100% full it’s bad for a number of reasons, and you need to put processes in place to trigger alerts to stop this happening.

The bug in ldap_cachemgr is being tracked with SunSolve Bug ID 6495683 – “LDAP client files & cred files are deleted when /var is full”

The ldap_cachemgr can also be queried to find out who it’s bound to – and also when it will next be refreshing the LDAP client configuration. Pass it the -g option:

bash-3.00$ /usr/lib/ldap/ldap_cachemgr -g
cachemgr configuration:
server debug level          0
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr         30
cachemgr cache data statistics:
Configuration refresh information: 
  Previous refresh time: 2009/06/03 05:17:42
  Next refresh time:     2009/06/03 17:17:42
Server information: 
  Previous refresh time: 2009/06/03 09:57:42
  Next refresh time:     2009/06/03 11:17:42
  server:, status: UP
Cache data information: 
  Maximum cache entries:          256
  Number of cache entries:          0

A Rough Guide to LDAP Comments Off on A Rough Guide to LDAP

I’ve been working on some Rough Guides – high level overviews to introduce a particular technology or tool. These are not particularly technical or indepth – instead, I want to introduce new technology topics and hopefully you’ll be interested enough to find out more (and start using them yourself).

This is the first in (what I hope will become) a series of them, and provides a high level introduction to LDAP.

Please have a read and let me know what you think in the comments section.

Edit: Quick update to the PDF, please re-download again to get the changes.

A Rough Guide to LDAP

A quick introduction to Solaris Comments Off on A quick introduction to Solaris

One last post before Christmas. Lately I’ve been seeing lots of Linux admins coming to Solaris boxes and getting confused – unable to find the right commands, unaware of the Solaris tools, generally just struggling to get to grips with an unfamiliar operating environment.

I rate Solaris very highly – it comes with some amazing tools, and is superbly tuned to the needs of the enterprise. This isn’t always aligned with the needs of developers and hackers, though – but once you get comfortable with the tools in Solaris, you’ll start to wonder how you managed without them.

I was going to type up a nice long document, but then I remembered that Ben Rockwood, over at Cuddletech, had already written An Accelerated Introduction to Solaris 10.

It’s a good read, and should help bring anyone up to speed who has a Linux background. One thing – please please take the time to read up on RBAC (linked from Ben’s post). RBAC is infinitely more powerful than sudo, and you will find RBAC+LDAP a totally invaluable skill to use within the datacentre.

Top of page / Subscribe to new Entries (RSS)