UNIX Consulting and Expertise
Golden Apple Enterprises Ltd. » Archive of 'Oct, 2008'

Modifying LDAP entries in Sun’s Directory Server

In this post I’m going to quickly show how to use the tools ldapaddent and ldapmodify to change an existing LDAP entry. Specifically this relates to Sun’s stupidly named Java Enterprise Directory Server 5.2, which I’ve been doing a lot of work with recently. However the ldapmodify command that comes with Solaris basically does the same job regardless of which LDAP server you’re talking to.

If an entry already exists in the LDAP directory, then ldapaddent will fail when trying to add the data. So we need to use another method.

The basic steps are:

  1. use ldapaddent to dump out the existing entry (BACKUPS!)
  2. construct a temporary data file with our changes
  3. use ldapmodify to load this data into LDAP and modify the entry
  4. use ldaplist to see the changes

Let’s look at changing the RBAC profiles that a user has access to.

First we can use ldaplist to check out their details:

bash-3.00$ ldaplist -l passwd tomk
dn: uid=tomk,ou=people,dc=siliconbunny,dc=org
SolarisAttrKeyValue: type=normal;profiles=JET
SolarisUserQualifier:
cn: tomk
uidNumber: 1001
gidNumber: 14
gecos: Tom Kranz
homeDirectory: /home/tomk
loginShell: /bin/ksh
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
objectClass: SolarisUserAttr
uid: tomk
shadowLastChange: 13122
shadowFlag: 0

We can see they have the JET profile – let’s add the System Administrator profile too.

We can redirect the output from ldaplist direct to a text file for direct use as a backup, as this is already in LDIF format:

bash-3.00$ ldaplist -l passwd tomk > /var/tmp/tomk.ldif

If we really got things wrong we could just delete the entry from the directory, and then use ldapaddent to add our backed-up entry and get back to where we started.

Now we need to create a change file, which will contain the data we want to modify. Again, this file will be a text file with the LDIF syntax, and it will have some specific keywords that define the type of change and the data that should be modified.

In this instance, we want to add another profile, so we create a file called tomk.ldif with the following contents:

dn: uid=tomk,ou=people,dc=siliconbunny,dc=org
changetype: modify
replace: SolarisAttrKeyValue
SolarisAttrKeyValue: type=normal;profiles=JET,System Administrator

The format of the file is straightforward. The first line contains the distinguished name (DN) of the entry to be modified. The second line shows the type of change to be made to the entry. The third line names the operation and the attribute it applies to, and the fourth line has the new data.

Note that, within this file, we could modify several attributes at once – we would just need multiple ‘replace’ and attribute lines to detail the data.

Once we have this file we can call ldapmodify to load this data into the LDAP directory, modifying the user’s details:

bash-3.00$ ldapmodify -D "cn=Directory Manager" -r -f /tmp/tomk.ldif

ldapmodify will prompt us for the Directory Manager’s password, and then carry out the changes.

We can check this by calling ldaplist again and examining the output:

bash-3.00$ ldaplist -l passwd tomk
dn: uid=tomk,ou=people,dc=siliconbunny,dc=org
SolarisAttrKeyValue: type=normal;profiles=JET,System Administrator
SolarisUserQualifier:
cn: tomk
uidNumber: 1001
gidNumber: 14
gecos: Tom Kranz
homeDirectory: /home/tomk
loginShell: /bin/ksh
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
objectClass: SolarisUserAttr
uid: tomk
shadowLastChange: 13122
shadowFlag: 0

ldapmodify will also allow us to change several attributes of an entry at once. For example, let’s look at not only adding the System Administrator RBAC profile, but also adding a title for use with an internal phone book app.

We’d build our file like this, separating the two modifications with a line containing a single hyphen:

dn: uid=tomk,ou=people,dc=siliconbunny,dc=org
changetype: modify
replace: SolarisAttrKeyValue
SolarisAttrKeyValue: type=normal;profiles=JET,System Administrator
-
add: title
title: UNIX dude

By using the fairly simple LDIF syntax in plain text files, it becomes very quick and easy to use ldapmodify from the command line to change LDAP entries in the Directory Server.
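An added example, not part of the original post: because the change file is loaded with Directory Manager rights, this Python script checks that it is one well-formed modify record (a blank line between modifications is rejected) and derives the inverse change record from the ldaplist backup. It assumes plain `attr: value` lines with no folded or base64 values; the function names and the trimmed sample data are constructed for illustration.

```python
DN = "uid=tomk,ou=people,dc=siliconbunny,dc=org"  # constructed sample data below
BACKUP = f"dn: {DN}\nSolarisAttrKeyValue: type=normal;profiles=JET\nuid: tomk\n"
CHANGE = (f"dn: {DN}\nchangetype: modify\nreplace: SolarisAttrKeyValue\n"
          "SolarisAttrKeyValue: type=normal;profiles=JET,System Administrator\n"
          "-\nadd: title\ntitle: UNIX dude\n")

def split(line):
    return tuple(p.strip() for p in line.partition(":")[::2])

def parse_modify(ldif):
    """Return (dn, [(op, attr, values)]) for one 'changetype: modify' record."""
    lines = ldif.strip().splitlines()
    if any(not l.strip() for l in lines):
        raise ValueError("blank line ends the record; use '-' between modifications")
    head = [split(l) for l in lines[:2]]
    if [k.lower() for k, _ in head] != ["dn", "changetype"] or head[1][1].lower() != "modify":
        raise ValueError("record must open with dn: and changetype: modify")
    dn, mods, cur = head[0][1], [], None
    for line in lines[2:]:
        name, value = split(line)
        if line.strip() == "-":
            cur = None  # separator: the next line must start a new modification
        elif cur is None:
            if name.lower() not in ("add", "replace", "delete"):
                raise ValueError(f"expected add/replace/delete, got {line!r}")
            mods.append(cur := (name.lower(), value, []))
        elif name.lower() != cur[1].lower():
            raise ValueError(f"{line!r} is not a value of {cur[1]!r}")
        else:
            cur[2].append(value)
    return dn, mods

def rollback(backup_ldif, change_ldif):
    """Build the modify record that puts the backed-up values back."""
    old = {}
    for name, value in map(split, backup_ldif.strip().splitlines()):
        old.setdefault(name.lower(), []).append(value)
    dn, mods = parse_modify(change_ldif)
    if old.get("dn", [""])[0].lower() != dn.lower():
        raise ValueError("backup and change file name different entries")
    undo = []
    for _op, attr, _values in mods:
        prior = old.get(attr.lower())  # None: the change created this attribute
        undo.append("\n".join([f"replace: {attr}"] + [f"{attr}: {v}" for v in prior])
                    if prior else f"delete: {attr}")
    return f"dn: {dn}\nchangetype: modify\n" + "\n-\n".join(undo) + "\n"

if __name__ == "__main__":
    print(rollback(BACKUP, CHANGE), end="")
```

Saving the rollback record next to the backup before running ldapmodify gives a one-command way back that does not involve deleting and re-adding the entry.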

Automatically Configuring ce Cards in Solaris

In 2005 I was having some issues with big F15k domains. They have a mix of 1gb/s and 100mb/s network cards, which all used the same Solaris driver family. Setting the port speeds meant editing the ce.conf file, and any typos or mistakes here either hung the kernel on boot (not good news in a big F15k domain) or just ignored the settings.

I ended up writing a script that would automatically work out what ce cards were present in the Solaris domain, and then automatically generate a ce.conf configuration file. The script grew in complexity when it became clear the F15ks and mid-frame machines (SF6500 etc.) had a radically different PCI addressing scheme.

I ended up writing and submitting a tech tip to Sun’s BigAdmin website. You can read the whole sordid story at http://www.sun.com/bigadmin/content/submitted/config_ce_cards.html

Scripts and Tools

This is a collection of scripts and tools developed by us, which are freely available for download.

All scripts and tools are copyright © G.A.E. Ltd
You may distribute under the terms of the GNU General Public License with the exception that it cannot be placed on a CD-ROM or similar media for commercial distribution without the prior approval of the author.
This code is provided with no warranty of any kind, and is used entirely at your own risk.

More tools, FAQs, and information can be found on SiliconBunny, our Silicon Graphics information site.

ods_breakage.ksh

Description: Used on hosts with Solaris Disksuite volume management. The script parses metastat output and checks the status of metadevices. Any errors are collated and a status report is emailed.
Platform: Solaris
Installation: Edit the SYSADMINS variable, changing it to an email address where you want alerts sent.
Usage: Run from cron every hour, takes no command line options
Download: ods_breakage.ksh

ce_settings.ksh

Description: Sun’s Cassini Ethernet (ce) cards are available in either 100mb or 1gb versions. The same driver is used for both. Problems arise because speed and duplex settings cannot be set from within /etc/system. Instead, a configuration file must be used. The syntax is cryptic and prone to mistakes – in the worst case, a poorly written configuration file can cause a kernel panic on bootup. This script will parse /etc/path_to_inst and generate a ce.conf configuration file, forcing 100mb ce cards to 100mb/full duplex, and letting 1gb cards auto-negotiate.
Platform: Solaris
Installation: Copy the script somewhere. Edit the PATH_TO_INST and OUTPUT variables to point to /etc/path_to_inst and where you want your ce.conf to be placed (usually somewhere like /kernel/drv/ce.conf)
Usage: Once the above variables have been set, run the script. A new ce.conf file will be generated, and the settings will take effect the next time the machine is booted.
Download: ce_settings.ksh

mem_dis.ksh

Description: During performance testing on F15k domains, it was required to remove memory from several system boards to gauge relative performance when increasing CPU count, memory, and both together. Rather than physically removing the boards, this script was developed. It uses the Sunfire’s DR to unconfigure memory from selected system boards.
The operation of the script is very simple, and can be used as the basis to automate many DR commands on Sunfire machines.
Platform: Solaris
Installation: Place the script somewhere in a Sunfire domain. Must have root privileges to run.
Usage: Run the script. It will display a listing of memory on system boards, and ask you what you want to disable. Enter the details, and the script calls cfgadm to disable that memory.
Download: mem_dis.ksh

if_check.sh

Description: Before IP MultiPathing (IPMP) came along in Solaris 8, it was difficult to have 2 ethernet interfaces connecting your host to the same LAN in a failover configuration. This script pings a highly-available source (usually your default router or switch) and calls ifconfig to down an interface and up the spare if the ping fails. Your two interfaces should be connected to separate switches for maximum availability.
Platform: Solaris, ideally pre-8
Installation: Copy the script somewhere, and run from root’s crontab every 5 or 10 minutes, depending on how much of a delay you can handle when an interface fails.
Usage: The script takes one argument, the IP address to ping.
Download: if_check.sh

clone_root_disk.ksh

Description: While IRIX comes with the XLV volume manager, the license to mirror (plex) your volumes is an expensive extra. This script allows you to clone the root disk, creating a bootable spare which is not normally mounted, allowing easy root disk recovery.
Platform: IRIX
Installation: Copy the script somewhere and run from root’s crontab. You may need to edit the disk device names to match your machine’s configuration.
Usage: Run from root’s crontab. The script takes no arguments.
Download: clone_root_disk.ksh

int_check.ksh

Description: Tired of remembering and typing in the ndd variables to check the speed and duplex settings of an ethernet port? This script automates the drudge work – just give it an interface type (hme, ce, bge) and an instance number, and it will tell you how that port is configured.
Platform: Solaris
Installation: Place the script on your host and run as root.
Usage: Run as root. It will take two command line arguments – the interface type, and the instance number.
Download: int_check.ksh

kstat_check.ksh

Description: kstat can return a lot of useful information about the state of your ethernet interfaces. However, the syntax can be confusing and difficult to remember. This script functions as a wrapper around kstat – tell it the interface type and instance number, and it will return configuration details. It’s important to note that older cards, like hme, will return less information than newer cards, like ce. This is due to driver improvements as opposed to deficiencies in kstat.
Platform: Solaris
Installation: Place the script on your host and run as root.
Usage: Run as root. It will take two command line arguments – the interface type, and the instance number.
Download: kstat_check.ksh

split.ksh

Description: This script is an example of what can be done with EMC’s Symcli tools and Symmetrix Business Continuance Volumes (BCVs). In this example, an Oracle database is running on the main Symmetrix disks. The BCVs are mounted on another host, which contains a datawarehouse. The script unmounts the BCV volumes, mirrors them to the main disks, and then splits them off again, remounting them on the host. You then have a hot copy of your live Oracle database which can be imported into your datawarehouse without any impact on the production system.
Note that there are many variables involved (volume types, hosts, Oracle database, etc.) and so this script should be taken as an example of what it is possible to do.
Platform: Solaris host with Veritas Volume Manager, connected to an EMC Symmetrix, with Symcli installed
Installation and Usage: Don’t! Read the script, understand what it does, and then use that as the basis for your own scripts, customised for your own needs.
Download: split.ksh

Redundant NICs on Solaris

In June 2001 I wrote an article for SysAdmin Magazine showing how to script NIC failover in Solaris. IPMP wasn’t introduced until the 10/00 release of Solaris 8 (or MU2 if you’re keeping score that way). At the time the environments being managed were Solaris 2.6 and Solaris 7 – the site upgrade to 8 was a long way off.

So I came up with some scripts to enable NIC failover between two ethernet interfaces on the same VLAN. The script itself was pretty basic and relied on ndd and ping – a bit belt and braces, but as the article explains, there were no other cost-free options at the time.

You can find the original article on the SysAdmin Magazine website at http://www.samag.com/documents/s=9368/sam0106j/0106j.htm

Extracting EMC Symmetrix Data with Orca

One of the problems with using big disk arrays is the difficulty in getting meaningful reporting out of them. All the vendors’ tools are closed source, and in many cases the expertise from the vendor is missing or seriously lacking when it comes to plotting performance trends.

“Just add more cache” is the same tired refrain vendors always give. No. I’m not going to recommend to clients that they spend a huge sum of money buying more SAN cache until I can prove the SAN actually needs it.

In March 2004 I wrote an article for SysAdmin Magazine showing how to use the symcli command line tools in conjunction with Orca to plot some nice historic performance graphs, showing the host’s view of performance of the Symmetrix array.

You can find the original article, complete with diagrams and code, on SysAdmin Magazine’s website at http://www.samag.com/documents/s=9364/sam0403f/0403f.htm
