Learn From Errors: Is Your Cloud About To Burst?

<script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-12162483-1"); pageTracker._trackPageview(); } catch(err) {}</script>

Rationale

A number of customers I talk have a hugely diverse ecosystem of application relying on the LDAP infrastructure for authentication, single sign-on and also user-specific configuration storage. Very few have a strictly controlled environment with a reduced set of well-known clients.

One cause of trouble I have seen many times over sparks from client applications not being robust and poorly handle the protocol. There is an easy way to grow confidence in your infrastructure and ecosystem at the same time: after setting up the prototype and before you go in production, during the QA stage, try to spend some time intentionally injecting errors in your traffic. You'll immediately see if  clients start blowing up left and right!

Bird's Eye View

To cut to the chase, this plug-in sits on DS as a pre operation search. You can "create" any entry simply by adding a configuration parameter to the plug-in. For example, if you want to have DS return "no such entry" (Error 32) for cn=nosuch,dc=example,dc=com, like shown below :

all you would have to do (once the plug-in is properly set up) is:

dsconf set-plugin-prop arbitrary-response argument+:cn=nosuch,dc=example,dc=com#32#0

The Meat

I honestly have no idea why I have not shared this small tool earlier. I wrote this plug-in years ago for Directory Server 5.2 and later on recompiled it against DS 6.x on OpenSolaris. Currently it is built for Solaris 9/10/OpenSolaris x86/x64. If you want it on another platform, let me know and I'll spin it for you.

To install this plugin, simply unzip the file and then follow the instructions in the bundled README file. The sequence of commands will work for DS 6.x.

In its current version (1.1b) the plug-in can inject errors as well as delays into an arbitrary response. This means that you can easily test how connection idle timeouts are managed by your client applications connection pooling mechanism, if any.

Injecting delay is done through the third parameter of the plug-in. For example, to return a valid response with error code 0 after 15 seconds, you would have to add the following argument to the plug-in:

dsconf set-plugin-prop arbitrary-response argument+:cn=ok,dc=example,dc=com#0#15

Useful things not in this version

  1. I will probably add a 4th parameter which will represent the probability that the error is returned, otherwise, just pass on the request to DS core

  2. Ability to interpret regular expressions in the base DN part of the plug-in argument

That's it for today!

Comments:

Arnaud,

Thanks for the great work again :)
i believe this will be very useful for our next deployment.
i remember i had to restart the server every time i changed a param; is this still required in the 6.x version of the plugin?

Thanks again and keep up the great work :)

Posted by Pierre Charbel on September 04, 2009 at 11:22 AM MDT #

Post a Comment:
  • HTML Syntax: NOT allowed
About

Directory Services Tutorials, Utilities, Tips and Tricks

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today