Wednesday Oct 10, 2012

enable iptables firewall on linux

Here is a very basic set of instructions to set up a simple iptables firewall configuration on Linux (Red Hat).

Enable firewall

Log in as root, then enter the following command; it launches a text GUI:

#> setup

first screen: choose "Firewall configuration"
second screen: choose "Enabled", then "Customize"
third screen: select your interface under "Trusted Devices", select "Allow Incoming" for "SSH", "Telnet" and "FTP" (optionally add other ports), then press "OK" (twice), then "Quit"

At that point the firewall is enabled. You can start, stop and monitor it with service iptables start/stop/status.

Change timeout

To change the TCP established connection timeout:

#> echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

Monitor connections in the iptables conntrack table

For example, to track the connections established from host 152.68.65.207:

#> cat /proc/net/ip_conntrack | grep 152.68.65.207
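As an added example (not part of the original post), the following Python parses /proc/net/ip_conntrack lines the way the grep above does, but matches the address exactly and splits each entry into its original and reply tuples, TCP state and flags; the sample table is constructed, not captured from a real host.

```python
from typing import Dict, List, Optional

# Constructed sample in the /proc/net/ip_conntrack format of 2.6-era kernels:
# proto protonum timeout [tcp-state] original-tuple [flags] reply-tuple [flags] ...
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.1.1.5 dst=152.68.65.207 sport=51234 dport=22 packets=40 bytes=5120 src=152.68.65.207 dst=10.1.1.5 sport=22 dport=51234 packets=35 bytes=7300 [ASSURED] mark=0 use=1
tcp      6 118 TIME_WAIT src=152.68.65.207 dst=10.1.1.5 sport=40001 dport=23 packets=8 bytes=600 src=10.1.1.5 dst=152.68.65.207 sport=23 dport=40001 packets=7 bytes=900 [ASSURED] mark=0 use=1
udp      17 29 src=10.1.1.5 dst=10.1.1.1 sport=5353 dport=53 packets=1 bytes=60 src=10.1.1.1 dst=10.1.1.5 sport=53 dport=5353 packets=1 bytes=120 mark=0 use=1
tcp      6 43 SYN_SENT src=10.1.1.9 dst=198.51.100.7 sport=33000 dport=443 packets=1 bytes=60 [UNREPLIED] src=198.51.100.7 dst=10.1.1.9 sport=443 dport=33000 packets=0 bytes=0 mark=0 use=1
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_conntrack_line(line: str) -> Optional[Dict]:
    """Parse one ip_conntrack line into protocol, timeout, TCP state, flags and both tuples."""
    tokens = line.split()
    if len(tokens) < 3:
        return None
    proto, timeout = tokens[0], int(tokens[2])
    rest = tokens[3:]
    # Only TCP entries carry a state column; UDP and ICMP go straight to the tuples.
    state = rest.pop(0) if proto == "tcp" and rest else None
    entry: Dict = {"proto": proto, "timeout": timeout, "state": state,
                   "flags": [], "orig": {}, "reply": {}}
    side = "orig"
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok.strip("[]"))   # ASSURED, UNREPLIED, ...
            continue
        key, _, val = tok.partition("=")
        if key == "src" and "src" in entry["orig"]:
            side = "reply"   # the second src= starts the reply-direction tuple
        if key in TUPLE_KEYS:
            entry[side][key] = val
    return entry


def connections_for_host(table: str, host: str) -> List[Dict]:
    """Like `grep <host>` on the table, but an exact address match (grep would also
    match 152.68.65.2070) restricted to the original-direction tuple."""
    matches = []
    for line in table.splitlines():
        entry = parse_conntrack_line(line)
        if entry and host in (entry["orig"].get("src"), entry["orig"].get("dst")):
            matches.append(entry)
    return matches
```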

 

Change TCP keepalive parameters on Linux

Show the current values:

#> /sbin/sysctl net.ipv4.tcp_keepalive_time net.ipv4.tcp_keepalive_intvl net.ipv4.tcp_keepalive_probes

Then set new ones:

#> /sbin/sysctl net.ipv4.tcp_keepalive_time=60 net.ipv4.tcp_keepalive_intvl=5 net.ipv4.tcp_keepalive_probes=6

tcp_keepalive_time: idle time in seconds before sending an empty packet to keep the connection alive
tcp_keepalive_probes: number of keepalive attempts (if all of them fail, the connection is considered down)
tcp_keepalive_intvl: number of seconds between two attempts

Tuesday Oct 25, 2011

Very basic ODSEE DPS config

How to create a minimalist DPS configuration:

create DS instance

dsadm create -p 3389 -P 3636 /export/pat/dsee7.0.1/instances/ds1

dsadm start '/export/pat/dsee7.0.1/instances/ds1'

dsconf create-suffix -p 3389 o=stress.com

dsconf import -p 3389 1k.ldif o=stress.com

Create and configure DPS instance

dpadm create -p 4389 -P 4636 /export/pat/dsee7.0.1/instances/dp1

dpadm start /export/pat/dsee7.0.1/instances/dp1

dpconf create-ldap-data-source -p 4389 branstock_ds7_3389 branstock:3389

dpconf create-ldap-data-source-pool -p 4389 mypool

dpconf attach-ldap-data-source -p 4389 mypool branstock_ds7_3389

dpconf set-attached-ldap-data-source-prop -p 4389 mypool branstock_ds7_3389 bind-weight:1 search-weight:1

dpconf create-ldap-data-view -p 4389 myview mypool o=stress.com

restart DPS: dpadm restart /export/pat/dsee7.0.1/instances/dp1

Simple test 

ldapsearch -p 3389 -b "o=stress.com" "objectclass=*"  (searches DS directly)

ldapsearch -p 4389 -b "o=stress.com" "uid=*"  (searches through DPS)



Wednesday Apr 29, 2009

How to debug dpconf with netbeans

If you need to launch dpconf under the NetBeans debugger, follow this procedure:

1- Modify the dpconf C command wrapper in order to enable the JPDA debugger

  • In a 6.x or 7.x DSEE workspace, edit the file <wks>/ldap/dps/dpcfg/starter/dpcfg_starter.c and add, in the main function, the -Xdebug, -Xnoagent, -Djava.compiler=none and -Xrunjdwp lines shown below between the ldapUnsecuredOptSetProperty block and the "-classpath" argument (these added lines were highlighted in red on the original page)
...
    if (ldapUnsecuredOptSetProperty[0] != '\0') {
        spawnArgs[i++] = ldapUnsecuredOptSetProperty;
    }

    /* Lines added for debugging: make the spawned JVM listen for a JPDA
     * debugger on port 8010 and wait for it before running DpcfgMain */
    spawnArgs[i++] = "-Xdebug";
    spawnArgs[i++] = "-Xnoagent";
    spawnArgs[i++] = "-Djava.compiler=none";
    spawnArgs[i++] = "-Xrunjdwp:transport=dt_socket,server=y,address=8010,suspend=y";

    spawnArgs[i++] = "-classpath";
    spawnArgs[i++] = classPath;
    spawnArgs[i++] = "com.sun.directory.proxy.dpcfg.cli.DpcfgMain";

    /* Copy argv to spawnArgs
     *
...
  • Then compile DSEE and copy the built dpconf command into the DSEE installation you have to debug

2- Launch the dpconf command and attach NetBeans to the process

You are now ready to attach NetBeans to the dpconf command you want to debug. First create a new Java project with the corresponding sources (use <wks>/ldap/dps/dpcfg/java as the Package Folder for the sources). Set some breakpoints, then attach the debugger with "Debug->Attach Debugger..." in NetBeans (specify port 8010).


Monday Mar 09, 2009

Setting a basic ISW conf

The aim of this post is to give some clues in order to set up (install + configure) a basic ISW configuration.

ISW is part of the DSEE suite, and allows you to synchronize DS with AD.


Tuesday Dec 16, 2008

Use DSML plugin in DSEE 6.3

  • Create an instance
#dsadm create /var//tmp/pat/instances/ds1
  • Start it
#dsadm start /var//tmp/pat/instances/ds1
  • Enable dsml plugin

#dsconf set-server-prop -p 1389 dsml-enabled:on

Directory Server must be restarted for changes to take effect.

  • Configure non secure dsml port
#dsconf set-server-prop -p 1389 dsml-port:1234
Directory Server must be restarted for changes to take effect.
  • Restart the instance
#dsadm restart /var//tmp/pat/instances/ds1
  • Create a DSML request, for example request.dsml containing:

POST /dsml HTTP/1.1
Content-Length: 1038  !! this value must be the exact byte length of the XML body below (from the <?xml declaration to the closing </soap-env:Envelope>)
HOST: stratoid
SOAPAction: ""
Content-Type: text/xml
Connection: close

<?xml version='1.0' encoding='UTF-8'?>
<soap-env:Envelope
   xmlns:xsd='http://www.w3.org/2001/XMLSchema'
   xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
   xmlns:soap-env='http://schemas.xmlsoap.org/soap/envelope/'>
   <soap-env:Body>
      <batchRequest
        xmlns='urn:oasis:names:tc:DSML:2:0:core'
        requestID='Batch of search requests'>
        <searchRequest
            dn=""
            requestID="search on Root DSE"
            scope="baseObject"
            derefAliases="neverDerefAliases"
            typesOnly="false">
            <filter>
               <present name="objectClass"/>
            </filter>
            <attributes>
               <attribute name="namingContexts"/>
               <attribute name="supportedLDAPversion"/>
               <attribute name="vendorName"/>
               <attribute name="vendorVersion"/>
               <attribute name="supportedSASLMechanisms"/>
            </attributes>
        </searchRequest>
      </batchRequest>
   </soap-env:Body>
</soap-env:Envelope>

  • Then submit the request.dsml file using a tool such as netcat
#netcat <your_host_name> 1234 < request.dsml
The returned SOAP message is:

HTTP/1.1 200 OK
Cache-control: no-cache
Connection: close
Date: Tue, 16 Dec 2008 15:55:07 GMT
Accept-Ranges: none
Server: Sun-Java(tm)-System-Directory/6.3
Content-Type: text/xml; charset="utf-8"
Content-Length: 1141

<?xml version='1.0' encoding='UTF-8' ?>
<soap-env:Envelope
   xmlns:xsd='http://www.w3.org/2001/XMLSchema'
   xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
   xmlns:soap-env='http://schemas.xmlsoap.org/soap/envelope/'
   >
<soap-env:Body>
<batchResponse
   xmlns:xsd='http://www.w3.org/2001/XMLSchema'
   xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
   xmlns='urn:oasis:names:tc:DSML:2:0:core'
   requestID='Batch of search requests'
   >
   <searchResponse requestID='search on Root DSE'>
   <searchResultEntry>
      <attr name='supportedLDAPVersion'>
      <value>2</value>
      <value>3</value>
      </attr>
      <attr name='vendorName'>
      <value>Sun Microsystems, Inc.</value>
      </attr>
      <attr name='vendorVersion'>
      <value>Sun-Java(tm)-System-Directory/6.3</value>
      </attr>
      <attr name='supportedSASLMechanisms'>
      <value>EXTERNAL</value>
      <value>DIGEST-MD5</value>
      </attr>
   </searchResultEntry>
   <searchResultDone>
      <resultCode code='0' descr='success'/>
   </searchResultDone>
   </searchResponse>
</batchResponse>
</soap-env:Body>
</soap-env:Envelope>
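As an added example (not code from the original post), the following Python builds the same Root DSE batchRequest with Content-Length computed from the encoded body, so the exact-length requirement noted above is met automatically, and extracts the attribute values and result code from a batchResponse like the one just shown. The host name, request path and attribute list are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Union
from xml.sax.saxutils import escape

DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def dsml_root_dse_body(attrs: List[str]) -> bytes:
    """UTF-8 bytes of the batchRequest from the post: a baseObject search on the Root DSE."""
    attr_xml = "".join(f'        <attribute name="{escape(a)}"/>\n' for a in attrs)
    xml = (
        "<?xml version='1.0' encoding='UTF-8'?>\n"
        f"<soap-env:Envelope xmlns:soap-env='{SOAP_NS}'>\n"
        "  <soap-env:Body>\n"
        f"    <batchRequest xmlns='{DSML_NS}' requestID='Batch of search requests'>\n"
        '      <searchRequest dn="" requestID="search on Root DSE" scope="baseObject"\n'
        '          derefAliases="neverDerefAliases" typesOnly="false">\n'
        '        <filter><present name="objectClass"/></filter>\n'
        "        <attributes>\n" + attr_xml + "        </attributes>\n"
        "      </searchRequest>\n"
        "    </batchRequest>\n"
        "  </soap-env:Body>\n"
        "</soap-env:Envelope>\n"
    )
    return xml.encode("utf-8")


def http_post(host: str, body: bytes, path: str = "/dsml") -> bytes:
    """Wrap the body in the HTTP/1.1 request from the post; Content-Length is taken
    from the encoded bytes, so it stays exact even for non-ASCII attribute names."""
    headers = (f"POST {path} HTTP/1.1\r\nContent-Length: {len(body)}\r\nHost: {host}\r\n"
               'SOAPAction: ""\r\nContent-Type: text/xml\r\nConnection: close\r\n\r\n')
    return headers.encode("ascii") + body


def parse_batch_response(xml_data: Union[str, bytes]) -> Dict[str, object]:
    """Pull the LDAP result code and the attribute values out of a DSML batchResponse."""
    root = ET.fromstring(xml_data)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iter(f"{{{DSML_NS}}}attr"):
        attrs[attr.get("name")] = [v.text or "" for v in attr.findall(f"{{{DSML_NS}}}value")]
    rc = root.find(f".//{{{DSML_NS}}}resultCode")
    return {"code": int(rc.get("code")) if rc is not None else None, "attrs": attrs}
```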

Friday Oct 10, 2008

About activating Debug logs in DSEE

Enable dxadm commands debug information

Traces can be enabled in the administrative commands through environment variables:

DPS uses:
DDX_DEBUG_AREA
DDX_DEBUG_LEVEL
(possible values are described in the file <ws>/ldap/dps/dpx/ddx.h)

DS uses:
SLAPX_DEBUG_AREA
SLAPX_DEBUG_LEVEL
(possible values are described in the file <ws>/ldap/ds/slapx/slapx.h)


Note: these traces are not documented!

e.g. DDX_DEBUG_AREA=-1 (meaning DEBUG_AREA_ANY)

The additional setting SPAWNER_DEBUG=1 will dump the input data and result code of the spawner lib.

Enable DPS Debug traces

Enable DS Debug traces

  • stop DS instance
  • Edit <instance_path>/config/dse.ldif and add the following lines

nsslapd-errorlog: /export/isw_patch/instances/isw_data/logs/errors
nsslapd-errorlog-logging-enabled: on
nsslapd-infolog-area: value
nsslapd-errorlog-maxlogsperdir: 2
nsslapd-errorlog-maxlogsize: 100

  • start DS instance
Each component is identified by an area, whose value is the decimal translation of the hex value. Log areas are additive: for example, to enable logging of search filter processing (32) and config file processing (64), set this attribute to value=96 (32+64). The valid values are:
0: Default logging area, used for critical errors and other messages that are always written to the error log, for example server startup messages. Messages at this level are always included in the error log regardless of the nsslapd-infolog-level setting.
1: Trace function calls. Logs a message when the server enters and exits a function.
4: Search arguments processing.
8: Connection management.
16: Print out packets sent/received.
32: Search filter processing.
64: Config file processing.
128: Access control list processing.
512: LDBM processing.
2048: LDIF entry parsing debugging.
4096: Housekeeping thread debugging.
8192: Replication debugging.
32768: Database cache debugging.
65536: Server plug-in debugging. An entry is written to the log file when a server plug-in calls slapi_log_info_ex().
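Added example, not from the original post: a small Python helper that turns an nsslapd-infolog-area value into the area names from the list above and back, and flags any set bit the list does not contain (a typo such as 98 instead of 96 would otherwise pass silently). The dse.ldif reader and its acceptance of a hex form are my own additions.

```python
from typing import Dict, List, Tuple

# Log areas exactly as listed in the post (0 is the always-on default area and
# has no bit). Bits 2, 256, 1024 and 16384 are absent from that list.
INFOLOG_AREAS: Dict[int, str] = {
    1: "trace function calls", 4: "search arguments processing", 8: "connection management",
    16: "print out packets sent/received", 32: "search filter processing",
    64: "config file processing", 128: "access control list processing", 512: "LDBM processing",
    2048: "LDIF entry parsing", 4096: "housekeeping thread", 8192: "replication",
    32768: "database cache", 65536: "server plug-in",
}


def decode_infolog_area(value: int) -> Tuple[List[str], int]:
    """Split an nsslapd-infolog-area value into the named areas it enables and a
    mask of any set bits the post does not list."""
    if value < 0:
        raise ValueError("nsslapd-infolog-area must be a non-negative integer")
    names, unknown = [], 0
    for bit in range(value.bit_length()):
        mask = 1 << bit
        if value & mask:
            if mask in INFOLOG_AREAS:
                names.append(INFOLOG_AREAS[mask])
            else:
                unknown |= mask
    return names, unknown


def encode_infolog_area(*areas: str) -> int:
    """Build the additive value from area names, e.g. search filter processing
    plus config file processing gives 96, the post's 32+64 example."""
    by_name = {name: mask for mask, name in INFOLOG_AREAS.items()}
    value = 0
    for area in areas:
        if area not in by_name:
            raise KeyError(f"unknown log area: {area}")
        value |= by_name[area]
    return value


def infolog_area_from_dse(dse_ldif: str) -> int:
    """Read nsslapd-infolog-area from dse.ldif text (decimal as in the post, or a
    hex form such as 0x60 as a convenience); 0 when the attribute is absent."""
    for line in dse_ldif.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "nsslapd-infolog-area":
            return int(val.strip(), 0)
    return 0
```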

Enable DSCC Debug traces

to be done

Wednesday Feb 13, 2008

launch DPS 6.x under a debug session

In order to start DPS 6.x under a debug session you first have to modify the arguments passed to the JVM

dpadm set-flags <your/dps/instance/path> jvm-args="-Xmx250M -Xms250M -Xdebug -Xnoagent \
-Djava.compiler=none -Xrunjdwp:transport=dt_socket,server=y,suspend=n"

then start DPS and note the dt_socket address it is listening on:

dpadm start <your/dps/instance/path>
Listening for transport dt_socket at address: 64870
Directory Proxy Server instance <your/dps/instance/path> started: pid=5900

You can now attach a jdb session to the process:

jdb -attach 64870 
Set uncaught java.lang.Throwable
Set deferred uncaught java.lang.Throwable
Initializing jdb ...
>

Then you are ready to use jdb, for example:

> stop at com.sun.directory.proxy.server.JdbcDataView:2372
Set breakpoint com.sun.directory.proxy.server.JdbcDataView:2372
>
... 

Note: you can also attach to the process from an IDE.

About

Patrice Duc-Jacquet
