Friday Apr 24, 2009

Finally I have my D90

The other day my wife gifted me a brand new Nikon D90 with the 18-105 kit lens. It feels so good to hold it (especially during this time of recession). I bought a 16GB SDHC class 6 card from Amazon for 35 bucks. The duo makes a deadly combo, so if you are keen on buying this and holding off for some reason, just grab it. I inaugurated it with my son's pic.


 

Wednesday Jan 28, 2009

Finding information about svn branches in openDS

This is a general tip about svn. Lately, a number of svn branches have been created for OpenDS development. Here is what you would do to get a general idea of how the OpenDS repository is organized:


sin > svn ls https://opends.dev.java.net/svn/opends
README
branches/
tags/
trunk/


sin > svn ls https://opends.dev.java.net/svn/opends/tags
README
build15/

sin > svn ls https://opends.dev.java.net/svn/opends/branches
README
b1.0.1/
b1.2/
core-refactoring/
data-provider-refactoring/
r1.0/
replication-service/


If you are interested in any particular branch, you can check it out. For example:


sin > svn checkout --username sin https://opends.dev.java.net/svn/opends/branches/data-provider-refactoring  opends
A    opends/opends



Tuesday Jan 27, 2009

Internationalized Searches in OpenDS

Those who are interested in running internationalized searches (collation rules) against OpenDS may want to note that this feature is now available in the trunk. For those who are unaware of what I am talking about, I will explain what a collation rule is and how it works with OpenDS. For more information, kindly look at: https://www.opends.org/wiki/page/I18NCollationRules.


What is a Collation rule:

A collation rule is a kind of matching rule that allows equality, substring and other order-based searches. Each collation rule is based on a Locale. By a simple calculation, the number of collation rules = number of supported locales * 6 (equality, substring, less than, less than or equal to, greater than, greater than or equal to).


Note that the supported locales vary from one JVM implementation to another. If you look at config.ldif, you will notice that some of the locales have been commented out:



dn: cn=Collation Matching Rule,cn=Matching Rules,cn=config
objectClass: top
objectClass: ds-cfg-matching-rule
objectClass: ds-cfg-collation-matching-rule
cn: Collation Matching Rule
ds-cfg-java-class: org.opends.server.schema.CollationMatchingRuleFactory
ds-cfg-enabled: true
ds-cfg-matching-rule-type: equality
ds-cfg-matching-rule-type: less-than
ds-cfg-matching-rule-type: less-than-or-equal-to
ds-cfg-matching-rule-type: greater-than
ds-cfg-matching-rule-type: greater-than-or-equal-to
ds-cfg-matching-rule-type: substring
#ds-cfg-collation: af:1.3.6.1.4.1.42.2.27.9.4.1.1
#ds-cfg-collation: am:1.3.6.1.4.1.42.2.27.9.4.2.1
ds-cfg-collation: ar:1.3.6.1.4.1.42.2.27.9.4.3.1
ds-cfg-collation: ar-AE:1.3.6.1.4.1.42.2.27.9.4.4.1

For example, the Locale "af" is not supported by the Sun JVM. The above configuration shows that the collation matching rules are enabled and all 6 types of rules are requested by the administrator.

How does it work?

OpenDS uses the Java Collator API to support this functionality. See an example below:

import java.text.Collator;
import java.util.Locale;

//Creates a Collator for the specified Locale.
private Collator createCollator(Locale locale)
{
    Collator collator = Collator.getInstance(locale);
    //PRIMARY strength: only base characters are significant, so case and
    //accent differences do not affect a comparison.
    collator.setStrength(Collator.PRIMARY);
    //FULL_DECOMPOSITION: canonical and compatibility variants are decomposed
    //before comparison, so precomposed and decomposed forms compare equal.
    collator.setDecomposition(Collator.FULL_DECOMPOSITION);
    return collator;
}

A Collator object is obtained per Locale and it is used in the PRIMARY and FULL_DECOMPOSITION mode.

Usage and Examples

As described above, an international search filter may contain a Locale OID (ex. 1.3.6.1.4.1.42.2.27.9.4.34.1), a Locale name (en or en-US) or an exact matching rule type with suffix (ex. 1.3.6.1.4.1.42.2.27.9.4.34.1.3 or en.eq). Note that a Locale name or Locale OID without any suffix is treated as an equality type. For example, a filter such as "cn:en-US:=sanchez" will use an equality matching rule type.



Some examples below demonstrate how to use this feature.


Equality Search

The following search uses a filter with the en (en-US) Locale OID to perform an equality search:

ldapsearch -D "cn=directory manager" -w password -b "o=test" "cn:1.3.6.1.4.1.42.2.27.9.4.34.1:=sanchez"

The above search should return the entry which has a cn value of Sánchez.

Alternatively, you can use the following filters:

  • "cn:en:=sanchez"
  • "cn:en.3:=sanchez"
  • "cn:en.eq:=sanchez"
  • "cn:1.3.6.1.4.1.42.2.27.9.4.34.1.3:=sanchez"



Less Than Search

The following search uses a filter with the es (es-ES) Locale and performs a Less-than search:

ldapsearch -D "cn=directory manager" -w password -b "o=test" "departmentnumber:1.3.6.1.4.1.42.2.27.9.4.49.1.1:=abc120"

The above search should return the entry which has a departmentnumber value of Ábc119.

Alternatively, you can use the following filters:

  • "departmentnumber:es.1:=abc120"
  • "departmentnumber:es.lt:=abc120"



Less Than or Equal To Search

The following search uses a filter with the es (es-ES) Locale and performs a Less-than-or-equal-to search:

ldapsearch -D "cn=directory manager" -w password -b "o=test" "departmentnumber:1.3.6.1.4.1.42.2.27.9.4.49.1.2:=abc119"

The above search should return the entry which has a departmentnumber value of Ábc119.

Alternatively, you can use the following filters:

  • "departmentnumber:es.2:=abc119"
  • "departmentnumber:es.lte:=abc119"



Greater Than or Equal To Search

The following search uses a filter with the fr (fr-FR) Locale and performs a Greater-than-or-equal-to search:

ldapsearch -D "cn=directory manager" -w password -b "o=test" "departmentnumber:fr.4:=abc119"

The above search should return an entry which has a departmentnumber value of Ábc119.

Alternatively, you can use the following filters:

  • "departmentnumber:1.3.6.1.4.1.42.2.27.9.4.76.1.4:=abc119"
  • "departmentnumber:fr.gte:=abc119"



Greater Than Search

The following search uses a filter with the fr (fr-FR) Locale and performs a Greater-than search:

ldapsearch -D "cn=directory manager" -w password -b "o=test" "departmentnumber:fr.5:=abc119"

The above search should not return an entry which has a departmentnumber value of Ábc119.

Alternatively, you can use the following filters:

  • "departmentnumber:1.3.6.1.4.1.42.2.27.9.4.76.1.5:=abc119"
  • "departmentnumber:fr.gt:=abc119"



Substring Search

The following search uses a filter with the en (en-US) Locale and performs a substring search:

ldapsearch -D "cn=directory manager" -w password -b "o=test" "sn:en.6:=*u*bec"

The above search should return an entry which has an sn value of Québec.

Alternatively, you can use the following filters:

  • "sn:1.3.6.1.4.1.42.2.27.9.4.34.1.6:=*u*bec"
  • "sn:en.sub:=*u*bec"



I will provide more information about the indexing in the next post.
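To make the filter forms above concrete, here is an added Python example (my own code, not OpenDS's) that parses the extensible-match filters shown in this post into attribute, locale, rule type and assertion value, then runs them over a few constructed entries. Its primary_key() is an approximation of the Java Collator's PRIMARY strength with FULL_DECOMPOSITION (accents and case ignored, plain code-point order otherwise); it does not model locale-specific ordering, and its locale table holds only the en, es and fr OIDs quoted in this post.

```python
import re
import unicodedata

# Rule-type suffixes as documented in the post, in numeric and symbolic form.
RULE_TYPES = {"1": "lt", "2": "lte", "3": "eq", "4": "gte", "5": "gt", "6": "sub",
              "lt": "lt", "lte": "lte", "eq": "eq", "gte": "gte", "gt": "gt", "sub": "sub"}
# Locale name -> collation OID, limited to the three OIDs this post uses.
LOCALE_OIDS = {"en": "1.3.6.1.4.1.42.2.27.9.4.34.1",
               "es": "1.3.6.1.4.1.42.2.27.9.4.49.1",
               "fr": "1.3.6.1.4.1.42.2.27.9.4.76.1"}
OID_LOCALES = {oid: name for name, oid in LOCALE_OIDS.items()}
# attr:rule:=value, the extensible-match form used throughout the post
FILTER_RE = re.compile(r"^(?P<attr>[A-Za-z][\w-]*):(?P<rule>[\w.-]+):=(?P<value>.*)$")


def parse_filter(flt):
    """Split 'attr:rule:=value' into (attr, locale, rule_type, assertion value)."""
    m = FILTER_RE.match(flt.strip().strip('"'))
    if not m:
        raise ValueError("not an extensible match filter: %r" % flt)
    attr, rule, value = m.group("attr"), m.group("rule"), m.group("value")
    if rule[0].isdigit():
        # OID form: a bare locale OID means equality, otherwise the last arc is the type.
        if rule in OID_LOCALES:
            return attr, OID_LOCALES[rule], "eq", value
        base, _, suffix = rule.rpartition(".")
        if base in OID_LOCALES and suffix in RULE_TYPES:
            return attr, OID_LOCALES[base], RULE_TYPES[suffix], value
        raise ValueError("unknown collation rule OID: " + rule)
    # Name form: 'en', 'en-US', 'en.3' or 'es.lt'; no suffix again means equality.
    locale, _, suffix = rule.partition(".")
    if suffix and suffix not in RULE_TYPES:
        raise ValueError("unknown rule type suffix: " + suffix)
    return attr, locale, RULE_TYPES[suffix] if suffix else "eq", value


def primary_key(s):
    """Approximate Collator.PRIMARY + FULL_DECOMPOSITION: decompose, drop accents, fold case."""
    decomposed = unicodedata.normalize("NFKD", s)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def matches(rule_type, attr_value, assertion):
    """Evaluate one rule type on collation keys; '*' in a substring assertion matches any run."""
    a, b = primary_key(attr_value), primary_key(assertion)
    if rule_type == "sub":
        pattern = ".*".join(re.escape(piece) for piece in b.split("*"))
        return re.fullmatch(pattern, a, re.DOTALL) is not None
    return {"eq": a == b, "lt": a < b, "lte": a <= b, "gte": a >= b, "gt": a > b}[rule_type]


# Constructed sample entries (not from the post) carrying the accented values it searches for.
ENTRIES = [
    {"cn": "Sánchez", "sn": "Québec", "departmentnumber": "Ábc119"},
    {"cn": "Sanchez", "sn": "Quebec", "departmentnumber": "abc121"},
    {"cn": "Müller", "sn": "Munich", "departmentnumber": "abc100"},
]


def search(entries, flt):
    """Return the entries satisfying the filter; attribute names are matched case-insensitively."""
    attr, _locale, rule_type, value = parse_filter(flt)
    attr = attr.lower()
    return [e for e in entries if attr in e and matches(rule_type, e[attr], value)]
```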

Monday Nov 03, 2008

Idsync DS plugin doesn't start on x86

If you see the following message in your DS logs while starting it:


[03/Nov/2008:10:00:00 +0200] - WARNING<38781> - isw - conn=-1 op=-1 msgId=-1 - Plugins BasicSaintRPC.cpp:341(logCode=0, connectionID=0) BasicSaintRPC::run() exiting because 'XML parse error. Expected a single root element to remain on the parse stack.' (7001)


You are hitting bug# 6600668. This has been fixed in the DSEE builds starting with DSEE 6.3. The fix is to copy the psw-plugin.so from the DSEE 6.3 build and replace the one in your workspace.

Tuesday Apr 22, 2008

DSEE 6.3 is out for download

It is old news by now. For Identity Synchronization for Windows users, it contains the fix for CR 6600668. Note that you are hitting this if you are using Solaris on 64-bit Intel or AMD. If you happen to see the following log messages in your DS error logs, you should move to DSEE 6.3:


 WARNING<38781> - isw - conn=-1 op=-1 msgId=-1 - Plugins BasicSaintRPC.cpp:341(logCode=0, connectionID=0)
BasicSaintRPC::run() exiting because 'XML parse error.  Expected a single root element to remain on the parse stack.' (7001)
WARNING<38781> - isw - conn=-1 op=-1 msgId=-1 - Plugins BasicSaintRPC.cpp:341(logCode=0, connectionID=0)
BasicSaintRPC::run() exiting because 'XML parse error.  Expected a single root element to remain on the parse stack.' (7001)

Using a FileChannel to force a single process per application

If you haven't played with FileChannel in the NIO package, you might want to read about it as a way to enforce a single instance of a running process. Using a FileChannel you can obtain an exclusive lock on a file. Once the process that should be a singleton obtains the lock, it can record that fact in a shared (read: static) resource and stop anyone from running another instance of the process.


{code}
import java.io.File;
import java.io.RandomAccessFile;
import java.nio.channels.FileChannel;
import java.nio.channels.FileLock;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.locks.ReentrantLock;

public class LockManager {

    //A map between the file names and the locks held on them.
    private static Map<String,FileLock> exclusiveLock = new HashMap<String,FileLock>();

    //Lock to protect thread-safe access to the map.
    private static ReentrantLock lock = new ReentrantLock();

    /*
     * Acquires an exclusive lock on the specified file.
     * Returns false if this JVM already holds it or another process does.
     */
    public static boolean acquireExclusiveLock(String fileName)
    {
        lock.lock();
        RandomAccessFile raf = null;
        FileChannel channel = null;
        try
        {
            if(exclusiveLock.containsKey(fileName))
            {
                return false;
            }
            //No lock found. Create the lock file if it does not exist yet.
            File f = new File(fileName);
            if(!f.exists())
            {
                f.createNewFile();
            }

            //Open the file and get the channel.
            raf = new RandomAccessFile(fileName, "rw");
            channel = raf.getChannel();

            //Try to obtain an exclusive lock over the FileChannel.
            //tryLock() returns null if another process holds the lock and throws
            //OverlappingFileLockException if this JVM already holds it.
            FileLock fileLock = channel.tryLock();
            if(fileLock == null)
            {
                //Couldn't get the lock. Throw the exception to get the resource freed.
                throw new Exception("lock held by another process: " + fileName);
            }
            //Put it in the Map. The channel stays open for as long as the lock is held.
            exclusiveLock.put(fileName, fileLock);
        }
        catch(Exception e) // Bad to catch all but okay to keep this code short.
        {
            try
            {
                if(channel != null)
                {
                    channel.close();
                }
                if(raf != null)
                {
                    raf.close();
                }
            }
            catch(Exception e1)
            {
                e1.printStackTrace();
            }
            e.printStackTrace();
            return false;
        }
        finally
        {
            lock.unlock();
        }
        return true;
    }

    /*
     * Releases the lock and closes the underlying channel.
     */
    public static boolean releaseLock(String lockFile)
    {
        lock.lock();
        try
        {
            FileLock fileLock = exclusiveLock.remove(lockFile);
            if(fileLock != null)
            {
                fileLock.release();
                //Closing the channel also closes the RandomAccessFile it came from.
                fileLock.channel().close();
            }
        }
        catch(Exception e)
        {
            e.printStackTrace();
            return false;
        }
        finally
        {
            lock.unlock();
        }
        return true;
    }
}
{code}

In the process which should have only one instance:

{code}
import java.io.File;

public class myserver {

    //use a singleton instance
    public static myserver server = new myserver();

    private static boolean serverLocked = false;

    private String fileName;

    public void start() throws Exception
    {
        //Get the lock file name, say it's "abc" in the working directory.
        fileName = System.getProperty("user.dir") + File.separator + "abc";

        //If not locked, lock it and move forward.
        if(!LockManager.acquireExclusiveLock(fileName))
        {
            //No point in going further: another instance already holds the lock.
            throw new Exception("another instance is already running");
        }
        serverLocked = true;
    }

    public void shutdown()
    {
        //Release the lock.
        if(fileName != null && serverLocked)
        {
            LockManager.releaseLock(fileName);
            serverLocked = false;
        }
        // ....
    }
}
{code}


This technique can be used in any application that shouldn't have more than one instance running, for whatever reason.

Wednesday Feb 27, 2008

o=NetscapeRoot and Identity Synchronization for windows

I have noticed that the most common question on the forum is related to the following message:

 "The selected Directory Server is not a configuration directory server. You must select a directory server that has "o=netscaperoot". Please note that merely adding the"o=netscaperoot" entry will not suffice."

The above message may show up when you are trying to install ISW (Identity Synchronization for Windows) 1.1sp1 or 1.1 with DS 6.x. As you are aware, DS 6.x uses the new console and hence it doesn't have any o=Netscaperoot for admin server installation.

You are supposed to use ISW 6.x for DS 6.x compatibility. The ISW 6.x build ships the Administration Server. During the core installation, the ISW installer detects whether there is a local administration server for the selected Directory Server (as the configuration registry). If a suitable local administration server (JES 4 or later) is found, the ISW core installation proceeds without installing the Administration Server. If no administration server is found, the core installer installs the Administration Server before installing the core. Since it's a package installation of the Administration Server, it's advisable to clean the machine of any conflicting packages.

Couple of questions answered below:

How does ISW install Administration Server?

Installing a local Administration Server for DS 6.x requires creation of o=NetscapeRoot DIT. For this, ISW uses a template ldif to build up the ldif file with the proper values gathered from the user. This information includes the user "uid=admin" and the port number for the administration server. Firstly, the o=NetscapeRoot DIT is created on a DS 6.x instance, and then the other necessary information under the DIT are uploaded before actually calling the Administration Server installer. Please note that, Administration Server installation is done by Admin Server installer only. ISW merely invokes the installer at the right moment.

What do I do if the administration Server installation fails? Do I need to run the ISW core installer again and go through the pain?

Not really. If the Administration Server installation fails (which might happen if the machine is not clean), the Administration Server can be installed from the ISW installer bundle. Read the installation guide for the installer layout. Please remember that you cannot install the Administration Server directly on a DS 6.0 instance without going through the ISW 6.0 installer. The reason is that the ISW installer is responsible for creating the o=NetscapeRoot DIT, without which you can't install the Administration Server.

Monday Jan 14, 2008

Unable to retrieve a backend BIND/MODIFY/SEARCH connection

 


If you are working with Sun Java System Directory Proxy Server (aka DPS) 6.0+ and noticing the following error, you might be interested in this article:

/app/dps/slapd-dps/logs $ ldapsearch -D "uid=ldapadmin,ou=admins,dc=abc,dc=com" -w password -b "dc=abc,dc=com" -p 389 uid=user1 dn
ldap_simple_bind: Operations error
ldap_simple_bind: additional info: Unable to retrieve a backend BIND connectioN

For some of you, the message may be related to a different operation type such as ADD or SEARCH. However, the reason stays the same: as the message says, there is no connection available in the pool to serve the request. If you have the default DPS settings, you would very likely see it when your DPS instance is stressed. By default, the MAX number of connections in a pool is set to 1024, and it should generally suffice for a normal DPS instance. I see this when I stress my DPS instance with SLAMD. Typically, a stress test uses all the available connections, forcing new clients to wait for a connection to become free.

Internally, a worker thread waits for the time specified in connectionPoolTimeoutInMillisec before declaring that there is no connection available. The attribute connectionPoolTimeoutInMillisec resides under cn=config and its default value is 3000.

If this troubles you frequently, it means that the number of connections in your pool isn't sufficient. Either set the MAX to a higher value (the default is 1024), or increase the timeout to a higher value (or 0 for an infinite wait).

Friday Dec 07, 2007

"Error handling error: 122, Dacl is NULL:"

If you happen to see this error message ("Error handling error: 122, Dacl is NULL:") while installing DSEE, most likely it is caused by the FAT32 partition.

I noticed this while installing DSEE on my XP laptop. It failed while configuring Cacao. Moving to an NTFS partition solved the issue.

Friday Sep 28, 2007

My worst flight ever on Air France/Air India

I would surely like to forget this. My Paris trip started with getting stranded at the Gare de Lyon railway station for nearly 2 hours while waiting for a taxi. A gentleman came forward and helped us get a taxi. Later I realized that he was the taxi agent and it was his own taxi, which cost me a fortune. Alas!! As if that were not enough, I reached the airport and the Air India flight (operated by Air France... dunno what that means) attendant told me that it would cost me 1200 euros if I checked in my 4 pieces of luggage (I was traveling with my wife). I told them that I was traveling from the USA and had taken a break in Paris for tourism. However, they didn't budge. I had to throw away the stuff from my suitcases. Since it is not allowed to throw away the suitcases, I gave my suitcase to the guy at the counter. Unfortunately, I had to throw away the scrapbooks and the other toys I was bringing for a new-born relative. I had to shell out 500 euros for the rest of my stuff.

If you ever read this, just make sure that you don't end up paying for a third passenger like I did. I can at least stop traveling on these flights for some consolation.





Powered by ScribeFire.

Saturday Aug 18, 2007

Workaround for Creative Vision M drivers on XP

I had a hard time finding out why it was failing to recognize the portable device. I found a link on the website explaining that the MTP device needs some Windows libraries to be detected. Follow these steps to get your Vision M recognized by XP:

Download an installation of Windows Media Player 11
Don't install it, just unpack it using WinRAR
Start the file umdf.exe
Go to Device Manager and remove your player
Connect it once again and all should be fine



Friday Jun 08, 2007

Adding new service in inetd.conf in Solaris 10

I was trying to add a service to inetd.conf and found that a "kill -HUP `pgrep inetd`" doesn't get the service into effect.

As per the solaris 10 docs, "In Solaris 10, services are no longer managed by editing the inetd configuration file, inetd.conf. Instead, you use inetconv to convert the configuration file content into SMF format services, then manage these services using inetadm and svcadm. Once a service has been converted by inetconv, any changes to the legacy data in the inetd config file will not become effective. However, inetd does alert the administrator when it notices change in the configuration file."

So the necessary steps are:

1. Modify /etc/inetd.conf and add your service correctly (use a tab rather than spaces).
2. Modify /etc/services and provide a port number for your service.
3. Run:
inetconv -i/etc/inet/inetd.conf

It does the trick and I get this output:

inetconv: Notice: Service manifest for 100235/1 already generated as /var/svc/manifest/network/rpc/100235_1-rpc_ticotsord.xml, skipped
mkh -> /var/svc/manifest/network/mk-tcp.xml
Importing mk-tcp.xml ...Done

Now you are all set. You can check this by using "telnet server port_number".





Tuesday Jun 05, 2007

Designing Account Lockout synchronization in Directory Server 5.2

Account Lockout Policy at Sun Java System Directory Server 5.2 has 3 main attributes:

accountUnlocktime ( local attribute against user entry)
passwordretrycount ( local attribute against user entry)


The attribute passwordretrycount reflects the number of invalid attempts for a particular user. You can directly synchronize the similar attribute from another directory source to passwordretrycount. However, it is not the recommended way. The same is true of accountUnlocktime. This attribute shows the time at which the user is going to be unlocked. If you want to synchronize the account lockout from Directory Server 5.2 to any other directory source, you can send an event to the other end with the value of accountUnlocktime. Just before committing the changes at the other end you might want to check whether accountUnlockTime>current_time to verify that it has not expired. There is a special flag for accountlockouttime of 1970...Z meaning that the user is locked forever. If you want to synchronize account lockout into Directory Server 5.2, you can perform the invalid bind attempts to get the user locked. For unlocking, you can delete accountUnlocktime. Note that the lockout-forever case needs special treatment.



Designing Account Lockout synchronization in Active Directory

Account Lockout Policy at AD has 3 main attributes:

badpwdcount ( local attribute against user entry)
lockouttime ( local attribute against user entry)
lockoutduration ( global attribute)

The attribute badpwdcount reflects the number of invalid attempts for a particular user. You can't directly synchronize the similar attribute from another directory source to badpwdcount, because this attribute is an operational attribute controlled by Active Directory. The same is true of lockouttime. This attribute shows the time at which the user got locked. If you want to synchronize the account lockout from Active Directory to any other directory source, you can add the lockoutduration to lockouttime and send an event to the other end. Just before committing the changes at the other end you might want to check whether (lockouttime+lockoutduration)>current_time to verify that it has not expired. A value of "0" for lockoutduration means that the user is locked forever. If you want to synchronize account lockout into Active Directory, you can perform the invalid bind attempts to get the user locked. For unlocking, just set lockouttime=0. Note that the lockout-forever case needs special treatment.
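As an added example (my own code, not from these posts or from any synchronization product), the following Python implements the expiry checks described in this post and in the Directory Server 5.2 post above: it classifies a DS 5.2 entry by accountUnlockTime, classifies an AD entry by lockoutTime + lockoutDuration, and turns an AD lockout change into the DS 5.2 modification to apply, flagging the locked-forever cases for the special treatment both posts call for. It assumes the AD values have already been converted to seconds (lockoutTime as Unix epoch seconds, lockoutDuration as a length), and it detects the 1970 sentinel by year because the post only gives it as 1970...Z.

```python
from datetime import datetime, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"   # LDAP GeneralizedTime in UTC, e.g. 20080605120000Z
# DS 5.2 flags "locked forever" with an accountUnlockTime in 1970 (the post writes it as
# 1970...Z), so the check below keys on the year rather than on one exact timestamp.
DS_FOREVER_YEAR = "1970"


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime string into a timezone-aware UTC datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def ds52_lockout_state(entry, now):
    """Classify a DS 5.2 user entry (dict of attribute -> string) as
    'unlocked', 'locked' or 'locked-forever' from its accountUnlockTime."""
    unlock_time = entry.get("accountUnlockTime")
    if unlock_time is None:
        return "unlocked"
    if unlock_time.startswith(DS_FOREVER_YEAR):
        return "locked-forever"
    return "locked" if parse_generalized_time(unlock_time) > now else "unlocked"


def ad_lockout_state(entry, lockout_duration, now):
    """Classify an AD user entry with the post's rule: the lock has expired once
    lockoutTime + lockoutDuration is in the past.

    Assumption (mine, not the post's): lockoutTime is given as Unix epoch seconds and
    lockoutDuration as seconds, i.e. already converted from AD's native representation.
    lockoutTime == 0 means not locked; lockoutDuration == 0 means locked forever (per the post).
    """
    lockout_time = int(entry.get("lockoutTime", 0))
    if lockout_time == 0:
        return "unlocked"
    if lockout_duration == 0:
        return "locked-forever"
    unlock_at = datetime.fromtimestamp(lockout_time + lockout_duration, timezone.utc)
    return "locked" if unlock_at > now else "unlocked"


def ad_to_ds52_change(entry, lockout_duration, now):
    """Decide what to write on the DS 5.2 side for an AD lockout change.

    Returns (operation, attribute, value): 'replace' accountUnlockTime with the computed
    unlock time, 'delete' it for an explicit unlock (lockoutTime=0), 'special' for the
    locked-forever case the posts say needs separate handling, or None when the AD lockout
    has already expired and there is nothing to propagate.
    """
    state = ad_lockout_state(entry, lockout_duration, now)
    if state == "locked-forever":
        return ("special", "accountUnlockTime", "locked-forever")
    if state == "unlocked":
        explicit_unlock = int(entry.get("lockoutTime", 0)) == 0
        return ("delete", "accountUnlockTime", None) if explicit_unlock else None
    unlock_at = datetime.fromtimestamp(int(entry["lockoutTime"]) + lockout_duration, timezone.utc)
    return ("replace", "accountUnlockTime", unlock_at.strftime(GENERALIZED_TIME))
```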



Directory hangs while using ldap_sasl_bind

Recently I observed that ldap_sasl_bind to Active Directory left my client hung. If you happen to run into the same situation, use the following fix:


+ #include <ldappr.h>

+ static const int SASL_TIMEOUT_MILLISECONDS = 15000;

+   prldap_set_session_option(ld, NULL, PRLDAP_OPT_IO_MAX_TIMEOUT,SASL_TIMEOUT_MILLISECONDS);
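Review bot: the return value of prldap_set_session_option() on the third added line is discarded; compare it against LDAP_SUCCESS and log a failure, otherwise a handle on which the option could not be set keeps the unbounded wait and the hang this fix targets comes back silently. Since SASL_TIMEOUT_MILLISECONDS already records the unit, a short comment that PRLDAP_OPT_IO_MAX_TIMEOUT takes milliseconds would stop a later edit from passing seconds.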





About

This is the blog of a software engineer specialized in identity management. Kunal Sinha works in the Directory Services Engineering (OpenDS) team in Austin, Texas.
