Friday, May 14, 2010

Oracle (Sun) DSEE 7

Oracle’s (Sun’s, actually) Directory Server Enterprise Edition (DSEE) 7.0 has a lot going for it.

Tuesday, March 2, 2010

Turning a Sun or Red Hat DS into a simple LDAP proxy

While Oracle’s Virtual Directory and Sun’s Directory Proxy Server have lots of features that make deploying them worthwhile, if all you need is a simple pass-through LDAP proxy the standard Sun and Red Hat (a/k/a Netscape or 389 Directory) servers support a feature called Chaining that does the job.

Basically chaining involves substituting a remote Sun/Red Hat LDAP directory for the usual local database back-end. When an LDAP client requests something from the directory that’s configured to do chaining, the directory responds by performing LDAP operations on the remote directory and then returning the result to the client. This is transparent to the client, unlike standard LDAP v3 referrals that require the client to handle the process on its own. The analogy that immediately comes to mind is where a DNS server handles queries recursively.

Making this work is a two stage process. First you have to prepare the remote directory, then you configure the directory that will do the chaining.

Preparing the Remote Directory

A few points here. First, just as with setting up a replication admin account, it’s always best to put your proxy user entry someplace off the main tree. I created mine as “cn=proxyadmin, cn=proxy, cn=config”. You also need to give this user proxy rights to the target suffix (e.g. “dc=example,dc=com”). I found that I had to loosen up some of my access constraints to make things work properly. Here are the acis (“access control instructions”) I set at the top of the target suffix and “cn=config”:

(targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)

(targetattr="carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURL || mail || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)

(targetattr = "*") (version 3.0;acl "proxy acl";allow (proxy)(userdn = "ldap:///cn=proxyadmin, cn=proxy, cn=config");)

The first two acis are taken from the defaults that ship with the Sun or Red Hat Directory server. I also place them at the root of the “cn=config” tree. You’re going to want to look carefully at that list of attributes in both these. They’re going to violate many very good security designs out there. As with anything having to do with LDAP the key is to “test, test, test and test again”.

That last aci is specially designed to enable the proxy account to … “proxy”: perform operations “on behalf” of the user binding to the chaining directory as that user.
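Because the anonymous and self-write acis above are copied from the shipped defaults, it is worth checking mechanically what each one actually exposes before putting them on a production suffix. The following Python script is an added example, not code from the post or from the Sun/Red Hat product: it parses the simple aci shape used above (one targetattr clause, one allow clause, one userdn bind rule), answers “does this aci reach attribute X?”, and flags the patterns a reviewer would object to: anonymous read that reaches userPassword, write granted to anyone, and a proxy right granted to a generic subject or bundled with other rights. The sample acis are constructed copies of the three in the post, with the self-write attribute list abbreviated.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the three acis quoted in the post (self-write list shortened).
PAGE_ACIS = [
    '(targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; '
    'allow (read, search, compare) userdn="ldap:///anyone";)',
    '(targetattr="carLicense || description || displayName || mail || mobile || '
    'telephoneNumber || userCertificate || userPassword || userSMIMECertificate")'
    '(version 3.0; acl "Enable self write for common attributes"; '
    'allow (write) userdn="ldap:///self";)',
    '(targetattr = "*") (version 3.0;acl "proxy acl";allow (proxy)'
    '(userdn = "ldap:///cn=proxyadmin, cn=proxy, cn=config");)',
]


@dataclass
class Aci:
    name: str
    negated: bool   # True when the target was written as targetattr!="..."
    attrs: list     # attribute names in the target, or ['*']
    rights: list    # rights listed in the allow clause
    userdn: str     # subject of the bind rule, e.g. ldap:///anyone


def parse_aci(text: str) -> Aci:
    """Extract the fields this audit needs from one DS aci value.

    Only the shape used in the post is modelled. Acis with deny clauses,
    groupdn or targetfilter are rejected rather than silently misjudged.
    """
    target = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', text)
    name = re.search(r'acl\s+"([^"]*)"', text)
    allow = re.search(r'allow\s*\(([^)]*)\)', text)
    userdn = re.search(r'userdn\s*=\s*"([^"]*)"', text)
    if not (target and name and allow and userdn):
        raise ValueError('unsupported aci shape: ' + text)
    if re.search(r'\bdeny\b|groupdn|targetfilter', text):
        raise ValueError('aci uses clauses this audit does not model: ' + text)
    return Aci(
        name=name.group(1),
        negated=target.group(1) == '!=',
        attrs=[a.strip() for a in target.group(2).split('||')],
        rights=[r.strip() for r in allow.group(1).split(',')],
        userdn=userdn.group(1),
    )


def covers(aci: Aci, attr: str) -> bool:
    """Does the aci's targetattr clause reach the given attribute?"""
    if aci.attrs == ['*']:
        return True
    if aci.negated:
        return attr not in aci.attrs
    return attr in aci.attrs


def audit(aci: Aci) -> list:
    """Return findings for one aci; an empty list means nothing was flagged."""
    findings = []
    subject = aci.userdn.rsplit('/', 1)[-1]   # 'anyone', 'self', 'all' or a DN
    anonymous = subject == 'anyone'
    if anonymous and {'read', 'search', 'compare'} & set(aci.rights) \
            and covers(aci, 'userPassword'):
        findings.append(f'{aci.name}: anonymous read reaches userPassword')
    if anonymous and 'write' in aci.rights:
        findings.append(f'{aci.name}: write granted to anyone')
    if 'proxy' in aci.rights:
        if subject in ('anyone', 'self', 'all', 'parent'):
            findings.append(f'{aci.name}: proxy right granted to a generic subject ({subject})')
        extra = sorted(set(aci.rights) - {'proxy'})
        if extra:
            findings.append(f'{aci.name}: proxy aci also grants {", ".join(extra)}')
    return findings


def audit_all(texts) -> list:
    """Parse and audit a list of aci strings, returning every finding."""
    return [f for t in texts for f in audit(parse_aci(t))]


if __name__ == '__main__':
    for t in PAGE_ACIS:
        a = parse_aci(t)
        print(a.name, '->', audit(a) or 'ok')
```

Run against the post’s three acis the audit is clean: anonymous read is fenced off from userPassword by the `!=` target, and the proxy right is granted only to the dedicated proxyadmin DN and to nothing else. The self-write aci is the one to read by hand, since `covers(aci, 'userPassword')` is true for it and the attribute list is long.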

Configuring a Chaining Directory

The simplest way I found to get a chaining directory up and running is to create a new instance with a different root suffix than my target’s root will be. For example, “o=proxy”.

Once the instance is up and running you need to create a new root suffix named for your target, like “dc=example, dc=com”. When you do this uncheck the box labeled “Create associated database automatically”.

Then right click on the new suffix and select “New Database Link”. Provide a name for the database link (e.g. “exampleproxy”) and fill out the bind dn and password for the proxy user account you created on the remote server.

The form also includes a field for the remote server and port (early versions asked for the “URL”, by which they meant the LDAP URI, like “ldap://ldap1.example.com:389/” — that last slash being significant). A nice touch where you don’t have an application load balancer is the ability to list more than one server for failover.

Although it’s not technically required, I usually restart the chaining instance before testing, to make sure everything is properly applied.

Thursday, July 30, 2009

How do I search on a name value that has a parens in it?

How do I search on a name value that has a parens [“(”] in it?

You have to escape both parens characters in the LDAP search filter, as \28 and \29:

"(givenname=stephan \28IT\29)"

Why? Because parens are what LDAP uses to determine where a filter begins and ends!

Just another reason never to let anyone store parens or other non-alphabet characters in name attributes.

(oh well…)
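The fix generalizes beyond parentheses: RFC 4515 requires `*`, `(`, `)`, `\` and NUL in an assertion value to be written as a backslash and two hex digits, and any code that builds filters from user-supplied names should do that escaping every time rather than relying on nobody ever storing such characters. The following Python is an added example, not code from the post: `escape_filter_value` implements the RFC 4515 escaping, `equality_filter` builds a filter from an attribute name and a raw value (and refuses attribute names that are not valid LDAP attribute descriptions or OIDs, since those must never come from user input), and the `__main__` block runs the post’s own value through it. Non-ASCII characters are optional to escape under the RFC; this code escapes their UTF-8 bytes anyway so the result stays pure ASCII.

```python
import re

# Attribute descriptions (cn, givenName, mail;lang-en) or numeric OIDs only.
ATTR_RE = re.compile(r'[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*|\d+(\.\d+)*')


def escape_filter_value(value: str) -> str:
    """Escape a raw string for use as an assertion value in an LDAP filter.

    Special characters become backslash plus two lowercase hex digits, as
    RFC 4515 requires: '(' -> \28, ')' -> \29, '*' -> \2a, '\' -> \5c, NUL -> \00.
    Control and non-ASCII characters are UTF-8 encoded and every byte escaped.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if ch in '*()\\' or code == 0:
            out.append('\\%02x' % code)
        elif code < 0x20 or code > 0x7e:
            out.extend('\\%02x' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


def equality_filter(attr: str, value: str) -> str:
    """Build '(attr=value)' with the value escaped; reject bogus attribute names."""
    if not ATTR_RE.fullmatch(attr):
        raise ValueError('not an LDAP attribute description: %r' % attr)
    return '(%s=%s)' % (attr, escape_filter_value(value))


if __name__ == '__main__':
    # The value from the post: a given name that contains parens.
    print(equality_filter('givenname', 'stephan (IT)'))
```

The printed filter is `(givenname=stephan \28IT\29)`, which the server parses as a single equality assertion; the unescaped form would be read as nested filter components instead.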

Monday, February 16, 2009

increasing efficiency with a wiki

For anyone who still doubts the usefulness of wikis in facilitating the kind of collaboration that can increase worker efficiency, check out Stewart Mader’s Future Changes site. Mader has a couple of books on wiki adoption, as well as a short video series, 21 Days of Wiki Adoption, where he makes the point with such skill that even an executive could get it.

Saturday, January 31, 2009

What's in a footprint?

Google the words, “windows 7 footprint”, and you’re likely to get back an interesting collection of articles.

The physical disk space that operating systems consume has been increasing exponentially over the years, as more and more capability was packed into the O/S as opposed to user land applications. Over in the Linux world we’ve been seeing steady movement away from this. Most distros now have a Live CD that can install a minimal build on your machine that you can add components to as needed. My own “fully loaded” (just think, “every developer tool available”) Ubuntu desktop machine at home currently uses a little more than 6 Gb. The “minimal client” Windows XP machine I have been using for testing at work, on the other hand, uses about 9 Gb. My more fully outfitted Windows XP laptop image takes up around 19 Gb.

There are two reasons footprint makes a difference. First, because the more space given over to the O/S, the less you have for applications and data. In an age of 500 Gb hard disks that might sound irrelevant, but given recent hardware developments like the overnight success of the netbook with solid state drives in the 8 - 16 Gb range, it may turn into a market imperative. Second, and perhaps more importantly in light of the netbook phenomenon, being able to fit the entire O/S into RAM could be a critical requirement for performance reasons.

One good article I found on Windows 7’s disk usage was this post from the blog written by the Windows 7 developers. From the main body and the comments I didn’t see anything that would lead me to believe that a minimal install of Windows 7 would be much smaller than my own Windows XP “minimal client” build. That’s disappointing. As one commenter put it, “Windows should be able to boot from a device with less than 4Gb RAM”. I wholeheartedly agree. Of course even though many Linux distro Live CDs do just that, the further question of just how usable the resulting image is has to be considered. I ran into this when looking for an alternative to Sugar and the Fedora 9 based O/S on the OLPC XO-1 machine we have at home. In the end I decided that none of the other distros could run any better, and some much worse, on that resource-challenged hardware.

Anyway, I’ll soon see for myself. Having downloaded the Windows 7 Beta iso, I’ve decided to do my own evaluation to determine if Microsoft is finally moving in the right direction.