version: 1
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: monitor
database: ldbm database
readonly: 0
nextid: 10
dbentrycount: 9
ldapentrycount: 9
entrycachehits: 26
entrycachetries: 36
entrycachehitratio: 72
currententrycachesize: 14796
maxentrycachesize: 10485760
currententrycachecount: 9
maxentrycachecount: -1
Tuesday, June 30, 2009
Monday, June 29, 2009
How do we scale our Directory Service?
- Add more nodes;
- Configure replication across all nodes;
- Place a load-balancer in-front of all nodes;
- If the solution is to cater for more WRITE than READ, then I'll ask "Are you actually looking for a database?" (LDAP is built for fast and frequent read ops, with occasional write ops.)
- You'll be surprised at the answers you get. There really are customers who cannot differentiate between LDAP and a database.
- If the customer is really sure they need a Directory Service, then I'll suggest that they split their users into various organizations/groups. Each logical group is then stored in a different LDAP source.
Note that you cannot use replication to scale write operations because a write operation to one directory server results in a write operation to every other server in the topology. The only way to scale write operations horizontally is to split the directory data among multiple databases and place those databases on different servers.
The section on File Descriptor Requirements (Linux Systems) reminds me of an escalation case I was assigned to in February.
The case involved a global logistics company in Malaysia. They had an issue with Sun Directory Server 5.2 SP4 running on Red Hat Enterprise Linux AS 4. Long story short - the problem was due to insufficient tuning.
By default, Linux limits the number of file descriptors that any one process may open to 1024.
Once the directory server process has exhausted that limit, new connections and worker threads block.
For example, if the directory server attempts to open an Oracle Berkeley DB JE database file after the process has exhausted its file descriptor limit, the open fails and the server reports a corrupted database exception. Likewise, a directory server that exceeds the file descriptor limit set by the operating system can become unresponsive, as the LDAP connection handler consumes all of the CPU attempting to accept a new connection.
To fix this condition, set the maximum file descriptor limit per process on Linux
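The number to watch on a running ns-slapd is how many descriptors it already holds against the "Max open files" row of /proc/<pid>/limits: every client connection, database file and log file costs one. The script below is an added example for this post (not code from the post, from Sun or from Red Hat); it assumes a Linux host with /proc mounted, and the 80% warning threshold is an arbitrary choice. Run it with the server's PID as argument, or without one to inspect itself.

```python
"""Compare a process's open file descriptors with its NOFILE limit.

Added example for this post (not code from the post or from Sun/Red Hat).
Assumptions: Linux with /proc mounted; WARN_FRACTION is an arbitrary threshold.
"""
import os
import re
import resource
from typing import Dict, Optional, Tuple

WARN_FRACTION = 0.8  # assumption: warn once 80% of the soft limit is in use

# Row of /proc/<pid>/limits that holds RLIMIT_NOFILE, e.g.
# "Max open files            1024                 4096                 files"
_LIMIT_RE = re.compile(r"^Max open files\s+(\S+)\s+(\S+)")


def parse_nofile_limits(limits_text: str) -> Tuple[Optional[int], Optional[int]]:
    """Return (soft, hard) from the text of /proc/<pid>/limits; None = unlimited."""
    def to_int(value: str) -> Optional[int]:
        return None if value == "unlimited" else int(value)

    for line in limits_text.splitlines():
        m = _LIMIT_RE.match(line)
        if m:
            return to_int(m.group(1)), to_int(m.group(2))
    raise ValueError("no 'Max open files' row found")


def open_fd_count(pid: int) -> int:
    """Number of descriptors the process currently has open."""
    return len(os.listdir(f"/proc/{pid}/fd"))


def check_fd_usage(pid: Optional[int] = None) -> Dict[str, object]:
    """Report descriptors in use against the soft limit; warn near exhaustion."""
    pid = os.getpid() if pid is None else pid
    with open(f"/proc/{pid}/limits", encoding="ascii") as fh:
        soft, hard = parse_nofile_limits(fh.read())
    used = open_fd_count(pid)
    warn = soft is not None and used >= WARN_FRACTION * soft
    return {"pid": pid, "used": used, "soft": soft, "hard": hard, "warn": warn}


def raise_soft_limit_to_hard() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Raise this process's soft NOFILE limit to its hard limit.

    An unprivileged process may raise soft up to hard but not beyond; a larger
    hard limit for the slapd user has to come from the init script or
    /etc/security/limits.conf before the server starts. Returns the
    (soft, hard) pair before and after; -1 stands for RLIM_INFINITY.
    """
    before = resource.getrlimit(resource.RLIMIT_NOFILE)
    soft, hard = before
    if hard != resource.RLIM_INFINITY and soft < hard:
        try:
            resource.setrlimit(resource.RLIMIT_NOFILE, (hard, hard))
        except (ValueError, OSError):
            pass  # kernel refused (e.g. hard above fs.nr_open); report unchanged
    return before, resource.getrlimit(resource.RLIMIT_NOFILE)


if __name__ == "__main__":
    import sys
    target = int(sys.argv[1]) if len(sys.argv) > 1 else None
    print(check_fd_usage(target))
```

Raising the soft limit from inside a process only helps that process; for ns-slapd the limit has to be in place in the environment that starts it, which is what the tuning in the case above came down to.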
Wednesday, June 24, 2009
- Held by anti-spam/anti-virus server
- Sender did not even get the email sent (stuck in their outbox)
- Sender sent to wrong email address (Ha! It really happened before!)
- etc ...
19-Jun-2009 16:43:28.75 ims-ms R 57 email@example.com rfc822;firstname.lastname@example.org max%abc.com@ims-ms-daemon /opt/SUNWmsgsr/data/queue/ims-ms/003/ZZg0x5H1dfFdv.00 <email@example.com> mailsrv Over quota
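The mail.log record above is the one place the "it never arrived" question gets answered, and the same records answer who is over quota. The following Python script is an added example (not code from the post or from Sun's documentation): it parses records of the shape shown above and tallies "Over quota" rejections per recipient. The column layout is inferred from that single record (date, time, channel, action code, size, envelope from, envelope to, then an intermediate address, the queue file, the message-id and free text); only the first seven columns are treated as fixed. The sample log is constructed: the post's record, a delivery, a second rejection and a non-record line.

```python
"""Parse Messaging Server mail.log records and tally "Over quota" rejections.

Added example (not from the post or from Sun's documentation). The column
layout is inferred from the record quoted in the post; only the first seven
columns are fixed, the remainder is located by pattern.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample log: the record from the post, a delivery, a second
# rejection for the same recipient, and a line that is not a record at all.
SAMPLE_LOG = """\
19-Jun-2009 16:43:28.75 ims-ms R 57 email@example.com rfc822;firstname.lastname@example.org max%abc.com@ims-ms-daemon /opt/SUNWmsgsr/data/queue/ims-ms/003/ZZg0x5H1dfFdv.00 <email@example.com> mailsrv Over quota
19-Jun-2009 16:44:01.10 ims-ms D 12 alice@example.com rfc822;bob@example.org bob%abc.com@ims-ms-daemon /opt/SUNWmsgsr/data/queue/ims-ms/004/ZZg0x5H1dfFdw.00 <1@example.com> mailsrv
19-Jun-2009 16:45:12.30 ims-ms R 57 carol@example.com rfc822;firstname.lastname@example.org max%abc.com@ims-ms-daemon /opt/SUNWmsgsr/data/queue/ims-ms/003/ZZg0x5H1dfFdx.00 <2@example.com> mailsrv Over quota
this line is not a mail.log record
"""

_REC_RE = re.compile(
    r"^(?P<date>\d{2}-[A-Za-z]{3}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"(?P<channel>\S+) (?P<action>[A-Z]+) (?P<size>\d+) "
    r"(?P<env_from>\S+) (?P<env_to>\S+)(?P<rest>.*)$"
)
_MSGID_RE = re.compile(r"<[^>]*>")
_FILE_RE = re.compile(r"\s(/\S+)")


@dataclass
class Record:
    date: str
    time: str
    channel: str
    action: str            # "R" is the rejection seen in the post's record
    size_blocks: int
    env_from: str
    env_to: str            # "rfc822;" prefix stripped
    queue_file: Optional[str]
    message_id: Optional[str]
    trailer: str           # free text after the message-id, e.g. "mailsrv Over quota"


def parse_record(line: str) -> Optional[Record]:
    """Parse one mail.log line; return None for lines that are not records."""
    m = _REC_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    file_m = _FILE_RE.search(rest)
    id_m = _MSGID_RE.search(rest)
    env_to = m.group("env_to")
    if env_to.startswith("rfc822;"):
        env_to = env_to[len("rfc822;"):]
    return Record(
        date=m.group("date"), time=m.group("time"), channel=m.group("channel"),
        action=m.group("action"), size_blocks=int(m.group("size")),
        env_from=m.group("env_from"), env_to=env_to,
        queue_file=file_m.group(1) if file_m else None,
        message_id=id_m.group(0) if id_m else None,
        trailer=(rest[id_m.end():] if id_m else rest).strip(),
    )


def over_quota_recipients(log_lines: Iterable[str]) -> Dict[str, int]:
    """Count rejections whose diagnostic says 'Over quota', per recipient."""
    counts: Counter = Counter()
    for line in log_lines:
        rec = parse_record(line)
        if rec and rec.action == "R" and "over quota" in rec.trailer.lower():
            counts[rec.env_to] += 1
    return dict(counts)


if __name__ == "__main__":
    for addr, n in sorted(over_quota_recipients(SAMPLE_LOG.splitlines()).items()):
        print(f"{addr}: {n} over-quota rejection(s)")
```

Feeding the cumulative mail.log (rather than the constructed sample) through over_quota_recipients gives the list of over-quota accounts that the June 10 feature request asks for, without touching the message store.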
Tuesday, June 23, 2009
bash-3.00# cd /usr/jdk/
bash-3.00# ./jdk-6u14-solaris-i586.sh
bash-3.00# java -version
java version "1.5.0_14"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_14-b03)
Java HotSpot(TM) Client VM (build 1.5.0_14-b03, mixed mode, sharing)
bash-3.00# javac -version
javac 1.5.0_14
bash-3.00# ls -al /usr/bin/java*
lrwxrwxrwx 1 root other 16 Jul 3 2008 /usr/bin/java -> ../java/bin/java
lrwxrwxrwx 1 root other 17 Jul 3 2008 /usr/bin/javac -> ../java/bin/javac
lrwxrwxrwx 1 root other 19 Jul 3 2008 /usr/bin/javadoc -> ../java/bin/javadoc
lrwxrwxrwx 1 root other 17 Jul 3 2008 /usr/bin/javah -> ../java/bin/javah
lrwxrwxrwx 1 root other 17 Jul 3 2008 /usr/bin/javap -> ../java/bin/javap
lrwxrwxrwx 1 root other 18 Jul 3 2008 /usr/bin/javaws -> ../java/bin/javaws
bash-3.00# ls -al /usr/java
lrwxrwxrwx 1 root other 15 Jul 3 2008 /usr/java -> jdk/jdk1.5.0_14
bash-3.00# rm /usr/java
bash-3.00# ln -s jdk/jdk1.6.0_14 /usr/java
bash-3.00# java -version
java version "1.6.0_14"
Java(TM) SE Runtime Environment (build 1.6.0_14-b08)
Java HotSpot(TM) Client VM (build 14.0-b16, mixed mode, sharing)
bash-3.00# javac -version
javac 1.6.0_14
bash-3.00# cd /usr/jdk
bash-3.00# ls -altr
total 16
lrwxrwxrwx 1 root other 7 Jul 3 2008 j2sdk1.4.2_16 -> ../j2se
drwxr-xr-x 3 root bin 512 Jul 3 2008 instances
lrwxrwxrwx 1 root other 18 Jul 3 2008 jdk1.5.0_14 -> instances/jdk1.5.0
lrwxrwxrwx 1 root other 11 Jul 3 2008 latest -> jdk1.5.0_14
drwxr-xr-x 8 root bin 512 Jul 3 2008 packages
drwxrwxr-x 10 root root 512 Jun 23 13:12 jdk1.6.0_14
drwxr-xr-x 5 root bin 512 Jun 23 13:15 .
drwxr-xr-x 40 root sys 1024 Jun 23 13:17 ..
bash-3.00# rm latest
bash-3.00# ln -s jdk1.6.0_14 latest
bash-3.00# ls -altr
total 16
lrwxrwxrwx 1 root other 7 Jul 3 2008 j2sdk1.4.2_16 -> ../j2se
drwxr-xr-x 3 root bin 512 Jul 3 2008 instances
lrwxrwxrwx 1 root other 18 Jul 3 2008 jdk1.5.0_14 -> instances/jdk1.5.0
drwxr-xr-x 8 root bin 512 Jul 3 2008 packages
drwxrwxr-x 10 root root 512 Jun 23 13:12 jdk1.6.0_14
drwxr-xr-x 40 root sys 1024 Jun 23 13:17 ..
lrwxrwxrwx 1 root root 11 Jun 23 13:24 latest -> jdk1.6.0_14
drwxr-xr-x 5 root bin 512 Jun 23 13:24 .
root# /opt/SUNWdsee/dscc6/bin/dsccsetup dismantle
root# /opt/SUNWdsee/dscc6/bin/dsccsetup initialize
Sunday, June 21, 2009
Gmail doesn't offer traditional aliases, but you can receive messages sent to firstname.lastname@example.org. For example, messages sent to email@example.com are delivered to firstname.lastname@example.org. You can set up filters to automatically direct these messages to Trash, apply a label or star, skip the inbox, or forward to another email account.
Saturday, June 20, 2009
Hello,

We have a community of about 500 users who use the Outlook Connector. We're having significant difficulty in managing upgrades to the connector software and maintaining the most recent version across all 500 users' systems. We're even having difficulty identifying which users/machines are using the Outlook Connector to even approach them to upgrade. When an upgrade becomes available, installing it involves sending support staff around to hundreds of users' PCs to perform the upgrade, as most users aren't savvy enough or don't have appropriate access to perform the upgrade on their own.

Have others encountered this same problem, and what have others done to manage connector upgrades?

Regards,
Andrew
Friday, June 19, 2009
- Forward the same email (yes, 10 MB!!)
- Download to corporate network drive; ask my colleague to pick the document from there
- Download to a thumbdrive; walk over to my colleague's desk; ask him to copy the document
bash-3.00# ./dsee_deploy install -i /comms/dsee
- You need to install your own web container to deploy DSEE Console (a .war file). It is not tightly integrated with Java Web Console (aka smcwebserver). This is troublesome to me!
- You cannot use the default system-installed CACAO agent. A standalone cacao is installed in /dsee6/cacao_2 instead, which might confuse whoever handles operations.
- Changes all functioning resource groups on the cluster to an offline state
- Unmount all file systems
- Shuts down all active device services
- Runs /usr/sbin/init 0 on all nodes
Thursday, June 18, 2009
- pwdKeepLastAuthTime feature is not enabled by default
- Directory Server, by default, is in DS5-compatible-mode
- Directory Server has to be in DS6 mode in order to enable pwdKeepLastAuthTime
- The server state can move only towards stricter compliance with the new password policy specifications. It implies "no way to roll back once you make the change".
Using this feature can affect performance. When you configure Directory Server to save pwdLastAuthTime timestamps, the server must perform an internal modify operation for each successful bind.
Wednesday, June 17, 2009
If we need to patch the Directory Server later, all we need to do is to download the latest patch (in PKG format, of course) and execute pkgadd command. Clean and simple! I like to keep things simple.
Monday, June 15, 2009
With logging enabled, the mail.log file steadily grows and, if left unchecked, consumes all available disk space. Monitor the size of this file and periodically delete unnecessary contents. You can also delete the entire file, as another version will be created as needed.
The message return job, which runs every night around midnight, appends any existing mail.log_yesterday to the cumulative log file, mail.log, renames the current mail.log_current file to mail.log_yesterday, and then begins a new mail.log_current file.
Why? No automatic log rotation? How can that be from an Enterprise product?
Sun is giving you the flexibility. :)
bash-3.00# crontab -l
# The root crontab should be used to perform accounting data collection.
#
10 3 * * * /usr/sbin/logadm
bash-3.00# ls -al /etc/logadm.conf
-rw-r--r-- 1 root sys 1485 Jun 11 03:10 /etc/logadm.conf
Thursday, June 11, 2009
1. Ensure Cacao is running
$ cacaoadm status
2. Ensure SMC Web Server is running
$ smcwebserver status
3. If it is not running, start it
$ smcwebserver start
$ smcwebserver start
Starting Sun Java(TM) Web Console Version 3.1 ...
Cannot determine if console service is running.
Check log file: /var/svc/log/system-webconsole:console.log
Run "svcs system/webconsole:console" to determine its status.
$ /usr/share/webconsole/private/bin/wcremove -i console
$ svcadm clear system/webconsole:console
Wednesday, June 10, 2009
- We will only develop features required by 80% of our user base.
- 20% of the features requests will take up 80% of our development time, but might not be useful to our users (at least for 80% of them). Thus, we should not spend time on these.
- Non-cluttered interface
- Single page to create new email account (no wizard please!)
- Single page to create new mailing list (again - no wizard please!)
- Single page to list users' quota (new feature request)
- Receive a list of over-quota email accounts (new feature request)
Tuesday, June 9, 2009
Can we backup the LDAP data by executing a filesystem backup on a daily basis?
/opt/SUNWdsee/ds6/bin/dsconf backup -p 389 -c /ldap/backup/db/`date +%Y_%m_%d_%H%M%S`
/opt/SUNWdsee/ds6/bin/dsconf export -Q -p 389 -c o=isp /ldap/backup/ldif/123.ldif
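Copying the live database files from the filesystem gives no guarantee of a consistent backup, which is why the two commands above (a binary backup into a timestamped directory and an LDIF export) are the right tools. What they leave out is retention: a directory per run fills the disk the same way mail.log does. The Python script below is an added example, not code from the post or from DSEE; it builds the post's `dsconf backup -p 389 -c <dir>` command with the same timestamp layout, and prunes backup directories older than a retention period. The retention of 14 days, the password file path and the use of dsconf's `-w FILE` option (so the Directory Manager password stays out of `ps` and cron mail) are choices made here. Nothing is executed unless run as a script with --run.

```python
"""Timestamped dsconf backups with retention pruning.

Added example, not from the post or from DSEE. The dsconf path, port and
backup root are the post's; KEEP_DAYS, the password file and -w are assumptions.
"""
import os
import shutil
import subprocess
import sys
from datetime import datetime, timedelta
from typing import List, Optional

DSCONF = "/opt/SUNWdsee/ds6/bin/dsconf"
PORT = "389"
BACKUP_ROOT = "/ldap/backup/db"
STAMP = "%Y_%m_%d_%H%M%S"        # same layout as the post's `date +%Y_%m_%d_%H%M%S`
KEEP_DAYS = 14                   # assumption
PWD_FILE = "/ldap/backup/.dsmgr_pw"  # assumption: mode 0400, owned by the backup user


def parse_stamp(name: str) -> datetime:
    """Turn a directory name in STAMP form back into a datetime (ValueError otherwise)."""
    return datetime.strptime(name, STAMP)


def backup_dir(now: datetime, root: str = BACKUP_ROOT) -> str:
    return os.path.join(root, now.strftime(STAMP))


def backup_command(dest: str, pwd_file: Optional[str] = None) -> List[str]:
    """The post's command, optionally reading the bind password from a file."""
    cmd = [DSCONF, "backup", "-p", PORT]
    if pwd_file:
        cmd += ["-w", pwd_file]   # dsconf -w takes a file name, not the password
    return cmd + ["-c", dest]


def expired_backups(names: List[str], now: datetime, keep_days: int = KEEP_DAYS) -> List[str]:
    """Backup directory names older than keep_days; names not in STAMP form are never returned."""
    cutoff = now - timedelta(days=keep_days)
    expired = []
    for name in names:
        try:
            taken = parse_stamp(name)
        except ValueError:
            continue                      # not one of ours: leave it alone
        if taken < cutoff:
            expired.append(name)
    return sorted(expired)


def prune(root: str, now: datetime, keep_days: int = KEEP_DAYS, dry_run: bool = True) -> List[str]:
    """Delete (or, when dry_run, only list) expired backup directories under root."""
    names = [n for n in os.listdir(root) if os.path.isdir(os.path.join(root, n))]
    doomed = expired_backups(names, now, keep_days)
    if not dry_run:
        for name in doomed:
            shutil.rmtree(os.path.join(root, name))
    return doomed


def run_backup(now: datetime, pwd_file: Optional[str] = PWD_FILE, dry_run: bool = True) -> List[str]:
    """Take a backup into a fresh timestamped directory, then prune old ones."""
    cmd = backup_command(backup_dir(now), pwd_file)
    if not dry_run:
        subprocess.run(cmd, check=True)   # fail loudly before pruning anything
        prune(BACKUP_ROOT, now, dry_run=False)
    return cmd


if __name__ == "__main__":
    dry = "--run" not in sys.argv
    print(("would run: " if dry else "ran: ") + " ".join(run_backup(datetime.now(), dry_run=dry)))
```

Pruning only runs after dsconf backup returned successfully, so a failing backup never reduces the number of good copies on disk; the LDIF export from the post can be rotated the same way by pointing the stamp at a file name instead of a directory.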
Thursday, June 4, 2009
Edit the AMConfig.properties file. Change the value
com.iplanet.am.session.purgedelay=60
to
com.iplanet.am.session.purgedelay=0
Restart your AM server.
1. Know which authentication module is utilized
2. Search for the appropriate XML file in [webapp-path]/SUNWam/web-src/services/config/auth/default. (In our case, LDAP.xml)
3. Set the value to 0 for every occurrence of the attribute timeout
4. Restart the AM server
Wednesday, June 3, 2009
(target ="ldap:///o=isp")(targetattr !="userPassword")(version 3.0;acl "Anonymous read-search access";allow (read, search, compare)(userdn = "ldap:///anyone");)
bash-3.00# ldapmodify -D "cn=Directory Manager" -w password
dn: o=isp
changetype: modify
delete: aci
aci: (target ="ldap:///o=isp")(targetattr !="userPassword")(version 3.0;acl "Anonymous read-search access";allow (read, search, compare)(userdn = "ldap:///anyone");)
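Before deleting or rewriting an ACI like the one above, it is worth checking what every ACI on the suffix grants to an anonymous bind, because the `!="userPassword"` exclusion in this one is undone silently by any other ACI with `(targetattr ="*")` and `userdn = "ldap:///anyone"` (anyone covers anonymous binds; `ldap:///all` covers only authenticated ones). The Python script below is an added example, not code from the post or from DSEE: it parses the ACI syntax shown on the page and reports which listed attributes an anonymous bind could read. WEAK_ACI is constructed for contrast. Two assumptions are built in: a missing targetattr is treated as all attributes, and deny precedence is only applied within a single ACI, not across ACIs.

```python
"""Parse Directory Server ACIs and check what an anonymous bind may read.

Added example; not code from the post or from DSEE. Handles the
(target...)(targetattr...)(version 3.0; acl "..."; allow/deny (perms) (bind rule);)
form shown on the page. Assumptions: a missing targetattr means all attributes,
and deny precedence across different ACIs is not modelled.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The ACI quoted in the post.
POST_ACI = ('(target ="ldap:///o=isp")(targetattr !="userPassword")'
            '(version 3.0;acl "Anonymous read-search access";'
            'allow (read, search, compare)(userdn = "ldap:///anyone");)')

# Constructed for contrast: the same rule with every attribute targeted.
WEAK_ACI = ('(target ="ldap:///o=isp")(targetattr ="*")'
            '(version 3.0;acl "Anonymous read all (constructed)";'
            'allow (read, search, compare)(userdn = "ldap:///anyone");)')

_TARGET_RE = re.compile(
    r'\(\s*(targetattr|targetfilter|targetscope|target)\s*(!?=)\s*"([^"]*)"\s*\)')
_ACL_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
_RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*\((.*?)\)\s*;', re.S)
_ANYONE_RE = re.compile(r'userdn\s*=\s*"ldap:///anyone"')


@dataclass
class Aci:
    name: str
    targets: Dict[str, Tuple[str, List[str]]]   # keyword -> (op, values)
    rules: List[Tuple[str, List[str], str]]     # (allow|deny, permissions, bind rule)


def parse_aci(text: str) -> Aci:
    """Split an ACI into its target keywords and its allow/deny rules."""
    targets: Dict[str, Tuple[str, List[str]]] = {}
    pos = 0
    for m in _TARGET_RE.finditer(text):
        if text[pos:m.start()].strip():
            break                          # target keywords sit contiguously at the front
        keyword, op, value = m.groups()
        targets[keyword] = (op, [v.strip() for v in value.split("||")])
        pos = m.end()
    m = _ACL_RE.match(text[pos:].strip())
    if not m:
        raise ValueError("not an ACI: missing (version 3.0; acl ...) section")
    name, body = m.groups()
    rules = [(kind, [p.strip().lower() for p in perms.split(",")], bind.strip())
             for kind, perms, bind in _RULE_RE.findall(body)]
    if not rules:
        raise ValueError(f"ACI {name!r} has no allow/deny rule")
    return Aci(name, targets, rules)


def _attr_targeted(aci: Aci, attr: str) -> bool:
    spec = aci.targets.get("targetattr")
    if spec is None:
        return True                        # assumption: no targetattr == every attribute
    op, values = spec
    listed = "*" in values or attr.lower() in (v.lower() for v in values)
    return listed if op == "=" else not listed


def grants_anonymous(aci: Aci, attr: str, perm: str = "read") -> bool:
    """True if this ACI lets an anonymous bind perform `perm` on `attr`."""
    if not _attr_targeted(aci, attr):
        return False
    allowed = False
    for kind, perms, bind in aci.rules:
        if perm not in perms and "all" not in perms:
            continue
        if not _ANYONE_RE.search(bind):
            continue
        if kind == "deny":
            return False                   # deny wins over allow within the ACI
        allowed = True
    return allowed


def exposed_attrs(aci_texts: List[str], sensitive: List[str],
                  perm: str = "read") -> Dict[str, List[str]]:
    """Map each sensitive attribute to the names of ACIs exposing it anonymously."""
    acis = [parse_aci(t) for t in aci_texts]
    return {a: [x.name for x in acis if grants_anonymous(x, a, perm)] for a in sensitive}


if __name__ == "__main__":
    for attr, names in exposed_attrs([POST_ACI, WEAK_ACI], ["userPassword", "mail"]).items():
        print(f"{attr}: {'exposed by ' + ', '.join(names) if names else 'not exposed'}")
```

To audit a real suffix, feed the script the aci values returned by `ldapsearch -b o=isp -s base aci` instead of the two constants. Separately, note that `-w password` on the ldapmodify command line above leaves the Directory Manager password visible in the process list and the shell history; the DSEE ldapmodify also accepts `-j FILE` to read it from a protected file.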