Archive

Author archive

Add samba user in iPlanet

September 17, 2006 No comments

I’ve tried many ways to add a samba user in iPlanet; the following one is useful. First, create a POSIX user in iPlanet, and then issue “smbpasswd -a user” to make this POSIX user a samba user. It seemed that adding entries that contain smb information would also work.

“/etc/ldap.conf” holds the settings used by the “getent passwd” command.
“/etc/openldap/ldap.conf” holds the settings used by the “ldapsearch -x” command.

Note, only a user whose object class contains the POSIX option is recognized as a UNIX account and returned by the getent command. Non-POSIX entries will never be returned in the “getent passwd” result.

How to share a directory in Linux?
First, confirm that NFS has been installed and started. Second, modify the “/etc/exports” file, and add the shared directory item.

Category: Technology Tags:

Play Windows game in Linux

September 17, 2006 No comments

I’ve tried winex and wine, but they do not work well. “Cedege”, a powerful tool to run Windows programs on the Linux platform, is installed with the related crack license package “cpkg”. It supports some Windows games, for example StarCraft and WarIII, but Microsoft Office and MSN could not even be installed with the Cedege tools.

To run the cedege program, just execute “cedege” in the command line. StarCraft runs very well in my CentOS.

Category: Technology Tags:

Performance testing on LDAP

September 17, 2006 No comments

Performance testing on LDAP
Written by Phillip Huang

Index
 Target
 Environment
 Preparing Work
 Testing Process
 Data Analysis

1. Target
Performance testing on getting returned entries from LDAP server

2. Environment
There are two computers in total. One acts as the LDAP server; the other is the client that sends queries to the LDAP server.
2.1 Hardware Info
LDAP server – CPU C2.0GHz/Memory 512MB/250G IDE/Realtek 8139(10/100Mbps)
Client machine- CPU P4 1.7GHz/Memory 512MB/80G IDE/Network device Intel PRO 1000(10/100/1000Mbps)
2.2 Software Info
LDAP server – Microsoft Windows 2000 Server / iPlanet Directory Server 5.1
Client – CentOS 4.3(2.6.9-34.EL) / LAT (1.0.7 stable version)
2.3 Network setting/info:
LDAP server IP – 192.168.123.21
LDAP service port – 390
Client IP – 192.168.123.32
Local Area Network – 10Mbps

3. Preparing work

3.1 iPlanet Directory Server Installation/Basic configuration
In the machine “192.168.123.21”, log on as administrator. Before installing iPlanet Directory Server, be sure Internet Information Service (IIS) is not installed, that only TCP/IP is specified as network protocol, and that no other network services are installed. If IIS is installed, remove it and restart the operating system. If other protocols (e.g. IPX/NetBIOS) and network services are installed, remove them and restart the operating system.

Then, unzip the product binaries, and run the iPlanet Directory Server setup program. In this testing case, choose the type of installation as “typical installation”.

According to the DNS host name “plasmon.sit”, select the directory suffix “dc=plasmon, dc=sit” for the tree that contains the data. Here we set “390” as the Directory Server port. The Directory Manager DN is the special directory entry to which access control does not apply. In this testing, we just keep the default Directory Manager DN, “cn=Directory Manager”, and set its password to “hello123”.

3.2 Configure client setting
In the machine “192.168.123.32”, modify the “/etc/openldap/ldap.conf” file as the following:
# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
uri ldap://192.168.123.21:390
BASE dc=plasmon,dc=sit

3.3 Connection testing
In the machine “192.168.123.32”, issue the “ldapsearch -x” command. If it returns the entries from the LDAP server, the configuration is right and the connection between LDAP server and client works.

3.4 Create a large number of general users
In the machine “192.168.123.32”, create a general user “rooney” and export its LDIF to a file named “1”.
# cat 1
dn: cn=rooney,ou=People, dc=plasmon,dc=sit
sn: wen
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
displayName: rooney
Initials: rw
givenName: rooney
cn: rooney

I wrote a Shell script “stest” in order to replicate the above text with some changes.
#!/bin/bash
# script name: stest
# replicate the "rooney" entry with some changes
# create 10000 copies
for ((i=1;i<=10000;i++))
do
    cp 1 t1
    # change "rooney" to "claudio_$i"
    sed "s/rooney/claudio_$i/g" t1 > t2
    # change "wen" to "lopez_$i"
    sed "s/wen/lopez_$i/g" t2 > rt$i
    # remove temporary files
    rm -rf t1 t2
done
# the following steps concatenate all the rt$i files
# create B1 file
touch B1
for ((i=1;i<=10000;i++))
do
    j=`expr $i + 1`
    cat B$i rt$i > B$j
    # remove temporary files
    rm -rf rt$i B$i
done
# end of script

As the result, I got a file named “B10001” containing 10000 different entries, and then imported “B10001” into the LDAP database with LAT. The successful import was confirmed by seeing these 10000 users in the LAT window.
Issuing “ldapsearch -x” only returned 5000 entries with an “Administrative limit exceeded” message. This issue is described in detail later in this report.

3.5 Create a large number of POSIX users
In the same way as for general users, I used LAT to create a POSIX user “luisfigo” and exported the entry to a file named “2”.
# cat 2
dn: cn=luisfigo,ou=People, dc=plasmon,dc=sit
objectClass: top
objectClass: posixaccount
objectClass: shadowaccount
objectClass: inetorgperson
objectClass: person
objectClass: organizationalPerson
displayName: luisfigo
uidNumber: 1002
cn: luisfigo
Initials: lf
sn: figo
uid: luisfigo
gecos: luisfigo
homeDirectory: /home/lfigo
gidNumber: 1001
givenName: luis
userPassword: {SSHA}muFo383UsaJsjZpKqAF4MZUk+VxjYo9p8Zs3ow==

I wrote a Shell script “stest1” in order to replicate the above text with some changes.
#!/bin/bash
# script name: stest1
# usage: ./stest1 $1 $2 $3 $4
# $1: the basic first name
# $2: the basic second name
# $3: the begin uidNumber
# $4: the end uidNumber
# create entry
for ((i=$3;i<=$4;i++))
do
    cp 2 t1
    sed "s/luis/$1_$i/g" t1 > t2
    sed "s/figo/$2_$i/g" t2 > t3
    # reset the uidNumber (anchored to the attribute so that a "1002"
    # inside a generated name such as "$1_10020" is left alone)
    sed "s/^uidNumber: 1002/uidNumber: $i/" t3 > rt$i
    # remove temporary files
    rm -rf t1 t2 t3
done
# the following steps concatenate all the rt$i files
# create C$3 file
touch C$3
for ((i=$3;i<=$4;i++))
do
    k=`expr $i + 1`
    cat C$i rt$i > C$k
    # remove temporary files
    rm -rf rt$i C$i
done
# rename the output file with a meaningful name
# (after the loop, $i is $4 + 1, so C$i is the last file written)
mv C$i report$1_$2_$3_$4
# end of script

Then, I decided to create users in the following steps:
First, I issued “./stest1 phillip huang 1003 4000” on the command line; it created users with uidNumber from 1003 to 4000.
Second, I issued “./stest1 bruce gan 8000 11003” on the command line; it created users with uidNumber from 8000 to 11003.
Third, I issued “./stest1 ashely cole 4001 7999” on the command line; it created users with uidNumber from 4001 to 7999.

Now, there are three files: reportphillip_huang_1003_4000, reportbruce_gan_8000_11003, reportashely_cole_4001_7999. Concatenate these three files in this order:
# cat reportphillip_huang_1003_4000 reportbruce_gan_8000_11003 reportashely_cole_4001_7999 > Shevchenko

Import the file “Shevchenko” into the LDAP database with LAT. The successful import was confirmed by seeing these added POSIX users in the LAT window. Note, here, issuing “ldapsearch -x” also returned 5000 entries with an “Administrative limit exceeded” message.

3.6 Look-through limit on iPlanet Directory Server
The problem is triggered when the user registry contains more entries than the “look-through” search limit set on iPlanet. When the look-through limit defined in the iPlanet Directory Server is exceeded, the directory server returns a status of LDAP_ADMINLIMIT_EXCEEDED. The look-through limit is a performance-related parameter that can be customized by the iPlanet LDAP administrator.

In the iPlanet Console, select the Configuration tab and expand the Data entry. Then select the Database Settings item and select the LDBM Plug-in Settings tab. In the Look-through Limit field, enter the maximum number of entries you want the server to check in response to a search request. The default look-through limit value is 5000. If you do not wish to set a limit, enter -1 in this field.

If you bind to the directory as the Directory Manager, the look-through limit is unlimited by default, and overrides any setting you specify in this field.

So in the following tests I use “cn=Directory Manager” to return all entries without modifying the iPlanet default setting:
# ldapsearch -x -D "cn=Directory Manager" -w hello123
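
A check for the truncation seen in 3.4 to 3.6, as an added example that is not part of the original report: it reads saved ldapsearch output, counts the entries and classifies the result trailer, so a listing cut off at the look-through limit is not mistaken for a full account inventory. It also recognises result codes 3 and 4 (time and size limit), which goes beyond the case above; the function name and the three sample outputs are constructed for the example and assume the usual OpenLDAP ldapsearch trailer layout.

```shell
#!/bin/bash
# Added example (not from the original report).

# ldapsearch_status: read ldapsearch output on stdin, print
#   "<entries> <result-code> <status>"
# and return 0 only when the server reported result code 0 (Success).
ldapsearch_status() {
    awk '
        /^dn::? /              { entries++ }   # "dn::" marks a base64-encoded DN
        /^# search result/     { trailer = 1 }
        trailer && /^result: / { code = $2; seen = 1 }
        END {
            if (!seen)           status = "NO_RESULT"    # output cut before the trailer
            else if (code == 0)  status = "COMPLETE"
            else if (code == 3)  status = "TRUNCATED_TIME_LIMIT"
            else if (code == 4)  status = "TRUNCATED_SIZE_LIMIT"
            else if (code == 11) status = "TRUNCATED_ADMIN_LIMIT"   # look-through limit
            else                 status = "ERROR"
            printf "%d %s %s\n", entries, (seen ? code : "-"), status
            exit (status == "COMPLETE" ? 0 : 1)
        }'
}

# Constructed sample: three entries standing in for the 5000 returned in 3.4.
# "Y249dGVzdA==" is base64 for "cn=test".
SAMPLE_ADMIN_LIMIT=$(cat <<'EOF'
# extended LDIF
dn: cn=claudio_1,ou=People,dc=plasmon,dc=sit
cn: claudio_1

dn: cn=claudio_2,ou=People,dc=plasmon,dc=sit
cn: claudio_2

dn:: Y249dGVzdA==
cn: test

# search result
search: 2
result: 11 Administrative limit exceeded

# numResponses: 4
# numEntries: 3
EOF
)

# Constructed sample: client or server size limit reached.
SAMPLE_SIZE_LIMIT=$(cat <<'EOF'
dn: cn=claudio_1,ou=People,dc=plasmon,dc=sit
cn: claudio_1

# search result
search: 2
result: 4 Size limit exceeded
EOF
)

# Constructed sample: complete answer.
SAMPLE_COMPLETE=$(cat <<'EOF'
dn: cn=rooney,ou=People,dc=plasmon,dc=sit
cn: rooney

dn: cn=luisfigo,ou=People,dc=plasmon,dc=sit
cn: luisfigo

# search result
search: 2
result: 0 Success
EOF
)

# Live use: -W prompts for the bind password instead of placing it on the
# command line as -w does:
#   ldapsearch -x -D "cn=Directory Manager" -W "(objectclass=*)" | ldapsearch_status
for sample in "$SAMPLE_ADMIN_LIMIT" "$SAMPLE_SIZE_LIMIT" "$SAMPLE_COMPLETE"; do
    printf '%s\n' "$sample" | ldapsearch_status ||
        echo "  -> listing is incomplete; do not treat it as the full set of accounts"
done
```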

4. Testing Process
By default, iPlanet Directory Server has created indexes on “sn”, “cn” and “objectclass”. No index is built for “uidNumber”. In this case, we focus on the response time for returned entries when the request is to query, sort and search.

4.1 Search with filter based on “objectclass”
4.1.1 ldapsearch result redirect
Testing script: 4_1_1
#!/bin/bash
# script name: 4_1_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)" > ldapsearch_4_1_$i
    echo "End: `date`"
    echo " "
    sleep 60
done
# end of script
The result:
15:43:21 – 15:43:30 9s
15:44:30 – 15:44:38 8s
15:45:38 – 15:45:47 9s
4.1.2 ldapsearch result standard output(screen)
Testing script: 4_1_2
#!/bin/bash
# script name: 4_1_2
# ldapsearch result standard output (screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)"
    echo "End: `date`"
    echo " "
    sleep 60
done
# end of script
The result:
16:29:28 - 16:31:02 94s
16:31:22 - 16:32:54 92s
16:33:14 - 16:34:42 88s
4.2 Search with filter based on "objectclass" and sort by uid
4.2.1 ldapsearch result redirect
Testing script: 4_2_1
#!/bin/bash
# script name: 4_2_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)" -S uid > ldapsearch_4_2_$i
    echo "End: `date`"
    echo " "
    sleep 60
done
# end of script
The result:
15:48:31 – 15:49:40 69s
15:50:40 – 15:51:50 70s
15:52:50 – 15:53:59 69s
4.2.2 ldapsearch result standard output(screen)
Testing script: 4_2_2
#!/bin/bash
# script name: 4_2_2
# ldapsearch result standard output (screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)" -S uid
    echo "End: `date`"
    echo " "
    sleep 20
done
# end of script
The result:
16:37:48 - 16:40:26 162s
16:40:46 - 16:43:24 158s
16:43:44 - 16:46:21 157s
4.3 Search with filter based on "objectclass" and "cn"
4.3.1 ldapsearch result redirect
Testing script: 4_3_1
#!/bin/bash
# script name: 4_3_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*))" > ldapsearch_4_3_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
16:22:06 – 16:22:15 9s
15:22:45 – 16:22:53 8s
16:23:23 – 16:23:32 9s
4.3.2 ldapsearch result standard output(screen)
Testing script: 4_3_2
#!/bin/bash
# script name: 4_3_2
# ldapsearch result standard output (screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*))"
    echo "End: `date`"
    echo " "
    sleep 60
done
# end of script
The result:
16:48:22 - 16:49:56 94s
16:50:16 - 16:51:48 92s
16:52:08 - 16:53:40 92s
4.4 Search with filter based on "objectclass" "cn" and sort by uid
4.4.1 ldapsearch result redirect
Testing script: 4_4_1
#!/bin/bash
# script name: 4_4_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*))" -S uid > ldapsearch_4_4_$i
    echo "End: `date`"
    echo " "
    sleep 60
done
# end of script
The result:
15:58:56 – 16:00:01 65s
16:01:01 – 16:02:06 65s
15:03:06 – 16:04:10 64s
4.4.2 ldapsearch result standard output(screen)
Testing script: 4_4_2
#!/bin/bash
# script name: 4_4_2
# ldapsearch result standard output (screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*))" -S uid
    echo "End: `date`"
    echo " "
    sleep 20
done
# end of script
The result:
16:55:56 - 16:58:35 159s
16:58:55 - 17:01:28 153s
17:01:48 - 17:04:22 154s
4.5 Search with filter based on "objectclass" "cn" "sn"
4.5.1 ldapsearch result redirect
Testing script: 4_5_1
#!/bin/bash
# script name: 4_5_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*)(sn=*))" > ldapsearch_4_5_$i
    echo "End: `date`"
    echo " "
    sleep 60
done
# end of script
The result:
16:17:22 – 16:17:30 8s
16:18:30 – 16:18:38 8s
16:19:38 – 16:19:47 9s
4.5.2 ldapsearch result standard output(screen)
Testing script: 4_5_2
#!/bin/bash
# script name: 4_5_2
# ldapsearch result standard output (screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*)(sn=*))"
    echo "End: `date`"
    echo " "
    sleep 20
done
# end of script
The result:
17:06:24 - 17:07:55 91s
17:08:15 - 17:09:48 93s
17:10:08 - 17:11:33 95s
4.6 Search with filter based on "objectclass" "cn" "sn" and sort by uid
4.6.1 ldapsearch result redirect
Testing script: 4_6_1
#!/bin/bash
# script name: 4_6_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*)(sn=*))" -S uid > ldapsearch_4_6_$i
    echo "End: `date`"
    echo " "
    sleep 60
done
# end of script
The result:
16:08:23 – 16:09:33 70s
16:10:33 – 16:11:41 68s
16:12:41 – 16:13:54 73s
4.6.2 ldapsearch result standard output(screen)
Testing script: 4_6_2
#!/bin/bash
# script name: 4_6_2
# ldapsearch result standard output (screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*)(sn=*))" -S uid
    echo "End: `date`"
    echo " "
    sleep 20
done
# end of script
The result:
17:13:17 - 17:16:13 176s
17:16:33 - 17:19:15 162s
17:19:35 - 17:22:30 175s

Now, in the iPlanet console, add a "uidNumber" index. Restart the LDAP service.

4.7 Search with filter based on "uidnumber"
4.7.1 ldapsearch result redirect
Testing script: 4_7_1
#!/bin/bash
# script name: 4_7_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(uidnumber=*)" > ldapsearch_4_7_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:17:32 – 18:17:38 6s
18:18:08 – 18:18:14 6s
18:18:44 – 18:18:51 7s
4.7.2 ldapsearch result standard output(screen)
Testing script: 4_7_2
#!/bin/bash
# script name: 4_7_2
# ldapsearch result standard output (screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(uidnumber=*)"
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:19:21 - 18:21:08 107s
18:21:38 - 18:23:36 118s
18:24:06 - 18:26:02 116s
4.8 Search with filter based on "uidnumber" and sort by uid
4.8.1 ldapsearch result redirect
Testing script: 4_8_1
#!/bin/bash
# script name: 4_8_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(uidnumber=*)" -S uid > ldapsearch_4_8_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:26:32 – 18:26:52 20s
18:27:22 – 18:27:43 21s
18:28:13 – 18:28:33 20s

4.8.2 ldapsearch result standard output(screen)
Testing script: 4_8_2
#!/bin/bash
# script name: 4_8_2
# ldapsearch result standard output (screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(uidnumber=*)" -S uid
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:29:03 - 18:31:16 133s
18:31:47 - 18:34:00 133s
18:34:30 - 18:36:44 134s
4.9 Search with filter based on "uidnumber" and "objectclass"
4.9.1 ldapsearch result redirect
Testing script: 4_9_1
#!/bin/bash
# script name: 4_9_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*))" > ldapsearch_4_9_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:37:14 – 18:37:21 7s
18:37:51 – 18:37:57 6s
18:38:27 – 18:38:34 7s
4.9.2 ldapsearch result standard output(screen)
Testing script: 4_9_2
#!/bin/bash
# script name: 4_9_2
# ldapsearch result standard output (screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*))"
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:39:04 - 18:41:01 117s
18:41:31 - 18:43:27 116s
18:43:57 - 18:45:55 118s
4.10 Search with filter based on "uidnumber" "objectclass" and sort by uid
4.10.1 ldapsearch result redirect
Testing script: 4_10_1
#!/bin/bash
# script name: 4_10_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*))" -S uid > ldapsearch_4_10_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:46:25 – 18:46:45 20s
18:47:15 – 18:47:35 20s
18:48:05 – 18:48:25 20s
4.10.2 ldapsearch result standard output(screen)
Testing script: 4_10_2
#!/bin/bash
# script name: 4_10_2
# ldapsearch result standard output (screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*))" -S uid
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:48:55 - 18:51:09 134s
18:51:39 - 18:53:51 132s
18:54:21 - 18:56:37 135s
4.11 Search with filter based on "uidnumber" "objectclass" "cn"
4.11.1 ldapsearch result redirect
Testing script: 4_11_1
#!/bin/bash
# script name: 4_11_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*)(cn=*))" > ldapsearch_4_11_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:57:07 – 18:57:13 6s
18:57:43 – 18:57:50 7s
18:58:20 – 18:58:27 7s

4.11.2 ldapsearch result standard output(screen)
Testing script: 4_11_2
#!/bin/bash
# script name: 4_11_2
# ldapsearch result standard output (screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*)(cn=*))"
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:58:57 - 19:00:54 117s
19:01:24 - 19:03:21 117s
19:03:51 - 19:05:47 116s
4.12 Search with filter based on "uidnumber" "objectclass" "cn" and sort by uid
4.12.1 ldapsearch result redirect
Testing script: 4_12_1
#!/bin/bash
# script name: 4_12_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*)(cn=*))" -S uid > ldapsearch_4_12_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
19:06:17 – 19:06:38 19s
19:07:08 – 19:07:28 20s
19:07:58 – 19:08:18 20s

4.12.2 ldapsearch result standard output(screen)
Testing script: 4_12_2
#!/bin/bash
# script name: 4_12_2
# ldapsearch result standard output (screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*)(cn=*))" -S uid
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
19:08:48 - 19:11:01 133s
19:11:31 - 19:13:45 134s
19:14:15 - 19:16:29 133s
4.13 Search with filter based on "objectclass" sort by "objectclass"
4.13.1 ldapsearch result redirect
Testing script: 4_13_1
#!/bin/bash
# script name: 4_13_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)" -S objectclass > ldapsearch_4_13_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
19:16:59 – 19:18:09 70s
19:18:39 – 19:19:50 71s
19:20:20 – 19:21:31 71s
4.13.2 ldapsearch result standard output(screen)
Testing script: 4_13_2
#!/bin/bash
# script name: 4_13_2
# ldapsearch result standard output (screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)" -S objectclass
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
19:22:01 - 19:25:59 238s
19:26:29 - 19:30:26 237s
19:30:56 - 19:34:53 237s

5. Data Analysis

Table 5-1 ldapsearch -x Filter
Filter               (objectclass=*)   (objectclass=*)(cn=*)   (objectclass=*)(cn=*)(sn=*)
--------------------------------------------------------------------------------------------
Time(Redirect)(s)    9                 9                       8
Time(stdio)(s)       90                92                      92

Table 5-2 ldapsearch -x Filter -S uid
Filter               (objectclass=*)   (objectclass=*)(cn=*)   (objectclass=*)(cn=*)(sn=*)
--------------------------------------------------------------------------------------------
Time(Redirect)(s)    70                65                      70
Time(stdio)(s)       162               154                     170

Note, the testing times of ldapsearch -x "(objectclass=*)" -S objectclass are: 70s and 238s

Table 5-3 ldapsearch -x Filter
Filter               (uidnumber=*)   (uidnumber=*)(objectclass=*)   (uidnumber=*)(objectclass=*)(cn=*)
--------------------------------------------------------------------------------------------------------
Time(Redirect)(s)    6               7                              6
Time(stdio)(s)       110             117                            117

Table 5-4 ldapsearch -x Filter -S uid
Filter               (uidnumber=*)   (uidnumber=*)(objectclass=*)   (uidnumber=*)(objectclass=*)(cn=*)
--------------------------------------------------------------------------------------------------------
Time(Redirect)(s)    20              20                             19
Time(stdio)(s)       133             133                            133

From Table 5-1 and Table 5-2, although iPlanet has built an index on “uid”, it still took longer to return results than without the sort operation. Comparing the returned time (Redirect) in Table 5-3 with Table 5-4, 20 is 3 times 6; comparing the returned time (Redirect) in Table 5-1 with Table 5-2, 70 is almost 8 times 9. I think this difference in ratios is caused by the number of returned entries. The tests in Table 5-1 and Table 5-2 returned about 20,000 entries, but the tests in Table 5-3 and Table 5-4 returned only about 10,000 items because some general users have no uidnumber. So the result is acceptable. From all the tables, we can see that the query time does not increase noticeably when there are multiple filters. It is worth looking at the times for “ldapsearch -x "(objectclass=*)" -S objectclass”: they are 70s and 238s. Compare them with the times for “ldapsearch -x "(objectclass=*)" -S uid” listed in Table 5-2, 70s and 162s. The time (Redirect) is the same, but here 238 is much bigger than 162. I have no reasonable explanation for this yet, and I’m still researching it.

Category: Technology Tags:

Basic stability and Language compatibility testing on LDAP

September 17, 2006 No comments

Basic stability and Language compatibility testing on LDAP
Written by Phillip Huang

Index
– Target
– Testing Environment
– Testing Process
– Testing Result
– Following up
– Summary

1. Target
Test the stability of the LDAP service when creating a large number of users. Clarify the usage of the “getent passwd” and “ldapsearch -x” commands. Test whether the LDAP service supports the Chinese character set or not.

2. Testing Environment
Machines/Software:
192.168.123.21: LDAP service (port: 390) running on ‘iplanet’; the operating system is Windows 2000 Advanced Server (Service Pack 4).
192.168.123.22: PC, with CentOS 4.3 (full installation).
192.168.123.62: SNAZ OS 4
Network Environment: LAN (10Mbps)

3. Testing process.

3.1 Preprocessing
In machine ‘192.168.123.22’, log on as ‘root’. Install ‘smbldap-tools’ (referring to the smbldap tools How-to Manual). Then create a shell script ‘ldaptest’ with the following text:
#!/bin/bash
# script name: ldaptest
echo "Start: `date`"
for ((i=1;i<=10000;i++))
do
    /usr/local/sbin/smbldap-useradd -m "testuser$i"
done
echo "End: `date`"
Here, set the script’s execute permission:
# chmod 777 ldaptest
In machine ‘192.168.123.62’, log in as ‘root’, and modify ‘/etc/openldap/ldap.conf’ to the following text:
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
BASE dc=plasmon, dc=com
#HOST 192.168.123.8
#HOST 192.168.123.21
uri ldap://192.168.123.21:390

3.2 Create user with Chinese character set
There are two ways to create users: the ‘smbldap-useradd’ command and the iplanet console.
For smbldap-tools, log on to ‘192.168.123.22’ as root and type ‘#smbldap-useradd Chineseusername’, entering Chinese characters in the Chineseusername position. Then press ‘enter’ to issue the command. Watch the returned message. No message means the operation completed successfully. Any other information means failure. (You can also get the status by issuing “echo $?”.)
On the LDAP server located at ‘192.168.123.21’, open the iplanet console and go to the ‘users and groups’ table. Add new users, and fill in the user profile table with Chinese characters as far as possible, with special focus on the ‘uid’ and ‘user name’ items.

3.3 Create a large number of users
In machine ‘192.168.123.22’, log in as ‘root’ and first run the ‘./ldaptest’ script.
In machine ‘192.168.123.62’, log in as ‘root’ and issue ‘getent passwd’ and ‘ldapsearch -x’ on the command line to view the users added to the LDAP database.
For double checking, in machine ‘192.168.123.21’, which holds the LDAP service and database, open the ‘iplanet’ console and list all users returned from a query.

3.4 End working
When the ‘ldaptest’ script has finished, record the ‘Start’ and ‘End’ time information. Keep watching the ‘getent passwd’ result, and compare it with what iplanet shows.

4. Testing Result
At the beginning, the ‘ldaptest’ script worked well, and the added users could be viewed in the ‘getent passwd’ result. In ‘192.168.123.62’, I also issued ‘getent passwd | wc -l’; the number of lines increased as expected.
After about 30 minutes, the machine ‘192.168.123.22’ running the "ldaptest" script got warning messages:
Cannot confirm uidnumber is free at /usr/local/sbin//smbldaptools.pm line 1062
No user could be inserted now. In machine ‘192.168.123.62’, ‘getent passwd’ only showed the first 2030 items. The rest of the added users were not listed and seemed to be ‘lost’. But I could get those users’ information by issuing ‘getent passwd testuser’. For example, this proved that ‘testuser4600’ existed:
# getent passwd testuser4600
This command returned the ‘testuser4600’ entry from the LDAP database.
Running the ‘ldapsearch -x’ command on ‘192.168.123.62’, the result did not contain all the user entries and it showed the warning message:
# search result
search: 2
result: 4 size limit exceeded
In "192.168.123.21", the iplanet console would show more users (about 4500), but not all. E.g., a user like ‘testuser4800’ could be searched for and its profile returned, but it was not displayed in the iplanet user list.
In order to determine how many users had been created, I just guessed by issuing the following commands on ‘192.168.123.62’:
# getent passwd testuser10000
If no result was returned, I continued with:
# getent passwd testuser5000
If ‘testuser5000’ existed, I tried the middle number between 5000 and 10000, and so on. If ‘testuser5000’ did not exist, I used a number less than 5000 and repeated the loop until the chosen number had a corresponding ‘testuser’ entry. Finally, I found the count was 4820. It means "ldaptest" had already created 4820 users.
I stopped "ldaptest" and just executed:
# smbldap-useradd newtestuser
It failed with the same warning message that the ‘ldaptest’ script got earlier.
Then, I specified the ‘uid’ and tried again:
# smbldap-useradd -u 20000 -a newtestuser
This operation still failed to add ‘newtestuser’; smbldap tools indicated it could not confirm the uidnumber is free.
Later, I used a reversed loop script with "smbldap-userdel testuser$i" to delete all users whose name begins with ‘testuser’. In the first 15 minutes, ‘getent passwd’ showed the remaining ‘testuser$i’ users, and the returned lines always held at 2030. After 15 minutes, the "getent passwd | wc -l" result began to decrease, and finally all "testuser$i" users were deleted. Now, I could add users again without smbldap tools warning messages.
Then I repeated the whole test again, and the second result was the same as the first one. Only 4820 users could be inserted into the iplanet LDAP database. It’s a limitation.
In the other testing project, both smbldap tools and iplanet could accept Chinese characters in the user profile settings except for uid and email. If a Chinese uid was set, there was the following error message:
The value is not 7-bit clean.
Constraint violation
Later, I deleted the ‘uid’ restriction from the iplanet ‘7-bit clean’ rules; Chinese could then be entered as uid, and it was also found when querying by the Chinese string in iplanet. Smbldap tools did not support a Chinese uid issued in command line mode, and the inserted Chinese uid user could not be returned during a query.

5. Following up
In order to display all users in ‘getent passwd’, in machine ‘192.168.123.21’ I modified ‘c:\iplanet\servers\slapd-plz/config/des.ldif’ and changed the nssizelimit value to ‘-1’ (the default nssizelimit is ‘2000’; ‘-1’ means no limit). Then I restarted the iplanet service; more users were listed but not all. This did not affect the ‘getent passwd’ returned result; it still held at 2030 without changing.
The third tool, LAT, connected to the ‘192.168.123.21’ LDAP service, would only display 1000 accounts as its maximum (Loren is fixing this issue, and today sent me a new patch). Searching for added users such as "testuser4820" and "testuser4800", which were not listed in LAT, both could be found and their profiles returned.
While I was still researching, the LDAP server ‘192.168.123.21’ crashed and all the data was lost. We had to format the hard disk and install a new OS. Testing is also halted.
Since iplanet has these issues and I have to wait for its reinstallation, I plan to test another LDAP server (OpenLDAP) in the coming days, focusing on the maximum user count.

6. Summary
The iplanet LDAP server seems to have a limitation on user count. This issue is waiting to be confirmed in the follow-up testing.
‘getent passwd’ and ‘ldapsearch -x’ could not display all users; only a part of the users was returned.
In iplanet, Chinese could not be used as ‘uid’ until the ‘7-bit clean’ rules were modified. Smbldap tools do not accept Chinese characters as ‘uid’ at all.
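
The halving search described in section 4, written out as an added example (not code from the original report): it finds the highest existing testuserN with single-name lookups, which kept working when enumeration stopped at 2030 lines, and reports how many accounts the enumeration hides. The function names, and the fake_exists and fake_list stand-ins with their data, are constructed here so the block runs without a directory server; it assumes the accounts were created in order with no gaps, as the ldaptest loop does.

```shell
#!/bin/bash
# Added example (not from the original report).

# Default probes against the real name service.
user_exists() { getent passwd "$1" >/dev/null 2>&1; }   # one targeted lookup
list_users()  { getent passwd; }                        # full enumeration

# highest_existing PREFIX MAX [PROBE]
# Binary search for the largest n in 0..MAX such that PREFIX<n> exists.
# Prints "<n> <number of lookups used>".
highest_existing() {
    local prefix=$1 lo=0 hi=$2 probe=${3:-user_exists} probes=0 mid
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))      # round up so the range always shrinks
        probes=$((probes + 1))
        if "$probe" "$prefix$mid"; then
            lo=$mid                       # PREFIX<mid> exists: answer is >= mid
        else
            hi=$((mid - 1))               # missing: answer is below mid
        fi
    done
    echo "$lo $probes"
}

# enumerated_count PREFIX [LISTER]
# Number of PREFIX<digits> accounts present in the passwd-format listing.
enumerated_count() {
    "${2:-list_users}" | awk -F: -v p="$1" '
        index($1, p) == 1 && substr($1, length(p) + 1) ~ /^[0-9]+$/ { n++ }
        END { printf "%d\n", n }'
}

# hidden_accounts PREFIX MAX [PROBE] [LISTER]
# Accounts that exist by lookup but are missing from the enumeration.
hidden_accounts() {
    local found listed
    found=$(highest_existing "$1" "$2" "${3:-user_exists}")
    listed=$(enumerated_count "$1" "${4:-list_users}")
    echo $(( ${found%% *} - listed ))
}

# Constructed stand-ins reproducing the numbers in the report:
# 4820 accounts exist, but enumeration returns only the first 2030.
fake_exists() { local n=${1#testuser}; [ "$n" -le 4820 ]; }
fake_list() {
    awk 'BEGIN { for (i = 1; i <= 2030; i++)
        printf "testuser%d:x:%d:513::/home/testuser%d:/bin/bash\n", i, 1000 + i, i }'
}

echo "highest existing and lookups: $(highest_existing testuser 10000 fake_exists)"
echo "listed by enumeration:        $(enumerated_count testuser fake_list)"
echo "hidden from enumeration:      $(hidden_accounts testuser 10000 fake_exists fake_list)"
```

On a live client, omit the last two arguments so that the getent-based probes are used.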

Category: Technology Tags:

OpenLDAP Installation

September 17, 2006 No comments

It took me about a week to research the OpenLDAP+SSL installation. The troubles I met were mostly with OpenSSL and Berkeley DB configuration. Here I write down the steps I used to install them successfully.

Testing Operating System: CentOS 3.5 (On Virtual Machine)
Virtual Machine setting: P3/256M/6G/Bridge Network
Basic Operating System: CentOS 4.3(Final)
Hardware: P4 1.7GHz/DDR266 512M/80G IDE

1. Install openSSL
Download the latest version “openssl-0.9.8c.tar.gz” from www.openssl.org/source. Check the former openssl which has been installed in the system, by issuing the following commands:
# rpm -qa | grep openssl
As the result, it showed openssl-0.9.7a and openssl-devel-0.9.7a. I tried to remove these two packages by “rpm -e”, but then the two have so many packages depending and I could not done the delete operation. Then I downloaded the rpm packages:0.9.8c.rpm and devel-0.9.8c and tired to update : rpm -Uvh *.rpm, it also failed. Note, the openssl-develop package must be installed, or in OpenLDAP installation would have errors. Finally, I decided to use and complie the source package like “.tar.gz”. This source code has already included the development packages as openssl website indicates.

Unzip the tarball package and go to its directory:
# tar zxvf openssl-0.9.8c.tar.gz
# cd openssl-0.9.8c
Here, I set the “--prefix” parameter to “/usr/local/newssl”; if this parameter is not set, “/usr/local” is used as the default. The most important thing to pay attention to is that the “shared” parameter must be added to the configure command. “shared” means that shared libraries are created in addition to the usual static libraries. If “shared” is not set, the OpenLDAP installation will fail.
# ./config --prefix=/usr/local/newssl shared
Guess on system mode by issuing:
# ./config -t
Begin to build:
# make depend
# make
# make test
# make install
Create links as following:
# cd /usr/local/newssl/lib
# ln -s libcrypto.so libcrypto.so.2
# ln -s libssl.so.0.9.8c libssl.so.c
Update the library:
# echo /usr/local/newssl/lib >> /etc/ld.so.conf
# ldconfig -v
Update the PATH:
# vi /root/.bash_profile
PATH=/usr/local/newssl/bin:$PATH:…
Note, here “/usr/local/newssl” could be added in the first position.
Check SSL installation:
# which openssl
If successful, it will show “/usr/local/newssl/bin/openssl”
# openssl version
If successful, it will show “0.9.8c”.

2. Install Berkeley DB 4.3
Download the source code, unzip and compile:
# tar zxvf BerkeleyDB.4.3.tar.gz
# cd BerkeleyDB.4.3/build_unix
# ../dist/configure
By default, Berkeley DB will be installed in the “/usr/local” directory.
# make && make install
The most important step at this stage is to replace the former Berkeley DB version 4.1 that is already installed in the OS. If this step is skipped, the OpenLDAP installation fails with “Berkeley DB version mismatch”.
# cd /usr/lib
Remove all items named “libdb4.1”, and copy all the 4.3 libraries in “/usr/local/BerkeleyDB.4.3/lib” to “/usr/libdb4.1”. OK, everything about Berkeley DB has now been configured successfully.

3. Install OpenLDAP
Download the source code from www.openldap.org, the version I used is 2.3.29.
Unzip the package:
# tar zxvf openldap-2.3.29.tar.gz
Before “configure”, the environment must be set correctly: “CPPFLAGS” gives the location of the OpenSSL and Berkeley DB include directories, and “LDFLAGS” gives the location of the OpenSSL and Berkeley DB library directories.
# env CPPFLAGS="-I/usr/local/newssl/include -I/usr/local/BerkeleyDB.4.3/include" LDFLAGS="-L/usr/local/newssl/lib -L/usr/local/BerkeleyDB.4.3/lib" ./configure --with-tls
If all the above steps were done correctly, the configure process will create the makefiles without errors.
# make
# make install

Finally, run “/usr/local/libexec/slapd” on the command line to check whether the installation has completed. If slapd runs well, the installation was successful.
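
A post-install check for the procedure above, as an added example rather than part of the original post: it reads `ldd` output for the built slapd and reports whether libssl, libcrypto and libdb resolve from the new prefixes or from the system copies this build was meant to avoid. The function names, output labels and sample `ldd` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `ldd` output on stdin and
# checks that libssl/libcrypto and libdb resolve under the expected directories.
# usage: ldd /usr/local/libexec/slapd | audit_linkage SSL_LIBDIR DB_LIBDIR
audit_linkage() {
    awk -v ssl="$1" -v db="$2" '
        BEGIN { sub(/\/+$/, "", ssl); sub(/\/+$/, "", db) }
        {
            want = ""
            if ($1 ~ /^lib(ssl|crypto)\.so/)    want = ssl
            else if ($1 ~ /^libdb[-0-9.]*\.so/) want = db
            if (want == "") next            # not a library this build replaced
            n++
            if ($3 == "not") {              # "libX.so => not found"
                print "MISSING " $1; bad++; next
            }
            if (index($3, want "/") == 1) print "OK " $1 " " $3
            else { print "UNEXPECTED " $1 " " $3; bad++ }
        }
        END {
            # Nothing seen usually means static linking, i.e. "shared" was not used.
            if (n == 0) { print "NONE no libssl/libcrypto/libdb dependency"; exit 2 }
            exit (bad > 0)
        }'
}

# Constructed ldd output: libcrypto still resolves to a system copy in /lib.
sample_ldd() {
    cat <<'EOF'
	libssl.so.0.9.8 => /usr/local/newssl/lib/libssl.so.0.9.8 (0x00a10000)
	libcrypto.so.4 => /lib/libcrypto.so.4 (0x00b20000)
	libdb-4.3.so => /usr/local/BerkeleyDB.4.3/lib/libdb-4.3.so (0x00c30000)
	libc.so.6 => /lib/tls/libc.so.6 (0x00d40000)
EOF
}

sample_ldd | audit_linkage /usr/local/newssl/lib /usr/local/BerkeleyDB.4.3/lib ||
    echo "linkage audit failed: rebuild or fix the library search path"
```

An exit status of 1 means at least one of the three libraries is missing or loaded from an unexpected directory; 2 means none of them appears as a shared dependency at all.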

Category: Technology Tags:

Saturday

September 16, 2006 No comments

Today is Saturday. I’ve been in Zhuhai for about 1.5 months. Through the hard days at the beginning, I put all my heart into Linux development. It’s a really interesting and charming world. How happy I was when I installed iPlanet, created a large number of users by ldif, and exported and imported entries again and again; sometimes I also felt very tired, and even wanted to give up. But I decided to keep on fixing all the issues, and then I got it! I cannot describe the feeling of finding the right way after many tests. It’s really life, really researching. None of my earlier days in Shenzhen gave me that feeling. Robert, the father of the weatherman, said that the hard things are always the right things.

I’ll write some articles about latest two weeks experience. It’s very important.

Category: Technology Tags:

Two days researching on iplanet/LDAP/LDIF

September 10, 2006 No comments

Saturday, Sunday, install and configure iplanet successfully, and create large number of users by LDIF database.

Putting all my heart into researching is a fun thing.

Category: Technology Tags:

LAT-LDAP Administrator Tool

September 3, 2006 No comments

LAT stands for LDAP Administration Tool. The tool allows you to browse LDAP-based directories and add/edit/delete entries contained within. It can store profiles for quick access to different servers. There are also different views available such as Users, Groups and Hosts which allow you to easily manage objects without having to deal with the intricacies of LDAP.

The latest stable release of LAT is 1.0.6 which was released on June 30th, 2006. The latest development release of LAT is 1.1.6 which was released on August 28, 2006.

Issue: SambaLMPassword and SambaNTPassword are not encrypted:

Opened: 2006-09-01 02:39 CDT Phillip Huang
Hi, I am using LAT 1.0.6 on CentOS4.3. LAT is really a useful tool for LDAP administration. Today I added some SMB attributes to a user, and tried to change this account’s SambaLMPassword and SambaNTPassword, both of which seem to have been encrypted. In the path “Browser-User-Phillip”, I modified these two passwords to the string “testpassword” and pressed “Apply”, and then I found in the right frame that both “SambaLMPassword” and “SambaNTPassword” were shown as “testpassword” without encryption!

Absolutely, I could not use this samba account to access SMB shares through LDAP certification. Hmmm, and I tried to copy another certified user’s encrypted password string instead of “testpassword”, and yes, I could access the smb share afterwards.
Lorenb, would you please tell me how to modify the SMB password in LAT directly? Many thanks.

From Loren Bandiera 2006-09-01 07:58 CD
You can’t use the browser portion to set passwords in 1.0. That has been fixed in 1.1 branch (it will eventually be v1.2).
You can however use the User view. If you go to Views -> Users, you can do one of the following:

a) Right click on Phillip and select “Change password”
b) Double click on Phillip, select the ‘Account’ tab, and click on the ‘Set password’ button.

That will set the Unix and SAMBA passwords. Let me know if that works for you.

From Phillip Huang 2006-09-02 21:03 CDT
Hello, Loren, thanks for your concern. I just tried following your guide. The first operation, right click on Phillip and select “Change password”, is OK, and I am a little confused about which option I should take: Crypt, MD5 or SHA? It seems the “SHA” option is the default setting.

Then the second step, when double click, the LAT crashed, there are error messages like the following text:

[root@localhost ~]# lat
(lat:2898): Gtk-WARNING **: Mixing deprecated and non-deprecated GtkToolbar API is not allowed
(lat:2898): Gtk-WARNING **: Mixing deprecated and non-deprecated GtkToolbar API is not allowed
(lat:2898): Gtk-WARNING **: Mixing deprecated and non-deprecated GtkToolbar API is not allowed
(lat:2898): Gtk-WARNING **: Mixing deprecated and non-deprecated GtkToolbar API is not allowed
(lat:2898): Gtk-WARNING **: Mixing deprecated and non-deprecated GtkToolbar API is not allowed
Unhandled Exception: System.ArgumentException: Key duplication when adding: 515
in <0x001f2> System.Collections.Hashtable:PutImpl (System.Object key,System.Object value, Boolean overwrite)
in <0x00012> System.Collections.Hashtable:Add (System.Object key, System.Object value)
in <0x00291> lat.EditUserViewDialog:getGroups (Novell.Directory.Ldap.LdapEntryle)
in <0x000b6> lat.EditUserViewDialog:.ctor (lat.LdapServer ldapServer,Novell.Directory.Ldap.LdapEntry le)
in <0x0006f> lat.ViewDialogFactory:Create (System.String name, lat.LdapServer server, Novell.Directory.Ldap.LdapEntry le)
in <0x00038> lat.ServerView:OnRowActivated (System.Object o,Gtk.RowActivatedArgs args)
in (wrapper delegate-invoke)
System.MulticastDelegate:invoke_void_object_RowActivatedArgs (object,Gtk.RowActivatedArgs)
in <0x001a1> Gtk.TreeView:RowActivatedSignalCallback (IntPtr arg0, IntPtr arg1,IntPtr arg2, IntPtr gch)
in (wrapper native-to-managed) Gtk.TreeView:RowActivatedSignalCallback (intptr,intptr,intptr,intptr)
in <0x00000>
in (wrapper managed-to-native) Gtk.Application:gtk_main ()
in <0x00007> Gtk.Application:Run ()
in <0x00007> Gnome.Program:Run ()
in <0x00238> LdapAdministrationTool:Main (System.String[] args

Oh, my LAT is 1.0.6, which is the stable version. I downloaded the latest version 1.1.6 (rpm) and tried to install this package, and it warns me:
[root@localhost temp]# rpm -ivh lat-1.1.6-1.noarch.rpm
error: Failed dependencies:
avahi-sharp is needed by lat-1.1.6-1.noarch
dbus-sharp is needed by lat-1.1.6-1.noarch
Would you please give me more advice to resolve my trouble? Thanks and regards.
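
The symptom reported in this thread (a literal string stored in the hash attributes) can be found across a directory export with a check like the following, an added example that is not part of the bug thread or of LAT. It assumes that a valid sambaLMPassword or sambaNTPassword value is exactly 32 hexadecimal digits and flags everything else; the function names and the sample LDIF (example.com entries, hash digits) are constructed.

```shell
#!/bin/sh
# Added example, not from the bug thread. Reads LDIF on stdin (for instance
# the output of an `ldapsearch -x` export) and lists entries whose Samba
# password attributes do not look like hashes.
audit_samba_hashes() {
    awk '
        /^dn:/ { dn = $0; sub(/^dn::?[ ]*/, "", dn); next }
        tolower($0) ~ /^samba(nt|lm)password:/ {
            name = $1; sub(/:+$/, "", name)
            if ($1 ~ /::$/) {
                # Base64-encoded value: a plain hex hash never needs encoding.
                print "ENCODED\t" dn "\t" name; bad++; next
            }
            # Assumption: a valid value is exactly 32 hexadecimal digits.
            if (NF == 2 && length($2) == 32 && $2 ~ /^[0-9A-Fa-f]+$/) next
            # The value is deliberately not printed: it may be a cleartext password.
            print "NOT-A-HASH\t" dn "\t" name; bad++
        }
        END { exit (bad > 0) }'
}

# Constructed LDIF: one entry with hash-shaped values, one showing the
# "testpassword" symptom described in the report.
sample_ldif() {
    cat <<'EOF'
dn: uid=gooduser,ou=People,dc=example,dc=com
uid: gooduser
sambaLMPassword: 0123456789ABCDEF0123456789ABCDEF
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=phillip,ou=People,dc=example,dc=com
uid: phillip
sambaLMPassword: testpassword
sambaNTPassword: testpassword
EOF
}

sample_ldif | audit_samba_hashes ||
    echo "entries listed above need their Samba password set again"
```

Any entry this reports holds a value that Samba cannot authenticate against and that may expose the password to anyone able to read the attribute, so the password should be reset through a tool that writes the hashes.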

Category: Technology Tags:

Read more books

September 1, 2006 No comments

Today is the 34th day since I came to Zhuhai. It is a quiet city; I love the blue sky and clear air. Here are my new friends: Charles, Steven, Bruce, Sam, Hans, More, Red, Mike, and two girls, Spring and Vicky.

No time could be wasted. Read more books.

Category: Technology Tags:

SCSI and IDE(hardware cache)

August 28, 2006 No comments

Hard drives always have a cache to buffer data. The cache is much faster than both the hard drive and the host bus, so it is impossible to form a continuous transfer stream on the host bus, because the cache acts as an intermediate stop between the hard drive and the host bus. I think the following example shows this more clearly.

Just imagine that, in an operating system, data is copied from hard drive “A” to hard drive “B”.

SCSI: because the cache is the faster device, it always has to wait for the hard disk to fill it. When the cache is full, A sends all the data in the cache to the host; at this time the cache is receiving data again, and the host sends the data to B through the host bus. This saves time and greatly increases the transfer rate.

IDE: A holds the channel alone until it has written all its data to host memory, even if another path is free while A’s cache is filling. This mode wastes a large amount of machine time and has a low transfer rate.

Absolutely, SCSI is more powerful than IDE.

Category: Technology Tags: