Archive

Archive for the ‘Technology’ category

Repair the SNAZ

September 23, 2006

Sometimes the SNAZ crashes under heavy testing or overload, and we need to repair it online.

1. Log on to the target machine as admin and switch to root.
2. # portmap
3. # mount 192.168.123.3:/builds /mnt
4. # cp /mnt/4.02/S4.02.17/vmlinuz /boot
5. # cp /mnt/4.02/S4.02.17/initrd_loop /boot
6. # cp /mnt/4.02/S4.02.17/rootfs.zbd /boot
7. # lilo -C /boot/lilo.conf
8. # clean-slate –force SYSTEM
In this step, answer “yes” to confirm that all data on the hard disk will be erased.
9. # shutdown -r now

When the system restarts, it will run the former stable version 4.02.17. Use the corresponding ISO to update the system to the version you want. I think this approach gives me some ideas on how to repair other Linux crashes. Verify /boot and make sure it works.


Configure OpenLDAP and OpenSSL

September 19, 2006

Run “/usr/local/libexec/slapd” to start the OpenLDAP service. In this article, I’ll configure this OpenLDAP service with OpenSSL (self-signed certificate). All the steps, including the failures, are written down here.

First, edit “/usr/local/etc/openldap/slapd.conf”. Note that the samba schema is not included by default; I copied samba.schema from /Chengdu/build/smb/example/ldap/samba.schema. The schema items must be added in the following order, or slapd will fail when it runs: core, cosine, inetorgperson, misc, openldap, nis, smb.
The following lines are also added to slapd.conf:
database bdb
suffix dc=plasmon,dc=sit
rootdn "cn=root,dc=plasmon,dc=sit"
# root's password
rootpw hello123
directory /usr/local/var/openldap.dat

I added “/usr/local/libexec” to the path in .bash_profile, then ran slapd directly as “slapd” on the command line. Check the LDAP port; 192.168.123.33 is my OpenLDAP server.
# nmap 192.168.123.33
or # netstat -ant | grep 389
Port 389 is the default LDAP port. To check whether the server is running and configured correctly, issue the following command:
# ldapsearch -x -b "" -s base '(objectclass=*)' namingContexts
If the configuration is correct, it shows:
dn:
namingContexts: dc=plasmon,dc=sit
Yes, OpenLDAP works well, and as the next step I will add entries with LAT and LDIF. Here, I only want to show how to add an “ou”. Create a file named “ou.ldif”:
dn: ou=People,dc=plasmon,dc=sit
ObjectClass: top
ObjectClass: organizationalUnit
ou: People
description: User info
Note that lines in LDIF files must not end with a space. Hmm, now I see why I failed to import those LDIF files into iPlanet earlier. Save “ou.ldif” and import it into OpenLDAP with LAT, or by issuing the following on “192.168.123.33”:
# ldapadd -x -D "cn=root,dc=plasmon,dc=sit" -w hello123 -f ou.ldif
As the result, ou=People was added to OpenLDAP.
————————–
More attention here! Can this add-ou operation be done successfully as described above? The answer is no. On Sep 22, I reinstalled OpenLDAP on another machine and found this issue. The resolution is to add “dc=plasmon,dc=sit” first, as follows:
dn: dc=plasmon, dc=sit
objectclass: dcObject
objectclass: organization
o: Example Company
dc: plasmon
Save the file as “begin.ldif”, and then issue:
# ldapadd -x -D "cn=root,dc=plasmon,dc=sit" -w hello123 -f begin.ldif
The “dc=plasmon,dc=sit” root entry is created, and then the ou can be added.
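
Both import failures described above (a space at the end of an LDIF line, and adding ou=People before dc=plasmon,dc=sit exists) can be caught before running ldapadd. The lint below is an added example, not part of the original post; the function names, the SUFFIX and EXISTING_DN arguments and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post).
# ldif_lint FILE SUFFIX [EXISTING_DN ...]
#   FILE         LDIF file that will be given to ldapadd
#   SUFFIX       database suffix from slapd.conf; its entry needs no parent
#   EXISTING_DN  entries already present on the server (assumed known)
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# Limitation: folded lines and base64 ("dn::") DNs are not decoded.
ldif_lint() {
    file=$1
    suffix=$2
    shift 2
    known=""
    for dn in "$@"; do known="$known;$dn"; done
    SUFFIX="$suffix" KNOWN="$known" awk '
    # Normalise a DN for comparison: lower case, no blanks around commas.
    function norm(dn) {
        dn = tolower(dn)
        gsub(/[ \t]*,[ \t]*/, ",", dn)
        gsub(/^[ \t]+|[ \t]+$/, "", dn)
        return dn
    }
    BEGIN {
        suffix = norm(ENVIRON["SUFFIX"])
        n = split(ENVIRON["KNOWN"], k, ";")
        for (i = 1; i <= n; i++) if (k[i] != "") present[norm(k[i])] = 1
    }
    # Failure 1: blanks at the end of any line.
    /[ \t]+$/ {
        printf "line %d: trailing whitespace\n", NR
        bad = 1
    }
    # Failure 2: the parent of a new entry must already exist.
    tolower($0) ~ /^dn:/ {
        dn = $0
        sub(/^[^:]*:/, "", dn)
        dn = norm(dn)
        c = index(dn, ",")
        parent = (c > 0) ? substr(dn, c + 1) : ""
        if (dn != suffix && !(parent in present)) {
            printf "line %d: parent \"%s\" of \"%s\" does not exist yet\n", NR, parent, dn
            bad = 1
        }
        present[dn] = 1
    }
    END { exit bad + 0 }
    ' "$file"
}

# Constructed samples based on the LDIF shown in the post.
write_ldif_samples() {
    dir=$1
    # ou.ldif alone, with a trailing space added on the "ou:" line.
    printf '%s\n' \
        'dn: ou=People,dc=plasmon,dc=sit' \
        'objectClass: top' \
        'objectClass: organizationalUnit' \
        'ou: People ' \
        'description: User info' > "$dir/ou.ldif"
    # begin.ldif followed by a clean ou entry.
    printf '%s\n' \
        'dn: dc=plasmon, dc=sit' \
        'objectclass: dcObject' \
        'objectclass: organization' \
        'o: Example Company' \
        'dc: plasmon' \
        '' \
        'dn: ou=People,dc=plasmon,dc=sit' \
        'objectClass: top' \
        'objectClass: organizationalUnit' \
        'ou: People' > "$dir/all.ldif"
}

ldif_lint_demo() {
    tmp=$(mktemp -d) || return 1
    write_ldif_samples "$tmp"
    echo "== ou.ldif against an empty database =="
    ldif_lint "$tmp/ou.ldif" 'dc=plasmon,dc=sit' || true
    echo "== suffix entry first, then the ou =="
    ldif_lint "$tmp/all.ldif" 'dc=plasmon,dc=sit' && echo "clean"
    rm -rf "$tmp"
}

ldif_lint_demo
```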

Configure OpenSSL.
First, we need to create the server.pem file.
# openssl req -x509 -newkey rsa:1024 -nodes -keyout server.pem -out server.pem
Be very careful when setting the Common Name here! It must be the server’s FQDN (fully qualified domain name). Running “hostname” returns the FQDN; for example, on “192.168.123.33” it is “localhost.localdomain”. I tried to set another hostname by issuing “hostname plasmon.sit”, but this new hostname is only used in the current session. If the system restarts, the hostname returns to its original name “localhost.localdomain”. Steven said the hostname could be modified permanently in “/etc/host” so that it survives a reboot; I have not tested this way. So I still set the Common Name to “localhost.localdomain”. Then the certificate file “server.pem” was created, and I added the related settings to “slapd.conf” following its hints.

Restart the system, and run:
# slapd -h "ldaps://:636"
As above, use netstat and nmap to check whether port 636 is open.
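
A check for the slapd.conf built up in this post, as an added example that is not the author's code: it flags a cleartext rootpw, a configuration file that every local user can read, and missing TLSCertificateFile or TLSCertificateKeyFile directives. The function names, the sample files, the placeholder hash and the certificate path are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post).
# audit_slapd_conf FILE
# Prints one finding per line; returns 0 when nothing is found, 1 otherwise.
audit_slapd_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    rc=0
    # slapd.conf carries the rootdn credential, so it should not be
    # readable by every local user.
    if [ -n "$(find "$conf" -perm -004 2>/dev/null)" ]; then
        echo "$conf: readable by all users"
        rc=1
    fi
    awk '
    /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
    { key = tolower($1) }               # compare directive names without regard to case
    # A hashed rootpw starts with a scheme such as {SSHA}.
    key == "rootpw" && (substr($2, 1, 1) != "{" || toupper(substr($2, 1, 11)) == "{CLEARTEXT}") {
        printf "line %d: rootpw is cleartext, store a slappasswd hash instead\n", NR
        bad = 1
    }
    key == "tlscertificatefile"    { cert = 1 }
    key == "tlscertificatekeyfile" { pkey = 1 }
    END {
        if (!cert) { print "no TLSCertificateFile: slapd has no certificate for ldaps://"; bad = 1 }
        if (!pkey) { print "no TLSCertificateKeyFile: slapd has no private key for ldaps://"; bad = 1 }
        exit bad + 0
    }' "$conf" || rc=1
    return $rc
}

write_slapd_samples() {
    dir=$1
    # Constructed sample: the directives shown in the post.
    printf '%s\n' \
        'database bdb' \
        'suffix dc=plasmon,dc=sit' \
        'rootdn "cn=root,dc=plasmon,dc=sit"' \
        'rootpw hello123' \
        'directory /usr/local/var/openldap.dat' > "$dir/weak.conf"
    chmod 644 "$dir/weak.conf"
    # Constructed corrected form. The hash is a placeholder for slappasswd
    # output and the certificate path is an assumption.
    printf '%s\n' \
        'TLSCertificateFile /usr/local/etc/openldap/server.pem' \
        'TLSCertificateKeyFile /usr/local/etc/openldap/server.pem' \
        'database bdb' \
        'suffix dc=plasmon,dc=sit' \
        'rootdn "cn=root,dc=plasmon,dc=sit"' \
        'rootpw {SSHA}PLACEHOLDER_SLAPPASSWD_OUTPUT' \
        'directory /usr/local/var/openldap.dat' > "$dir/fixed.conf"
    chmod 600 "$dir/fixed.conf"
}

audit_slapd_demo() {
    tmp=$(mktemp -d) || return 1
    write_slapd_samples "$tmp"
    echo "== configuration as in the post =="
    audit_slapd_conf "$tmp/weak.conf" || true
    echo "== corrected configuration =="
    audit_slapd_conf "$tmp/fixed.conf" && echo "no findings"
    rm -rf "$tmp"
}

audit_slapd_demo
```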

On the client machine, configure the following files in order to access OpenLDAP:
1. /etc/ldap.conf: the bindpw must be “hello123”, the root’s password.
2. /etc/samba/smb.conf: add the LDAP server.
3. /etc/nsswitch.conf: add “ldap” before password, user and group.
Then “getent passwd” returns items from both the LDAP server and the local file.

The client’s “/etc/openldap/ldap.conf” is the only file that determines the result of “ldapsearch -x”; just add the LDAP server to this file. Normally, “ldapsearch -x” returns all the entries. (Note that the “size limit” setting in the LDAP server’s “slapd.conf” limits the number of returned items; ‘-1’ means no limit, just like the iPlanet “look through” parameter.)


Translate PDF to Microsoft .doc

September 17, 2006

In Adobe Reader, open the PDF file and click the print item. Select “Microsoft Office Document Image Writer” as the printer to convert the PDF document to “.mdi” format. If “Microsoft Office Document Image Writer” is not found, try to install it from the Microsoft Office 2003 CD (Microsoft Draw).

Second, run Microsoft Office Document Imaging, open the created “.mdi” file, choose “Tools – Send to Word”, and set the OCR language to English or Chinese. The tool then creates a web file that contains the PDF’s text.

Only Office 2003 has this function. Other Office versions cannot do this job.


Add samba user in iPlanet

September 17, 2006

I’ve tried many ways to add a samba user in iPlanet; the following one works. First, create a POSIX user in iPlanet, and then issue “smbpasswd -a user” to make this POSIX user a samba user. It seems that adding entries that contain smb information would also work.

“/etc/ldap.conf” holds the settings for the “getent passwd” command.
“/etc/openldap/ldap.conf” holds the settings for the “ldapsearch -x” command.

Note that only users whose object class contains the POSIX option are recognized as UNIX accounts and returned by the getent command. Non-POSIX entries are never returned in the “getent passwd” result.

How to share a directory in Linux?
First, confirm that NFS is installed and started. Second, modify the “/etc/exports” file and add an item for the shared directory.


Play Windows game in Linux

September 17, 2006

I’ve tried winex and wine, but they do not work well. “Cedega”, a powerful tool to run Windows programs on the Linux platform, is installed with the related crack license package “cpkg”. It supports some Windows games, for example StarCraft and WarIII, but Microsoft Office and MSN could not even be installed with Cedega.

To run the Cedega program, just execute “cedega” on the command line. StarCraft runs very well on my CentOS.


Performance testing on LDAP

September 17, 2006

Written by Phillip Huang

Index
– Target
– Environment
– Preparing Work
– Testing Process
– Data Analysis

1. Target
Performance testing on getting returned entries from LDAP server

2. Environment
There are two computers in total. One acts as the LDAP server; the other is the client that sends queries to the LDAP server.
2.1 Hardware Info
LDAP server – CPU C2.0GHz/Memory 512MB/250G IDE/Realtek 8139(10/100Mbps)
Client machine- CPU P4 1.7GHz/Memory 512MB/80G IDE/Network device Intel PRO 1000(10/100/1000Mbps)
2.2 Software Info
LDAP server – Microsoft Windows 2000 Server / iPlanet Directory Server 5.1
Client – CentOS 4.3(2.6.9-34.EL) / LAT (1.0.7 stable version)
2.3 Network setting/info:
LDAP server IP – 192.168.123.21
LDAP service port – 390
Client IP – 192.168.123.32
Local Area Network – 10Mbps

3. Preparing work

3.1 iPlanet Directory Server Installation/Basic configuration
On the machine “192.168.123.21”, log on as administrator. Before installing iPlanet Directory Server, make sure Internet Information Service (IIS) is not installed, specify only TCP/IP as the network protocol, and do not install any other network services. If IIS is installed, remove it and restart the operating system. If other protocols (e.g. IPX/NetBIOS) or network services are installed, remove them and restart the operating system.

Then unzip the product binaries and run the iPlanet Directory Server setup program. In this test case, choose “typical installation” as the installation type.

According to the DNS host name “plasmon.sit”, select “dc=plasmon, dc=sit” as the directory suffix for the tree that contains the data. Here we set “390” as the Directory Server port. The Directory Manager DN is the special directory entry to which access control does not apply. In this test, we keep the default Directory Manager DN “cn=Directory Manager” and set its password to “hello123”.

3.2 Configure client setting
In the machine “192.168.123.32”, modify the “/etc/openldap/ldap.conf” file as the following:
# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
uri ldap://192.168.123.21:390
BASE dc=plasmon,dc=sit

3.3 connection testing
On the machine “192.168.123.32”, issue the “ldapsearch -x” command. If it returns entry information from the LDAP server, the configuration is right and the connection between the LDAP server and the client works.

3.4 Create large number of general users
In the machine “192.168.123.32”, create a general user “rooney” and export its ldif to file name “1”.
# cat 1
dn: cn=rooney,ou=People, dc=plasmon,dc=sit
sn: wen
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
displayName: rooney
Initials: rw
givenName: rooney
cn: rooney

I wrote a shell script “stest” to replicate the above text with some changes.
#!/bin/bash
# script name: stest
# replicate the "rooney" entry with some changes
# create 10000 copies
for ((i=1;i<=10000;i++))
do
    cp 1 t1
    # change "rooney" to "claudio_$i"
    sed "s/rooney/claudio_$i/g" t1 > t2
    # change "wen" to "lopez_$i"
    sed "s/wen/lopez_$i/g" t2 > rt$i
    # remove temporary files
    rm -rf t1 t2
done
# the following steps concatenate all the rt$i files
# create B1 file
touch B1
for ((i=1;i<=10000;i++))
do
    j=`expr $i + 1`
    cat B$i rt$i > B$j
    # remove temporary files
    rm -rf rt$i B$i
done
# end of script

As a result, I got a file named “B10001” containing 10000 different entries, and then imported “B10001” into the LDAP database with LAT. The successful import was confirmed by these 10000 users showing in the LAT window.
Issuing “ldapsearch -x” returned only 5000 entries with an “Administrative limit exceeded” message. This issue is described in detail later in this report.

3.5 Create large number of POSIX users
As with the general users, I used LAT to create a POSIX user “luisfigo” and exported the entry to a file named “2”.
# cat 2
dn: cn=luisfigo,ou=People, dc=plasmon,dc=sit
objectClass: top
objectClass: posixaccount
objectClass: shadowaccount
objectClass: inetorgperson
objectClass: person
objectClass: organizationalPerson
displayName: luisfigo
uidNumber: 1002
cn: luisfigo
Initials: lf
sn: figo
uid: luisfigo
gecos: luisfigo
homeDirectory: /home/lfigo
gidNumber: 1001
givenName: luis
userPassword: {SSHA}muFo383UsaJsjZpKqAF4MZUk+VxjYo9p8Zs3ow==

I wrote a shell script “stest1” to replicate the above text with some changes.
#!/bin/bash
# script name: stest1
# usage: ./stest1 $1 $2 $3 $4
# $1: the basic first name
# $2: the basic second name
# $3: the begin uidNumber
# $4: the end uidNumber
# create entry
for ((i=$3;i<=$4;i++))
do
    cp 2 t1
    sed "s/luis/$1_$i/g" t1 > t2
    sed "s/figo/$2_$i/g" t2 > t3
    # reset the uidNumber
    sed "s/1002/$i/g" t3 > rt$i
    # remove temporary files
    rm -rf t1 t2 t3
done
# the following steps concatenate all the rt$i files
# create C$3 file
touch C$3
for ((i=$3;i<=$4;i++))
do
    k=`expr $i + 1`
    cat C$i rt$i > C$k
    # remove temporary files
    rm -rf rt$i C$i
done
# rename the output file with a meaningful name
# (after the loop, $i is $4 + 1, so C$i is the last file written)
mv C$i report$1_$2_$3_$4
# end of script

Then I created users in the following steps:
First, I issued “./stest1 phillip huang 1003 4000” on the command line; it created users with uidNumber from 1003 to 4000.
Second, I issued “./stest1 bruce gan 8000 11003” on the command line; it created users with uidNumber from 8000 to 11003.
Third, I issued “./stest1 ashely cole 4001 7999” on the command line; it created users with uidNumber from 4001 to 7999.

Now there are three files: reportphillip_huang_1003_4000, reportbruce_gan_8000_11003, reportashely_cole_4001_7999. Concatenate these three files in this order:
# cat reportphillip_huang_1003_4000 reportbruce_gan_8000_11003 reportashely_cole_4001_7999 > Shevchenko

Import the file “Shevchenko” into the LDAP database with LAT. The successful import was confirmed by these added POSIX users showing in the LAT window. Note that here, too, “ldapsearch -x” returned 5000 entries with an “Administrative limit exceeded” message.

3.6 Look-through Limitation on iPlanet Directory Server
The conditions that trigger the problem include using a user registry containing more entries than the registry’s “look-through” search limit on iPlanet. When the look-through limit defined in the iPlanet Directory Server is exceeded, the directory server returns a status of LDAP_ADMINLIMIT_EXCEEDED. The look-through limit is a performance related parameter that can be customized by the iPlanet LDAP administrator.

In the iPlanet Console, select the Configuration tab and expand the Data entry. Then select the Database Settings item and select the LDBM Plug-in Settings tab. In the Look-through Limit field, enter the maximum number of entries you want the server to check in response to a search request. The default look-through limit value is 5000. If you do not wish to set a limit, enter -1 in this field.

If you bind to the directory as the Directory Manager, the look-through limit is unlimited by default and overrides any setting you specify in this field.

So I use “cn=Directory Manager” to return all entries without modifying the iPlanet default setting in the following tests:
# ldapsearch -x -D "cn=Directory Manager" -w hello123

4. Testing Process
By default, iPlanet Directory Server has created indexes on “sn”, “cn” and “objectclass”. No index is built for “uidNumber”. In this case, we focus on the response time for returned entries when querying, sorting and searching.

4.1 Search with filter based on “objectclass”
4.1.1 ldapsearch result redirect
Testing script: 4_1_1
#!/bin/bash
# script name: 4_1_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)" > ldapsearch_4_1_$i
    echo "End: `date`"
    echo " "
    sleep 60
done
# end of script
The result:
15:43:21 – 15:43:30 9s
15:44:30 – 15:44:38 8s
15:45:38 – 15:45:47 9s
4.1.2 ldapsearch result standard output(screen)
Testing script: 4_1_2
#!/bin/bash
# script name: 4_1_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)"
    echo "End: `date`"
    echo " "
    sleep 60
done
# end of script
The result:
16:29:28 – 16:31:02 94s
16:31:22 – 16:32:54 92s
16:33:14 – 16:34:42 88s

4.2 Search with filter based on “objectclass” and sort by uid
4.2.1 ldapsearch result redirect
Testing script: 4_2_1
#!/bin/bash
# script name: 4_2_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)" -S uid > ldapsearch_4_2_$i
    echo "End: `date`"
    echo " "
    sleep 60
done
# end of script
The result:
15:48:31 – 15:49:40 69s
15:50:40 – 15:51:50 70s
15:52:50 – 15:53:59 69s
4.2.2 ldapsearch result standard output(screen)
Testing script: 4_2_2
#!/bin/bash
# script name: 4_2_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)" -S uid
    echo "End: `date`"
    echo " "
    sleep 20
done
# end of script
The result:
16:37:48 – 16:40:26 162s
16:40:46 – 16:43:24 158s
16:43:44 – 16:46:21 157s

4.3 Search with filter based on “objectclass” and “cn”
4.3.1 ldapsearch result redirect
Testing script: 4_3_1
#!/bin/bash
# script name: 4_3_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*))" > ldapsearch_4_3_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
16:22:06 – 16:22:15 9s
15:22:45 – 16:22:53 8s
16:23:23 – 16:23:32 9s
4.3.2 ldapsearch result standard output(screen)
Testing script: 4_3_2
#!/bin/bash
# script name: 4_3_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*))"
    echo "End: `date`"
    echo " "
    sleep 60
done
# end of script
The result:
16:48:22 – 16:49:56 94s
16:50:16 – 16:51:48 92s
16:52:08 – 16:53:40 92s

4.4 Search with filter based on “objectclass” “cn” and sort by uid
4.4.1 ldapsearch result redirect
Testing script: 4_4_1
#!/bin/bash
# script name: 4_4_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*))" -S uid > ldapsearch_4_4_$i
    echo "End: `date`"
    echo " "
    sleep 60
done
# end of script
The result:
15:58:56 – 16:00:01 65s
16:01:01 – 16:02:06 65s
15:03:06 – 16:04:10 64s
4.4.2 ldapsearch result standard output(screen)
Testing script: 4_4_2
#!/bin/bash
# script name: 4_4_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*))" -S uid
    echo "End: `date`"
    echo " "
    sleep 20
done
# end of script
The result:
16:55:56 – 16:58:35 159s
16:58:55 – 17:01:28 153s
17:01:48 – 17:04:22 154s

4.5 Search with filter based on “objectclass” “cn” “sn”
4.5.1 ldapsearch result redirect
Testing script: 4_5_1
#!/bin/bash
# script name: 4_5_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*)(sn=*))" > ldapsearch_4_5_$i
    echo "End: `date`"
    echo " "
    sleep 60
done
# end of script
The result:
16:17:22 – 16:17:30 8s
16:18:30 – 16:18:38 8s
16:19:38 – 16:19:47 9s
4.5.2 ldapsearch result standard output(screen)
Testing script: 4_5_2
#!/bin/bash
# script name: 4_5_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*)(sn=*))"
    echo "End: `date`"
    echo " "
    sleep 20
done
# end of script
The result:
17:06:24 – 17:07:55 91s
17:08:15 – 17:09:48 93s
17:10:08 – 17:11:33 95s

4.6 Search with filter based on “objectclass” “cn” “sn” and sort by uid
4.6.1 ldapsearch result redirect
Testing script: 4_6_1
#!/bin/bash
# script name: 4_6_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*)(sn=*))" -S uid > ldapsearch_4_6_$i
    echo "End: `date`"
    echo " "
    sleep 60
done
# end of script
The result:
16:08:23 – 16:09:33 70s
16:10:33 – 16:11:41 68s
16:12:41 – 16:13:54 73s
4.6.2 ldapsearch result standard output(screen)
Testing script: 4_6_2
#!/bin/bash
# script name: 4_6_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*)(sn=*))" -S uid
    echo "End: `date`"
    echo " "
    sleep 20
done
# end of script
The result:
17:13:17 – 17:16:13 176s
17:16:33 – 17:19:15 162s
17:19:35 – 17:22:30 175s

Now, in the iPlanet console, add a “uidNumber” index. Restart the LDAP service.

4.7 Search with filter based on “uidnumber”
4.7.1 ldapsearch result redirect
Testing script: 4_7_1
#!/bin/bash
# script name: 4_7_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(uidnumber=*)" > ldapsearch_4_7_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:17:32 – 18:17:38 6s
18:18:08 – 18:18:14 6s
18:18:44 – 18:18:51 7s
4.7.2 ldapsearch result standard output(screen)
Testing script: 4_7_2
#!/bin/bash
# script name: 4_7_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(uidnumber=*)"
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:19:21 – 18:21:08 107s
18:21:38 – 18:23:36 118s
18:24:06 – 18:26:02 116s

4.8 Search with filter based on “uidnumber” and sort by uid
4.8.1 ldapsearch result redirect
Testing script: 4_8_1
#!/bin/bash
# script name: 4_8_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(uidnumber=*)" -S uid > ldapsearch_4_8_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:26:32 – 18:26:52 20s
18:27:22 – 18:27:43 21s
18:28:13 – 18:28:33 20s

4.8.2 ldapsearch result standard output(screen)
Testing script: 4_8_2
#!/bin/bash
# script name: 4_8_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(uidnumber=*)" -S uid
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:29:03 – 18:31:16 133s
18:31:47 – 18:34:00 133s
18:34:30 – 18:36:44 134s

4.9 Search with filter based on “uidnumber” and “objectclass”
4.9.1 ldapsearch result redirect
Testing script: 4_9_1
#!/bin/bash
# script name: 4_9_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*))" > ldapsearch_4_9_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:37:14 – 18:37:21 7s
18:37:51 – 18:37:57 6s
18:38:27 – 18:38:34 7s
4.9.2 ldapsearch result standard output(screen)
Testing script: 4_9_2
#!/bin/bash
# script name: 4_9_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*))"
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:39:04 – 18:41:01 117s
18:41:31 – 18:43:27 116s
18:43:57 – 18:45:55 118s

4.10 Search with filter based on “uidnumber” “objectclass” and sort by uid
4.10.1 ldapsearch result redirect
Testing script: 4_10_1
#!/bin/bash
# script name: 4_10_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*))" -S uid > ldapsearch_4_10_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:46:25 – 18:46:45 20s
18:47:15 – 18:47:35 20s
18:48:05 – 18:48:25 20s
4.10.2 ldapsearch result standard output(screen)
Testing script: 4_10_2
#!/bin/bash
# script name: 4_10_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*))" -S uid
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:48:55 – 18:51:09 134s
18:51:39 – 18:53:51 132s
18:54:21 – 18:56:37 135s

4.11 Search with filter based on “uidnumber” “objectclass” “cn”
4.11.1 ldapsearch result redirect
Testing script: 4_11_1
#!/bin/bash
# script name: 4_11_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*)(cn=*))" > ldapsearch_4_11_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:57:07 – 18:57:13 6s
18:57:43 – 18:57:50 7s
18:58:20 – 18:58:27 7s

4.11.2 ldapsearch result standard output(screen)
Testing script: 4_11_2
#!/bin/bash
# script name: 4_11_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*)(cn=*))"
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:58:57 – 19:00:54 117s
19:01:24 – 19:03:21 117s
19:03:51 – 19:05:47 116s

4.12 Search with filter based on “uidnumber” “objectclass” “cn” and sort by uid
4.12.1 ldapsearch result redirect
Testing script: 4_12_1
#!/bin/bash
# script name: 4_12_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*)(cn=*))" -S uid > ldapsearch_4_12_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
19:06:17 – 19:06:38 19s
19:07:08 – 19:07:28 20s
19:07:58 – 19:08:18 20s

4.12.2 ldapsearch result standard output(screen)
Testing script: 4_12_2
#!/bin/bash
# script name: 4_12_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*)(cn=*))" -S uid
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
19:08:48 – 19:11:01 133s
19:11:31 – 19:13:45 134s
19:14:15 – 19:16:29 133s

4.13 Search with filter based on “objectclass” sort by “objectclass”
4.13.1 ldapsearch result redirect
Testing script: 4_13_1
#!/bin/bash
# script name: 4_13_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)" -S objectclass > ldapsearch_4_13_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
19:16:59 – 19:18:09 70s
19:18:39 – 19:19:50 71s
19:20:20 – 19:21:31 71s
4.13.2 ldapsearch result standard output(screen)
Testing script: 4_13_2
#!/bin/bash
# script name: 4_13_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)" -S objectclass
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
19:22:01 – 19:25:59 238s
19:26:29 – 19:30:26 237s
19:30:56 – 19:34:53 237s

5. Data Analysis

Table 5-1 ldapsearch -x Filter
Filter               (objectclass=*)   (objectclass=*)(cn=*)   (objectclass=*)(cn=*)(sn=*)
------------------------------------------------------------------------------------------
Time(Redirect)(s)    9                 9                       8
Time(stdio)(s)       90                92                      92

Table 5-2 ldapsearch -x Filter -S uid
Filter               (objectclass=*)   (objectclass=*)(cn=*)   (objectclass=*)(cn=*)(sn=*)
------------------------------------------------------------------------------------------
Time(Redirect)(s)    70                65                      70
Time(stdio)(s)       162               154                     170

Note, the testing times of ldapsearch -x "(objectclass=*)" -S objectclass are: 70s and 238s

Table 5-3 ldapsearch -x Filter
Filter               (uidnumber=*)   (uidnumber=*)(objectclass=*)   (uidnumber=*)(objectclass=*)(cn=*)
------------------------------------------------------------------------------------------------------
Time(Redirect)(s)    6               7                              6
Time(stdio)(s)       110             117                            117

Table 5-4 ldapsearch -x Filter -S uid
Filter               (uidnumber=*)   (uidnumber=*)(objectclass=*)   (uidnumber=*)(objectclass=*)(cn=*)
------------------------------------------------------------------------------------------------------
Time(Redirect)(s)    20              20                             19
Time(stdio)(s)       133             133                            133

From Table 5-1 and Table 5-2, although iPlanet has built an index on “uid”, it still took longer to return results than without the sort operation. Comparing the return time (Redirect) in Table 5-3 with Table 5-4, 20 is about 3 times 6; comparing the return time (Redirect) in Table 5-1 with Table 5-2, 70 is almost 8 times 9. I think this difference is caused by the number of returned entries. The tests in Table 5-1 and Table 5-2 returned about 20,000 entries, but the tests in Table 5-3 and Table 5-4 returned only about 10,000 items because some general users have no uidnumber. So the result is acceptable. From all the tables, we can see that the query time does not change noticeably when multiple filters are used. It is worth looking at the return times of “ldapsearch -x "(objectclass=*)" -S objectclass”: they are 70s and 238s. Compare them with the times of “ldapsearch -x "(objectclass=*)" -S uid” listed in Table 5-2, 70s and 162s. The time (Redirect) is the same, but here 238 is much bigger than 162. I have no reasonable explanation for this yet, and I’m still researching it.


Basic stability and Language compatibility testing on LDAP

September 17, 2006

Written by Phillip Huang

Index
– Target
– Testing Environment
– Testing Process
– Testing Result
– Following up
– Summary

1. Target
Test the stability of the LDAP service when creating a large number of users. Specify the usage of the “getent passwd” and “ldapsearch -x” commands. Test whether the LDAP service supports the Chinese character set.

2. Testing Environment
Machines/Software:
192.168.123.21: LDAP service (port: 390) running on ‘iplanet’; the operating system is Windows 2000 Advanced Server (Service Pack 4).
192.168.123.22: PC, with CentOS 4.3 (full installation).
192.168.123.62: SNAZ OS 4
Network Environment: LAN (10Mbps)

3. Testing process.

3.1 Preprocessing
On machine ‘192.168.123.22’, log on as ‘root’. Install ‘smbldap-tools’ (referring to the smbldap-tools How-to manual). Then create a shell script ‘ldaptest’ with the following text:
#!/bin/bash
# script name: ldaptest
echo "Start: `date`"
for ((i=1;i<=10000;i++))
do
    /usr/local/sbin/smbldap-useradd -m "testuser$i"
done
echo "End: `date`"
Here, set the script’s execute permission:
# chmod 777 ldaptest
On machine ‘192.168.123.62’, log in as ‘root’, and modify ‘/etc/openldap/ldap.conf’ as follows:
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
BASE dc=plasmon, dc=com
#HOST 192.168.123.8
#HOST 192.168.123.21
uri ldap://192.168.123.21:390

3.2 Create user with Chinese character set
There are two ways to create users: the ‘smbldap-useradd’ command and the iplanet console.
For smbldap-tools, log on to ‘192.168.123.22’ as root and type ‘#smbldap-useradd Chineseusername’, entering Chinese characters in place of Chineseusername. Then press ‘enter’ to issue the command and watch the returned message. No message means the operation succeeded. Any other output means failure. (You can also get the status by issuing “echo $?”.)
On the LDAP server at ‘192.168.123.21’, open the iplanet console and go to the ‘users and groups’ table. Add new users, and fill in the user profile with Chinese characters wherever possible, focusing especially on the ‘uid’ and ‘user name’ items.

3.3 Create large number of users
On machine ‘192.168.123.22’, log in as ‘root’ and run the ‘./ldaptest’ script first.
On machine ‘192.168.123.62’, log in as ‘root’ and issue ‘getent passwd’ and ‘ldapsearch -x’ on the command line to view the users added to the LDAP database.
For double checking, on machine ‘192.168.123.21’, which holds the LDAP service and database, open the ‘iplanet’ console and list all users returned by a query.

3.4 End working
When the ‘ldaptest’ script has finished, record the ‘Start’ and ‘End’ time information. Keep watching the ‘getent passwd’ result, and compare it with what iplanet shows.

4. Testing Result
At the beginning, the ‘ldaptest’ script worked well, and the added users could be viewed in the ‘getent passwd’ result. On ‘192.168.123.62’, I also issued ‘getent passwd | wc -l’, and the number of lines increased as expected.
After about 30 minutes, the machine ‘192.168.123.22’ running the "ldaptest" script got warning messages:
Cannot confirm uidnumber is free at /usr/local/sbin//smbldaptools.pm line 1062
No user could be inserted now. On machine ‘192.168.123.62’, ‘getent passwd’ only showed the first 2030 items. The rest of the added users were not listed and seemed to be ‘lost’. But I could get those users’ information by issuing ‘getent passwd testuser’. For example, this proved that ‘testuser4600’ existed:
# getent passwd testuser4600
This command returned the ‘testuser4600’ entry from the LDAP database.
Running ‘ldapsearch -x’ on ‘192.168.123.62’, the result did not contain all the user entries, and it showed the warning message:
# search result
search: 2
result: 4 size limit exceeded
On "192.168.123.21", the iplanet console showed more users (about 4500), but not all. E.g., a user like ‘testuser4800’ could be searched for and its profile returned, but it was not displayed in the iplanet user list.
In order to find out how many users had been created, I just guessed by issuing the following commands on ‘192.168.123.62’:
# getent passwd testuser10000
If no result was returned, I continued with:
# getent passwd testuser5000
If ‘testuser5000’ existed, I tried the middle number between 5000 and 10000, and so on. If ‘testuser5000’ did not exist, I tried numbers less than 5000, repeating the loop until the identified number had a corresponding ‘testuser’ entry. Finally, I found the count was 4820. It means "ldaptest" had already created 4820 users.
I stopped "ldaptest" and just executed:
# smbldap-useradd newtestuser
It failed with the same warning message that the ‘ldaptest’ script got earlier. Then I specified the ‘uid’ and tried again:
# smbldap-useradd -u 20000 -a newtestuser
This operation still failed to add ‘newtestuser’; smbldap tools indicated it could not confirm the uidnumber is free.
Later, I used a reversed loop script with "smbldap-userdel testuser$i" to delete all users whose names begin with ‘testuser’. In the first 15 minutes, ‘getent passwd’ showed the remaining ‘testuser$i’ users, and the number of returned lines always held at 2030. After 15 minutes, the "getent passwd | wc -l" result began to decrease, and finally all "testuser$i" users were deleted. Now I could add users again without the smbldap tools warning messages.
Then I repeated the whole test again, and the second result was the same as the first one. Only 4820 users could be inserted into the iplanet LDAP database. It’s a limitation.
In the other test, both smbldap tools and iplanet accepted Chinese characters in the user profile settings, except for uid and email. When setting a Chinese uid, there was the following error message:
The value is not 7-bit clean.
Constraint violation
Later, I deleted ‘uid’ from the iplanet ‘7-bit clean’ rules; Chinese could then be entered as the uid, and the entry was also found when querying by the Chinese string in iplanet. Smbldap tools did not support a Chinese uid issued in command line mode, and the inserted Chinese uid user could not be returned by a query.

5. Following up
In order to display all users in ‘getent passwd’, on machine ‘192.168.123.21’ I modified ‘c:iplanetserversslapd-plz/config/des.ldif’ and changed the nssizelimit value to ‘-1’ (the default nssizelimit is ‘2000’; ‘-1’ means no limit). Then I restarted the iplanet service; more users were listed, but not all. This did not affect the result returned by ‘getent passwd’; it still held at 2030 without changing. The third tool, LAT, connected to the ‘192.168.123.21’ LDAP service, would only display 1000 accounts as a maximum (Loren is fixing this issue, and today sent me a new patch).
Searching the added users as "testuser4820" and "testuser4800" which were not listed on LAT, both of them could be found and return profile. When I’m going on researching, the LDAP server ‘192.168.123.21’ crashed and all the data lost. We had to format the hard disk and install new OS. Testing is also halted. Since iplanet has these issues and I have to wait its reinstallation, I plan to test on another LDAP server(OpenLDAP) in these days to focus on maximum user count. 6. Summary Iplanet LDAP server seems to have limitation on users count. This issue is waiting to be confirmed in the following up testing. ‘getent passwd’ and ‘ldapseach -x’ could not display all users, only a part of users were returned. In iplaned, Chinese could not be used as ‘uid’ until modify the ‘7-bit clean’ rules. Smbldap tools do not accept Chinese character as ‘uid’ whenever.
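The manual guessing described in the Testing Result section is a bisection, and it can be scripted. The following is an added example, not part of the original test report; the function names `user_exists` and `highest_user` are hypothetical, and it assumes users were created in order 1..N, as the ‘ldaptest’ loop does.

```shell
#!/bin/sh
# Added example: bisect for the highest-numbered PREFIX<n> account that
# resolves. Assumes accounts exist for 1..N and for nothing above N.

# user_exists NAME: single-entry lookup through NSS. In the test above,
# single lookups still worked when the full 'getent passwd' listing
# stopped at 2030 lines.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# highest_user PREFIX MAX: prints the largest n in 0..MAX for which
# PREFIX<n> exists (0 when none exists). Needs about log2(MAX) lookups.
highest_user() {
    prefix=$1
    lo=0        # highest index known to exist (0 = none found yet)
    hi=$2       # highest index that might still exist
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))    # round up so the range always shrinks
        if user_exists "${prefix}${mid}"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# On the client machine: highest_user testuser 10000
```

Because each probe is a single-entry lookup, the result does not depend on the server's or client's enumeration size limit.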

Category: Technology Tags:

OpenLDAP Installation

September 17, 2006 No comments

It took me about a week to research the OpenLDAP+SSL installation. Most of the troubles I met were in the OpenSSL and Berkeley DB configuration. Here I write down the steps used to install them successfully.

Testing Operating System: CentOS 3.5 (On Virtual Machine)
Virtual Machine setting: P3/256M/6G/Bridge Network
Basic Operating System: CentOS 4.3(Final)
Hardware: P4 1.7GHz/DDR266 512M/80G IDE

1. Install OpenSSL
Download the latest version “openssl-0.9.8c.tar.gz” from www.openssl.org/source. Check which openssl is already installed in the system by issuing the following command:
# rpm -qa | grep openssl
As the result, it showed openssl-0.9.7a and openssl-devel-0.9.7a. I tried to remove these two packages with “rpm -e”, but so many packages depend on them that I could not complete the removal. Then I downloaded the rpm packages 0.9.8c.rpm and devel-0.9.8c and tried to update with “rpm -Uvh *.rpm”; that also failed. Note that the openssl development package must be installed, or the OpenLDAP installation will have errors. Finally, I decided to compile from the source package (“.tar.gz”). As the openssl website indicates, this source code already includes the development files.

Unzip the tarball package and go to its directory:
# tar zxvf openssl-0.9.8c.tar.gz
# cd openssl-0.9.8c
Here, I set the “--prefix” parameter to “/usr/local/newssl”; if this parameter is not set, “/usr/local” is used as the default. The most important thing to pay attention to is that the “shared” parameter must be added to the config command. “shared” means that shared libraries are created in addition to the usual static libraries. If “shared” is not set, the OpenLDAP installation will fail.
# ./config --prefix=/usr/local/newssl shared
Check what platform the config script guesses by issuing:
# ./config -t
Begin to build:
# make depend
# make
# make test
# make install
Create links as following:
# cd /usr/local/newssl/lib
# ln -s libcrypto.so libcrypto.so.2
# ln -s libssl.so.0.9.8c libssl.so.c
Update the shared library cache:
# echo /usr/local/newssl/lib >> /etc/ld.so.conf
# ldconfig -v
Update the PATH:
# vi /root/.bash_profile
PATH=/usr/local/newssl/bin:$PATH:…
Note: put the “/usr/local/newssl” entry in the first position.
Check SSL installation:
# which openssl
If successful, it will show “/usr/local/newssl/bin/openssl”
# openssl version
If successful, it will show “0.9.8c”.

2. Install Berkeley DB 4.3
Download the source code, unzip and compile:
# tar zxvf BerkeleyDB.4.3.tar.gz
# cd BerkeleyDB.4.3/build_unix
# ../dist/configure
By default, Berkeley DB is installed under the “/usr/local” directory.
# make && make install
The most important thing at this stage is to replace the former Berkeley DB version 4.1 that is already installed in the OS. If this step is skipped, the OpenLDAP installation fails with “Berkeley DB version mismatch”.
# cd /usr/lib
Remove all items named “libdb4.1”, and copy all the 4.3 libraries in “/usr/local/BerkeleyDB.4.3/lib” to “/usr/libdb4.1”. Everything about Berkeley DB is now configured successfully.

3. Install OpenLDAP
Download the source code from www.openldap.org, the version I used is 2.3.29.
Unzip the package:
# tar zxvf openldap-2.3.29.tar.gz
Before running “configure”, the environment must be set correctly: “CPPFLAGS” gives the locations of the OpenSSL and Berkeley DB include directories, and “LDFLAGS” gives the locations of the OpenSSL and Berkeley DB library directories.
# env CPPFLAGS="-I/usr/local/newssl/include -I/usr/local/BerkeleyDB.4.3/include" LDFLAGS="-L/usr/local/newssl/lib -L/usr/local/BerkeleyDB.4.3/lib" ./configure --with-tls
If all the above steps were done correctly, the configure process creates the makefile without errors.
# make
# make install

Finally, run “/usr/local/libexec/slapd” on the command line to check whether the installation is complete. If slapd runs well, the installation was successful.
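Since the old OpenSSL 0.9.7a and Berkeley DB 4.1 packages stay on the system, it is worth confirming which copies the built slapd actually loads at run time. The following is an added example, not part of the original post; the function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list ssl/crypto/db libraries that the dynamic loader
# resolves outside the directories the build was meant to use.

# unexpected_libs PREFIX...: reads `ldd` output on stdin; prints one line per
# libssl/libcrypto/libdb entry that is unresolved or lives outside every
# PREFIX. Prints nothing when all of them resolve where expected.
unexpected_libs() {
    awk -v prefixes="$*" '
        BEGIN { n = split(prefixes, p, " ") }
        # ldd lines look like: libssl.so.0.9.8 => /path/libssl.so.0.9.8 (0x...)
        $1 ~ /^lib(ssl|crypto|db)[-.]/ && $2 == "=>" {
            path = $3
            if (path == "not") { print $1 ": not found"; next }
            ok = 0
            for (i = 1; i <= n; i++)
                if (index(path, p[i] "/") == 1) ok = 1
            if (!ok) print $1 ": " path
        }'
}

# Constructed sample of ldd output (not captured from a real host).
sample_ldd() {
    cat <<'EOF'
    libssl.so.0.9.8 => /usr/local/newssl/lib/libssl.so.0.9.8 (0x00b2c000)
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x00c51000)
    libdb-4.3.so => not found
    libc.so.6 => /lib/tls/libc.so.6 (0x00111000)
EOF
}

# On the build host:
#   ldd /usr/local/libexec/slapd | \
#       unexpected_libs /usr/local/newssl/lib /usr/local/BerkeleyDB.4.3/lib
```

Any line printed means slapd would load a different library than the one it was compiled against, or none at all.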

Category: Technology Tags:

Saturday

September 16, 2006 No comments

Today is Saturday. I’ve been in Zhuhai for about 1.5 months. Through the hard early days, I would put all my heart into Linux development. It’s a really interesting and charming world. How happy I was when I installed iPlanet, created a large number of users by ldif, and exported and imported entries again and again; sometimes I also felt very tired, and even wanted to give up. But I decided to keep on fixing all the issues, and then I got it! I cannot describe the feeling of finding the right way after many tests. It’s real life, real research. None of my earlier days in Shenzhen gave me this feeling. Robert, the father of the weatherman, said the hard things are always the right things.

I’ll write some articles about the last two weeks’ experience. It’s very important.

Category: Technology Tags:

Two days researching iplanet/LDAP/LDIF

September 10, 2006 No comments

Saturday and Sunday: installed and configured iplanet successfully, and created a large number of users from an LDIF database.

Putting all my heart into researching is a fun thing.

Category: Technology Tags: