Archive

Archive for September 2006

mplayer installation

September 23, 2006 No comments

I still remember that, maybe in June 2005, I tried to install mplayer on Fedora Core 3. Though audio files (mp3, mp4) played in text mode, mplayer could not support video. After re-installing several times, I had to give up. This week, Thursday, is a big day for celebration: I did install mplayer successfully!

Download the following files first:
1. mplayer source code package: MPlayer-1.0pre8.tar.bz2
2. mplayer essential codecs package: essential-20060611.tar.bz2
3. font files: font-arial-cp1250.tar.bz2, font-arial-iso-8859-1.tar.bz2, font-arial-iso-8859-2.tar.bz2, font-arial-iso-8859-7.tar.bz2
4. mplayer skin: iTunes (of course, I choose my favorite)

My operating system is CentOS 4.2, with most development packages installed. Unpack the essential codecs package and move it to “/usr/lib/codecs”:
# tar -jxvf essential-20060611.tar.bz2
# mkdir /usr/lib/codecs
# mv essential-20060611 /usr/lib/codecs

Install mplayer:
# tar jxvf MPlayer-1.0pre8.tar.bz2
# cd MPlayer-1.0pre8
# ./configure --enable-gui --with-codecsdir=/usr/lib/codecs --with-win32libdir=/usr/lib/codecs --with-reallibdir=/usr/lib/codecs --with-xanimlibdir=/usr/lib/codecs --disable-inet6 --language=zh_CN,en --prefix=/soft/MPlayer1.0
During this configure process, it was interrupted with the following error:
Checking for GUI … yes
Error: PNG support required for GUI compilation, please install libpng and libpng-dev packages.
Check “configure.log” if you do not understand why it failed.

I'm sure the libpng and libpng-dev packages had been installed:
# rpm -qa | grep libpng
libpng-1.2.7-1
libpng-devel-1.2.7-1
What's wrong? On Google, somebody said that even after they reinstalled or updated the libpng and libpng-devel packages, the above error still existed. I'm not going to reinstall those packages because of the damn RedHat package dependencies. Just when I thought I had to give up again, the solution was found through Google.
Just two lines, how simple it looks!
# /usr/bin/gtk-query-immodules-2.0 > /etc/gtk-2.0/gtk.immodules
# /usr/bin/gdk-pixbuf-query-loaders > /etc/gtk-2.0/gdk-pixbuf.loaders

Ok, go on with the installation:
[root@localhost MPlayer-1.0pre8]# ./configure --enable-gui --with-codecsdir=/usr/lib/codecs --with-win32libdir=/usr/lib/codecs --with-reallibdir=/usr/lib/codecs --with-xanimlibdir=/usr/lib/codecs --disable-inet6 --enable-png --language=zh_CN,en --prefix=/soft/MPlayer1.0
Detected operating system: Linux
Detected host architecture: i386
Checking for cc version … 3.4.5, ok
Checking for host cc … cc
Checking for cross compilation … no
Checking for CPU vendor … GenuineIntel (15:1:3)
Checking for CPU type … Intel(R) Pentium(R) 4 CPU 1.70GHz
Checking for GCC & CPU optimization abilities … pentium4
Checking for kernel support of mmx … yes
Checking for kernel support of mmxext … yes
Checking for kernel support of sse … yes
Checking for kernel support of sse2 … yes
Checking for mtrr support … yes
Checking for xmmintrin.h … yes
Checking for assembler support of -pipe option … yes
Checking for assembler (as 2.15.92.0.2) … ok
Checking for Linux kernel version … 2.6.9-34.EL, ok
Checking for MPlayer binary name … mplayer
Checking for awk … gawk
Checking for extra headers … none
Checking for extra libs … none
Checking for -lposix … no
Checking for -lm … yes
Checking for langinfo … yes
Checking for language … using zh_CN (man pages: en en)
Checking for enable sighandler … yes
Checking for runtime cpudetection … no
Checking for restrict keyword … __restrict
Checking for __builtin_expect … yes
Checking for kstat … no
Checking for posix4 … no
Checking for lrintf … yes
Checking for round … yes
Checking for nanosleep … yes
Checking for socklib … yes (using -lnsl)
Checking for inet_pton() … yes (using -lnsl)
Checking for inttypes.h (required) … yes
Checking for int_fastXY_t in inttypes.h … yes
Checking for word size … 32
Checking for stddef.h … yes
Checking for malloc.h … yes
Checking for memalign() … yes
Checking for alloca.h … yes
Checking for mman.h … yes
Checking for dynamic loader … yes
Checking for dynamic a/v plugins support … no
Checking for pthread … yes (using -lpthread)
Checking for rpath … no
Checking for iconv … yes
Checking for sys/soundcard.h … yes
Checking for sys/dvdio.h … no
Checking for sys/cdio.h … no
Checking for linux/cdrom.h … yes
Checking for dvd.h … no
Checking for BSDI dvd.h … no
Checking for HP-UX SCSI header … no
Checking for userspace SCSI headers (Solaris) … no
Checking for termcap … yes (using -lncurses)
Checking for termios … yes (using sys/termios.h)
Checking for shm … yes
Checking for linux devfs … no
Checking for scandir() … yes
Checking for strsep() … yes
Checking for strlcpy() … no
Checking for strlcat() … no
Checking for fseeko() … yes
Checking for localtime_r() … yes
Checking for vsscanf() … yes
Checking for swab() … yes
Checking for POSIX select() … yes
Checking for gettimeofday() … yes
Checking for glob() … yes
Checking for setenv() … yes
Checking for sys/sysinfo.h … yes
Checking for Mac OS X APIs … auto
Checking for Mac OS X Finder Support … no
Checking for Mac OS X Bundle file locations … no
Checking for Samba support (libsmbclient) … yes
Checking for 3dfx … no
Checking for tdfxfb … no
Checking for s3fb … no
Checking for tdfxvid … no
Checking for tga … yes
Checking for DirectFB headers presence … not found
Checking for DirectFB … no
Checking for X11 headers presence … yes (using /usr/X11R6/include)
Checking for X11 … yes (using /usr/X11R6/lib)
Checking for DPMS … yes (using Xdpms 4)
Checking for Xv … yes
Checking for XvMC … no
Checking for Xinerama … yes
Checking for Xxf86vm … yes
Checking for XF86keysym … yes
Checking for DGA … 2 (using DGA 2.0)
Checking for OpenGL … yes
Checking for /dev/mga_vid … no
Checking for xmga … no
Checking for GGI … no
Checking for GGI extension: libggiwmh … no
Checking for AA … no
Checking for CACA … no
Checking for SVGAlib … no
Checking for FBDev … no
Checking for DVB … no (specify path to DVB/ost/include with –with-dvbincdir=D IR)
Checking for DVB HEAD … yes
Checking for PNG support … yes
Checking for JPEG support … yes
Checking for PNM support … yes
Checking for md5sum support … yes
Checking for GIF support … yes
Checking for broken giflib workaround … disabled
Checking for VESA support … no
Checking for SDL … yes (using sdl-config)
Checking for Windows waveout … no
Checking for Directx … no
Checking for NAS … no
Checking for DXR2 … no
Checking for DXR3/H+ … no
Checking for libmp1e … no
Checking for libfame … no
Checking for OSS Audio … yes
Checking for aRts … no
Checking for EsounD … yes
Checking for esd_get_latency() … yes
Checking for Polyp … no
Checking for JACK … no
Checking for OpenAL … no
Checking for ALSA audio … yes (using alsa 1.0.x and alsa/asoundlib.h)
Checking for Sun audio … no
Checking for Sun mediaLib … no
Checking for SGI audio … no
Checking for VCD support … yes
Checking for DVD support (libmpdvdkit2) … yes
Checking for DVD support (libdvdread) … no (disabled by libmpdvdkit2)
Checking for cdparanoia … no
Checking for libcdio … no
Checking for freetype >= 2.0.9 … yes
Checking for fontconfig … yes
Checking for fribidi with charsets … no
Checking for ENCA … no
Checking for zlib … yes
Checking for RTC … yes
Checking for external liblzo support … no
Checking for mad support … no
Checking for Toolame … no
Checking for Twolame … no
Checking for OggVorbis support … yes (internal Tremor)
Checking for libspeex (version >= 1.1 required) … no
Checking for OggTheora support … no
Checking for mp3lib support … yes
Checking for liba52 support … yes
Checking for libdts support … no
Checking for libmpeg2 support … yes
Checking for libmpcdec (musepack, version >= 1.2.1 required) … no
Checking for FAAC (AAC encoder) support … no
Checking for internal FAAD2 (AAC) support … yes
Checking for external FAAD2 (AAC) support … no
Checking for LADSPA plugin support … no
Checking for Win32 codec DLL support … yes (using /usr/lib/codecs)
Checking for Win32 loader support … yes
Checking for DirectShow … yes
Checking for XAnim DLL … yes (using /usr/lib/codecs)
Checking for RealPlayer DLL … yes (using /usr/lib/codecs)
Checking for LIVE555 Streaming Media libraries … no
Checking for FFmpeg libavutil (static) … yes
Checking for FFmpeg libavcodec (static) … yes
Checking for FFmpeg libavformat (static) … yes
Checking for FFmpeg libpostproc (static) … yes
Checking for AMR narrowband … no
Checking for AMR narrowband, fixed point … no
Checking for AMR wideband … no
Checking for libdv-0.9.5+ … no
Checking for zr … no
Checking for bl … no
Checking for XviD … no
Checking for x264 … no
Checking for DivX4linux/DivX5linux/OpenDivX decore … no
Checking for libmp3lame (for mencoder) … no
Checking for DivX4linux encore (for mencoder) … no
Checking for mencoder … yes
Checking for fastmemcpy … yes
Checking for UniquE RAR File Library … yes
Checking for TV interface … yes
Checking for *BSD BrookTree 848 TV interface … no
Checking for Video 4 Linux TV interface … yes
Checking for Video 4 Linux 2 TV interface … yes
Checking for audio select() … yes
Checking for network … yes
Checking for ftp … yes
Checking for vstream client … no
Checking for byte order … little-endian
Checking for OSD menu … no
Checking for QTX codecs … yes
Checking for Subtitles sorting … yes
Checking for XMMS inputplugin support … no
Checking for inet6 … no
Checking for gethostbyname2 … yes
Checking for GUI … yes
Checking for XShape extension … yes
Checking for GTK+ version … 2.8.20
Checking for glib version … 2.8.6
Creating Gui/config.mak
Checking for automatic gdb attach … no
Checking for compiler support for -fno-PIC … yes
Checking for compiler support for noexecstack … yes
Checking for ftello() … yes
Checking for VIDIX (internal) … yes
Checking for VIDIX (external) … no
Checking for joystick … no
Checking for lirc … no
Checking for lircc … no
Creating config.mak
Creating config.h
Creating libvo/config.mak
Creating libao2/config.mak
Creating libaf/config.mak
Config files successfully generated by ./configure !
Install prefix: /soft/MPlayer1.0
Data directory: /soft/MPlayer1.0/share/mplayer
Config direct.: /soft/MPlayer1.0/etc/mplayer
Byte order: little-endian
Optimizing for: pentium4 mmx mmxext sse sse2 mtrr
Languages:
Messages/GUI: zh_CN
Manual pages: en en
Enabled optional drivers:
Input: ftp network tv-v4l2 tv-v4l tv mpdvdkit2 vcd dvb smb
Codecs: qtx libavcodec real xanim dshow/dmo win32 faad2(internal) libmpeg2 liba52 mp3lib tremor(internal) gif
Audio output: alsa esd oss sdl mpegpes(dvb)
Video output: xvidix cvidix sdl gif89a md5sum pnm jpeg png mpegpes(dvb) opengl dga xv x11 xover tga
Audio filters:
Disabled optional drivers:
Input: vstream tv-bsdbt848 live555 cdda dvdread
Codecs: opendivx x264 xvid libdv amr_wb amr_nb faac musepack libdts libtheora speex twolame toolame libmad liblzo
Audio output: sgi sun openal jack polyp arts dxr2 nas dsound win32
Video output: winvidix bl zr zr2 dxr3 dxr2 directx vesa fbdev svga caca aa ggi xmga mga xvmc directfb tdfx_vid s3fb tdfxfb 3dfx
Audio filters: ladspa
‘config.h’ and ‘config.mak’ contain your configuration options.
Note: If you alter theses files (for instance CFLAGS) MPlayer may no longer
compile *** DO NOT REPORT BUGS if you tweak these files ***
‘make’ will now compile MPlayer and ‘make install’ will install it.
Note: On non-Linux systems you might need to use ‘gmake’ instead of ‘make’.
Please check mtrr settings at /proc/mtrr (see DOCS/HTML/en/video.html#mtrr)

Check configure.log if you wonder why an autodetection failed (check whether
the development headers/packages are installed).
Do not report compilation errors if you used any of the –enable-* options
(except –enable-gui and maybe –enable-debug).
If you suspect a bug, please read DOCS/HTML/en/bugreports.html.

Yeah! The configure passed successfully!
# make
# make install
Here, the main program was installed. In the next steps, I will add fonts to support Chinese, and change the ugly default skin of MPlayer. Aha, I always love iTunes.

Install fonts:
# tar xjvf font-arial-cp1250.tar.bz2
# tar xjvf font-arial-iso-8859-1.tar.bz2
# tar xjvf font-arial-iso-8859-2.tar.bz2
# tar xjvf font-arial-iso-8859-7.tar.bz2
Move these unpacked directories to “/soft/MPlayer1.0/share/mplayer/font/”:
# mv font-arial-cp1250/ /soft/MPlayer1.0/share/mplayer/font/
# mv font-arial-iso-8859-1/ /soft/MPlayer1.0/share/mplayer/font/
# mv font-arial-iso-8859-2/ /soft/MPlayer1.0/share/mplayer/font/
# mv font-arial-iso-8859-7/ /soft/MPlayer1.0/share/mplayer/font/

Install the iTunes skin:
# tar -jxvf iTunes-1.1.tar.bz2
# mv PowerPlayer-1.1 default
# mv default /soft/MPlayer1.0/share/mplayer/Skin

Now, run mplayer. It has two running modes: text and GUI. The command for text mode is “mplayer”, and for the GUI it is “gmplayer”. Note that when gmplayer is issued now, there are some error messages (I forgot the details), which can be fixed with the following:
# cd ~/.mplayer
# ln -s /usr/share/fonts/zh_CN/TrueType/gbsn001p.ttf subfont.ttf
Note that the ~/.mplayer directory is only created after running “gmplayer”, so gmplayer should be run once first (for testing).

Finally, I could use mplayer to enjoy media (mp3, wmv) on my Linux. Some rmvb movies seem not to be supported for now.

Category: Technology Tags:

ftp and http service

September 23, 2006 No comments

SNAZ supports FTP and HTTP services. FTP uses vsftpd, and HTTP is based on Tomcat.

The services should be started/restarted as follows:
ftp service: # service vsftpd restart
http service: # /etc/init.d/jsp_init restart

The related PAM files are located in “/etc/pam.d”:
ftp service: /etc/pam.d/vsftpd
http service: /etc/pam.d/login

Category: Technology Tags:

Repair the SNAZ

September 23, 2006 No comments

Sometimes the SNAZ crashes during hard testing or under overload. We need to repair the SNAZ online.

1. Log on to the target machine as admin and switch to root.
2. # portmap
3. # mount 192.168.123.3:/builds /mnt
4. # cp /mnt/4.02/S4.02.17/vmlinuz /boot
5. # cp /mnt/4.02/S4.02.17/initrd_loop /boot
6. # cp /mnt/4.02/S4.02.17/rootfs.zbd /boot
7. # lilo -C /boot/lilo.conf
8. # clean-slate --force SYSTEM
In this step, answer “yes” to confirm cleaning all data on the hard disk.
9. # shutdown -r now

When the system restarts, it will run the former stable version 4.02.17. Use the corresponding ISO to update the system to the version you want. I think this approach gives me some ideas on how to repair other Linux crash issues: verify /boot and make sure it works well.

Category: Technology Tags:

Configure OpenLDAP and OpenSSL

September 19, 2006 No comments

Run “/usr/local/libexec/slapd” to start the OpenLDAP service. In this article, I'll configure this OpenLDAP service with OpenSSL (self-signed certificate). All the steps, including the failures, are written here.

First, edit “/usr/local/etc/openldap/slapd.conf”. Note that the samba schema is not included by default; I copied samba.schema from /Chengdu/build/smb/example/ldap/samba.schema. The schema items must be added in the following sequence, or it will fail when running: core, cosine, inetorgperson, misc, openldap, nis, smb.
Also the following lines are added to slapd.conf:
database bdb
suffix dc=plasmon,dc=sit
rootdn "cn=root,dc=plasmon,dc=sit"
rootpw hello123 # root's password
directory /usr/local/var/openldap.dat

I modified the PATH by adding “/usr/local/libexec” in .bash_profile, then ran slapd directly as “slapd” on the command line. Check the LDAP port; 192.168.123.33 is my OpenLDAP server.
# nmap 192.168.123.33
or # netstat -ant | grep 389
Port 389 is the default for the LDAP service. To check whether the server is running and configured correctly, issue the following command:
# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
If the configuration is correct, it shows:
dn:
namingContexts: dc=plasmon,dc=sit
Yes, OpenLDAP works well, and as the next step I will add entries with LAT and LDIF. Here, I only want to describe how to add an “ou”. Create a file named “ou.ldif”:
dn: ou=People,dc=plasmon,dc=sit
ObjectClass: top
ObjectClass: organizationalUnit
ou: People
description: User info
Note that there must be no space at the end of a line in LDIF files. Hmm, now I see why I failed to import those LDIF files into iPlanet earlier. Save “ou.ldif” and import it into OpenLDAP with LAT, or by issuing the following on “192.168.123.33”:
# ldapadd -x -D "cn=root,dc=plasmon,dc=sit" -w hello123 -f ou.ldif
As a result, ou=People was added to OpenLDAP.
————————–
More attention here! Can this add-ou operation really be done successfully as described above? The answer is no. On Sep 22nd, I reinstalled OpenLDAP on another machine and found this issue. The solution is to add “dc=plasmon,dc=sit” first, as follows:
dn: dc=plasmon, dc=sit
objectclass: dcObject
objectclass: organization
o: Exmaple Company
dc: plasmon
Save the file as “begin.ldif”, and then issue:
# ldapadd -x -D "cn=root,dc=plasmon,dc=sit" -w hello123 -f begin.ldif
The “dc=plasmon,dc=sit” entry is now created, and the ou can then be added.
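
The two LDIF pitfalls described above (a space at the end of a line, and adding ou=People before dc=plasmon,dc=sit exists) can be caught before ldapadd is run. This is an added example, not part of the original post; the function names and sample data are constructed, and it assumes dn lines that are not folded or base64-encoded and RDN values without escaped commas.

```shell
#!/bin/sh
# lint_ldif SUFFIX: reads LDIF on stdin (files concatenated in load order),
# prints one finding per line and returns 1 if anything was found.
lint_ldif() {
    awk -v suffix="$1" '
    function norm(dn) {                 # case-fold, drop spaces around commas
        dn = tolower(dn)
        gsub(/[ \t]*,[ \t]*/, ",", dn)
        return dn
    }
    BEGIN { suffix = norm(suffix); bad = 0 }
    /[ \t]$/ {
        printf "line %d: trailing whitespace\n", NR
        bad = 1
    }
    # A "dn:" line (but not base64 "dn::") starts a new entry.
    tolower(substr($0, 1, 3)) == "dn:" && substr($0, 4, 1) != ":" {
        dn = substr($0, 4)
        sub(/^[ \t]+/, "", dn)
        sub(/[ \t]+$/, "", dn)
        dn = norm(dn)
        comma = index(dn, ",")
        parent = comma ? substr(dn, comma + 1) : ""
        # Every entry except the suffix itself needs a parent defined earlier.
        if (dn != suffix && !(parent in seen)) {
            printf "line %d: parent \"%s\" of \"%s\" is not created earlier\n", NR, parent, dn
            bad = 1
        }
        seen[dn] = 1
    }
    END { exit bad }
    '
}

# Constructed samples based on the two files in the post. The "ou: People "
# line carries a deliberate trailing space.
sample_ou_ldif() {
    printf '%s\n' \
        'dn: ou=People,dc=plasmon,dc=sit' \
        'ObjectClass: top' \
        'ObjectClass: organizationalUnit' \
        'ou: People ' \
        'description: User info' \
        ''
}

sample_begin_ldif() {
    printf '%s\n' \
        'dn: dc=plasmon, dc=sit' \
        'objectclass: dcObject' \
        'objectclass: organization' \
        'o: Example Company' \
        'dc: plasmon' \
        ''
}

# ou.ldif alone: both problems are reported.
sample_ou_ldif | lint_ldif 'dc=plasmon,dc=sit' || true
# begin.ldif first, then ou.ldif: only the trailing space remains.
{ sample_begin_ldif; sample_ou_ldif; } | lint_ldif 'dc=plasmon,dc=sit' || true
```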

Configure OpenSSL.
First, we need to create the server.pem file.
# openssl req -newkey rsa:1024 -nodes -keyout server.pem -out server.pem
Please be very careful when setting the Common Name here! It must be the server's FQDN (fully qualified domain name). Running “hostname” returns the FQDN; for example, for “192.168.123.33” it is “localhost.localdomain”. I tried to set another hostname by issuing “hostname plasmon.sit”, but this new hostname is only used in the current session. If the system restarts, the hostname returns to its original name “localhost.localdomain”. Steven said the hostname could be modified permanently in “/etc/host”, surviving a reboot; I have not tested this. So, I still set the Common Name to “localhost.localdomain”. Then the certificate file “server.pem” was created; add the related settings to “slapd.conf” as its tips indicate.

Restart the system, and run:
# slapd -h "ldaps://:636"
As above, use netstat and nmap to check whether port 636 is open.

On the client machine, configure the following files in order to access OpenLDAP:
1. /etc/ldap.conf: the bindpw must be “hello123”, the root's password.
2. /etc/samba/smb.conf: add the LDAP server.
3. /etc/nsswitch.conf: add “ldap” before password, user and group.
Then “getent passwd” returns items both from the LDAP server and from local files.

The client's “/etc/openldap/ldap.conf” is the only file that determines the result of “ldapsearch -x”; just add the LDAP server to this file. Normally, “ldapsearch -x” returns all the entries. (Note that the “size limit” setting in the LDAP server's “slapd.conf” limits the number of returned items; ‘-1’ means no limit, just like the iPlanet “look through” parameter.)
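
As an added example (not from the original post or the OpenLDAP project), this check reads a slapd.conf and reports three things this post touches on: schema includes out of the stated order, a cleartext rootpw, and a missing certificate pair for ldaps://. The schema directory, the /path/to/server.pem placeholder and the hash placeholder are assumptions; TLSCertificateFile and TLSCertificateKeyFile are the slapd.conf directives that name the certificate and key.

```shell
#!/bin/sh
# audit_slapd_conf: reads a slapd.conf on stdin, prints one finding per line.
audit_slapd_conf() {
    awk '
    BEGIN {
        # Order given in the post; "smb" there is the samba.schema file.
        n = split("core cosine inetorgperson misc openldap nis samba", order, " ")
        for (i = 1; i <= n; i++) rank[order[i]] = i
        last = 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    { key = tolower($1) }                # directive names are case-insensitive
    key == "include" {
        name = tolower($2)
        sub(/^.*\//, "", name)           # strip the directory
        sub(/\.schema$/, "", name)       # strip the extension
        if (name in rank) {
            if (rank[name] < last)
                printf "line %d: %s.schema is included after %s.schema\n", NR, name, order[last]
            else
                last = rank[name]
        }
    }
    # A hashed value starts with a scheme tag such as {SSHA} (slappasswd prints one).
    key == "rootpw" && substr($2, 1, 1) != "{" {
        printf "line %d: rootpw is stored in cleartext\n", NR
    }
    key == "tlscertificatefile"    { cert = 1 }
    key == "tlscertificatekeyfile" { pkey = 1 }
    END {
        if (!cert || !pkey)
            print "no TLSCertificateFile/TLSCertificateKeyFile pair configured"
    }
    '
}

# Constructed sample configurations (schema directory is an assumption).
includes() {            # print include lines for the named schemas, in order
    for s in "$@"; do
        echo "include /usr/local/etc/openldap/schema/$s.schema"
    done
}

database_section() {    # $1 = rootpw value
    printf '%s\n' 'database bdb' 'suffix dc=plasmon,dc=sit' \
        'rootdn "cn=root,dc=plasmon,dc=sit"' "rootpw $1" \
        'directory /usr/local/var/openldap.dat'
}

sample_weak_conf() {    # samba before nis, cleartext rootpw, no TLS lines
    includes core cosine inetorgperson misc openldap samba nis
    database_section hello123
}

sample_hardened_conf() {
    includes core cosine inetorgperson misc openldap nis samba
    echo 'TLSCertificateFile /path/to/server.pem'
    echo 'TLSCertificateKeyFile /path/to/server.pem'
    database_section '{SSHA}CONSTRUCTED-PLACEHOLDER-HASH'
}

sample_weak_conf | audit_slapd_conf
sample_hardened_conf | audit_slapd_conf
```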

Category: Technology Tags:

Translate PDF to Microsoft .doc

September 17, 2006 No comments

In Adobe Reader, open the PDF file and click the print item. Select “Microsoft Office Document Image Writer” as the printer to convert the PDF document to the “.mdi” format. If “Microsoft Office Document Image Writer” is not found, try to install this program from the Microsoft Office 2003 CD (Microsoft Draw).

Second, run Microsoft Office Document Imaging, open the created “.mdi” file, choose “Tools – Send to Word”, and set the OCR language to English or Chinese. The tool will then create a Web file containing the PDF's text.

Only Office 2003 has this function; other Office versions cannot do this job.

Category: Technology Tags:

Add samba user in iPlanet

September 17, 2006 No comments

I've tried many ways to add a samba user in iPlanet; the following one works. First, create a POSIX user with iPlanet, and then issue “smbpasswd -a user” to make this POSIX user a samba user. It seemed that adding entries containing smb information would also work.

“/etc/ldap.conf” holds the settings for the “getent passwd” command.
“/etc/openldap/ldap.conf” holds the settings for the “ldapsearch -x” command.

Note that only a user whose object class contains the POSIX option is recognized as a UNIX account and returned by the getent command. Non-POSIX entries will never be returned in the “getent passwd” result.

How to share a directory in Linux?
First, confirm that NFS has been installed and started. Second, modify the “/etc/exports” file and add the shared directory item.

Category: Technology Tags:

Play Windows game in Linux

September 17, 2006 No comments

I've tried winex and wine, but they do not work well. “Cedega”, a powerful tool to run Windows programs on the Linux platform, is installed with the related crack license package “cpkg”. It supports some Windows games, for example StarCraft and WarIII, but Microsoft Office and MSN could not even be installed with the Cedega tools.

To run the Cedega program, just execute “cedega” on the command line. StarCraft runs very well on my CentOS.

Category: Technology Tags:

Performance testing on LDAP

September 17, 2006 No comments

Performance testing on LDAP
Written by Phillip Huang

Index
1. Target
2. Environment
3. Preparing Work
4. Testing Process
5. Data Analysis

1. Target
Performance testing on getting returned entries from LDAP server

2. Environment
There are two computers in total. One acts as the LDAP server; the other is the client that sends queries to the LDAP server.
2.1 Hardware Info
LDAP server – CPU C2.0GHz/Memory 512MB/250G IDE/Realtek 8139(10/100Mbps)
Client machine- CPU P4 1.7GHz/Memory 512MB/80G IDE/Network device Intel PRO 1000(10/100/1000Mbps)
2.2 Software Info
LDAP server – Microsoft Windows 2000 Server / iPlanet Directory Server 5.1
Client – CentOS 4.3(2.6.9-34.EL) / LAT (1.0.7 stable version)
2.3 Network setting/info:
LDAP server IP – 192.168.123.21
LDAP service port – 390
Client IP – 192.168.123.32
Local Area Network – 10Mbps

3. Preparing work

3.1 iPlanet Directory Server Installation/Basic configuration
On the machine “192.168.123.21”, log on as administrator. Before installing iPlanet Directory Server, make sure Internet Information Services (IIS) is not installed, that TCP/IP is the only network protocol specified, and that no other network services are installed. If IIS is installed, remove it and restart the operating system. If other protocols (e.g. IPX/NetBIOS) or network services are installed, remove them and restart the operating system.

Then, unzip the product binaries and run the iPlanet Directory Server setup program. In this test case, choose “typical installation” as the type of installation.

According to the DNS host name “plasmon.sit”, select “dc=plasmon, dc=sit” as the directory suffix for the tree that contains the data. Here we set “390” as the Directory Server port. The Directory Manager DN is the special directory entry to which access control does not apply. In this test, we keep the default Directory Manager DN “cn=Directory Manager” and set its password to “hello123”.

3.2 Configure client setting
In the machine “192.168.123.32”, modify the “/etc/openldap/ldap.conf” file as the following:
# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
uri ldap://192.168.123.21:390
BASE dc=plasmon,dc=sit

3.3 connection testing
In the machine “192.168.123.32”, issue the “ldapsearch -x” command. If it is able to return the entries information from LDAP server, it means the configurations are right and connection between LDAP server and client runs well.

3.4 Create large number of general users
In the machine “192.168.123.32”, create a general user “rooney” and export its ldif to file name “1”.
# cat 1
dn: cn=rooney,ou=People, dc=plasmon,dc=sit
sn: wen
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
displayName: rooney
Initials: rw
givenName: rooney
cn: rooney

I wrote a shell script “stest” to replicate the above text with some changes.
#!/bin/bash
# script name: stest
# replicate the "rooney" entry with some changes
# create 10000 copies
for ((i=1;i<=10000;i++))
do
cp 1 t1
# change "rooney" to "claudio_$i"
sed "s/rooney/claudio_$i/g" t1 > t2
# change "wen" to "lopez_$i"
sed "s/wen/lopez_$i/g" t2 > rt$i
# remove temporary files
rm -rf t1 t2
done
# the following steps are to concatenate all the rt$i files
# create B1 file
touch B1
for ((i=1;i<=10000;i++))
do
j=`expr $i + 1`
cat B$i rt$i > B$j
# remove temporary files
rm -rf rt$i B$i
done
# end of script

As a result, I got a file named “B10001” containing 10000 different entries, and then imported this “B10001” into the LDAP database with LAT. A successful import can be confirmed by these 10000 users showing up in the LAT window.
Issuing “ldapsearch -x” returned only 5000 entries, with an “Administrative limit exceeded” message. This issue is described in detail later in this report.

3.5 Create large number of POSIX users
In the same way as for the general users, I used LAT to create a POSIX user “luisfigo” and exported the entry to a file named “2”.
# cat 2
dn: cn=luisfigo,ou=People, dc=plasmon,dc=sit
objectClass: top
objectClass: posixaccount
objectClass: shadowaccount
objectClass: inetorgperson
objectClass: person
objectClass: organizationalPerson
displayName: luisfigo
uidNumber: 1002
cn: luisfigo
Initials: lf
sn: figo
uid: luisfigo
gecos: luisfigo
homeDirectory: /home/lfigo
gidNumber: 1001
givenName: luis
userPassword: {SSHA}muFo383UsaJsjZpKqAF4MZUk+VxjYo9p8Zs3ow==

I wrote a shell script “stest1” to replicate the above text with some changes.
#!/bin/bash
# script name: stest1
# usage: ./stest1 $1 $2 $3 $4
# $1: the basic first name
# $2: the basic second name
# $3: the begin uidNumber
# $4: the end uidNumber
# create entry
for ((i=$3;i<=$4;i++))
do
cp 2 t1
sed "s/luis/$1_$i/g" t1 > t2
sed "s/figo/$2_$i/g" t2 > t3
# reset the uidNumber
sed "s/1002/$i/g" t3 > rt$i
# remove temporary files
rm -rf t1 t2 t3
done
# the following steps are to concatenate all the rt$i files
# create C$3 file
touch C$3
for ((i=$3;i<=$4;i++))
do
k=`expr $i + 1`
cat C$i rt$i > C$k
# remove temporary files
rm -rf rt$i C$i
done
# rename the output file with a meaningful name
# (after the loop, i is $4 + 1, so C$i is the last file written)
mv C$i report$1_$2_$3_$4
# end of script

Then, I decided to create users in the following steps:
First, I issued “./stest1 phillip huang 1003 4000” on the command line; it created users with uidNumber from 1003 to 4000.
Second, I issued “./stest1 bruce gan 8000 11003” on the command line; it created users with uidNumber from 8000 to 11003.
Third, I issued “./stest1 ashely cole 4001 7999” on the command line; it created users with uidNumber from 4001 to 7999.

Now, there are three files: reportphillip_huang_1003_4000, reportbruce_gan_8000_11003, reportashely_cole_4001_7999. Concatenate these three files in this identified order:
# cat reportphillip_huang_1003_4000 reportbruce_gan_8000_11003 reportashely_cole_4001_7999 > Shevchenko

Import the file “Shevchenko” into the LDAP database with LAT. A successful import can be confirmed by these added POSIX users showing up in the LAT window. Note that here, too, issuing “ldapsearch -x” returned 5000 entries with an “Administrative limit exceeded” message.

3.6 Look-through limit on iPlanet Directory Server
The conditions that trigger the problem include using a user registry containing more entries than the registry’s “look-through” search limit on iPlanet. When the look-through limit defined in the iPlanet Directory Server is exceeded, the directory server returns a status of LDAP_ADMINLIMIT_EXCEEDED. The look-through limit is a performance related parameter that can be customized by the iPlanet LDAP administrator.

In the iPlanet Console, select the Configuration tab and expand the Data entry. Then select the Database Settings item and select the LDBM Plug-in Settings tab. In the Look-through Limit field, enter the maximum number of entries you want the server to check in response to a search request. The default look-through limit value is 5000. If you do not wish to set a limit, enter -1 in this field.

If you bind to the directory as the Directory Manager, the look-through limit is unlimited by default, and overrides any setting you specify in this field.

So I use “cn=Directory Manager” to return all entries without modifying the iPlanet default setting in the following tests:
# ldapsearch -x -D "cn=Directory Manager" -w hello123
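
A saved “ldapsearch -x” output that stopped at the look-through limit looks like a normal result unless its trailer is read. The following added example (not part of the original report) checks the trailer that ldapsearch prints in its default output mode; the function name and the shortened sample output are constructed, and the trailer is absent when ldapsearch is run with -LLL.

```shell
#!/bin/sh
# check_ldapsearch_complete: reads ldapsearch output on stdin, prints a
# one-line verdict, returns 0 if complete, 1 if partial, 2 if no trailer.
check_ldapsearch_complete() {
    awk '
    BEGIN {
        # LDAP result codes that mean "the server stopped early".
        why[3]  = "time limit"
        why[4]  = "size limit"
        why[11] = "administrative (look-through) limit"
    }
    /^# search result$/ { trailer = 1; next }
    # Only trust "result:" after the trailer marker, never inside an entry.
    trailer && /^result: / {
        code = $2 + 0
        text = $0
        sub(/^result: [0-9]+ */, "", text)
        have = 1
    }
    trailer && /^# numEntries: / { entries = $3 + 0 }
    END {
        if (!have) { print "no result trailer found"; exit 2 }
        if (code == 0) { printf "complete: %d entries\n", entries; exit 0 }
        hint = (code in why) ? why[code] : "see server log"
        printf "partial: %d entries, result %d (%s), cause: %s\n", entries, code, text, hint
        exit 1
    }
    '
}

# Constructed and shortened sample of what the report describes: entries are
# returned, but the trailer carries result 11 instead of 0.
sample_truncated() {
    cat <<'EOF'
# extended LDIF
#
# LDAPv3
# filter: (objectclass=*)
# requesting: ALL
#

# claudio_1, People, plasmon.sit
dn: cn=claudio_1,ou=People,dc=plasmon,dc=sit
cn: claudio_1
sn: lopez_1

# claudio_2, People, plasmon.sit
dn: cn=claudio_2,ou=People,dc=plasmon,dc=sit
cn: claudio_2
sn: lopez_2

# search result
search: 2
result: 11 Administrative limit exceeded

# numResponses: 3
# numEntries: 2
EOF
}

# The truncated sample, then the same output with a success trailer.
sample_truncated | check_ldapsearch_complete || true
sample_truncated | sed 's/^result: 11 .*/result: 0 Success/' | check_ldapsearch_complete
```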

4. Testing Process
By default, iPlanet Directory Server has created indexes on “sn”, “cn” and “objectclass”. No index is built for “uidNumber”. In this case, we focus on the response time for returned entries when requesting to query, sort and research.

4.1 Research with filter based on “objectclass”
4.1.1 ldapsearch result redirect
Testing script: 4_1_1
#!/bin/bash
# script name: 4_1_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
echo " i = $i"
echo "Start: `date`"
ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)" > ldapsearch_4_1_$i
echo "End: `date`"
echo " "
sleep 60
done
# end of script
The result:
15:43:21 – 15:43:30 9s
15:44:30 – 15:44:38 8s
15:45:38 – 15:45:47 9s
4.1.2 ldapsearch result standard output(screen)
Testing script: 4_1_2
#!/bin/bash
# script name: 4_1_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
echo " i = $i"
echo "Start: `date`"
ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)"
echo "End: `date`"
echo " "
sleep 60
done
# end of script
The result:
16:29:28 – 16:31:02 94s
16:31:22 – 16:32:54 92s
16:33:14 – 16:34:42 88s
4.2 Research with filter based on “objectclass” and sort by uid
4.2.1 ldapsearch result redirect
Testing script: 4_2_1
#!/bin/bash
# script name: 4_2_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
echo " i = $i"
echo "Start: `date`"
ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)" -S uid > ldapsearch_4_2_$i
echo "End: `date`"
echo " "
sleep 60
done
# end of script
The result:
15:48:31 – 15:49:40 69s
15:50:40 – 15:51:50 70s
15:52:50 – 15:53:59 69s
4.2.2 ldapsearch result standard output(screen)
Testing script: 4_2_2
#!/bin/bash
# script name: 4_2_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
echo " i = $i"
echo "Start: `date`"
ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)" -S uid
echo "End: `date`"
echo " "
sleep 20
done
# end of script
The result:
16:37:48 – 16:40:26 162s
16:40:46 – 16:43:24 158s
16:43:44 – 16:46:21 157s
4.3 Research with filter based on “objectclass” and “cn”
4.3.1 ldapsearch result redirect
Testing script: 4_3_1
#!/bin/bash
# script name: 4_3_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
echo " i = $i"
echo "Start: `date`"
ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*))" > ldapsearch_4_3_$i
echo "End: `date`"
echo " "
sleep 30
done
# end of script
The result:
16:22:06 – 16:22:15 9s
15:22:45 – 16:22:53 8s
16:23:23 – 16:23:32 9s
4.3.2 ldapsearch result standard output(screen)
Testing script: 4_3_2
#!/bin/bash
# script name: 4_3_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
echo " i = $i"
echo "Start: `date`"
ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*))"
echo "End: `date`"
echo " "
sleep 60
done
# end of script
The result:
16:48:22 – 16:49:56 94s
16:50:16 – 16:51:48 92s
16:52:08 – 16:53:40 92s
4.4 Research with filter based on “objectclass” “cn” and sort by uid
4.4.1 ldapsearch result redirect
Testing script: 4_4_1
#!/bin/bash
# script name: 4_4_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
echo " i = $i"
echo "Start: `date`"
ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*))" -S uid > ldapsearch_4_4_$i
echo "End: `date`"
echo " "
sleep 60
done
# end of script
The result:
15:58:56 – 16:00:01 65s
16:01:01 – 16:02:06 65s
15:03:06 – 16:04:10 64s
4.4.2 ldapsearch result standard output(screen)
Testing script: 4_4_2
#!/bin/bash
# script name: 4_4_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
echo " i = $i"
echo "Start: `date`"
ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*))" -S uid
echo "End: `date`"
echo " "
sleep 20
done
# end of script
The result:
16:55:56 – 16:58:35 159s
16:58:55 – 17:01:28 153s
17:01:48 – 17:04:22 154s
4.5 Research with filter based on “objectclass” “cn” “sn”
4.5.1 ldapsearch result redirect
Testing script: 4_5_1
#!/bin/bash
# script name: 4_5_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
echo " i = $i"
echo "Start: `date`"
ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*)(sn=*))" > ldapsearch_4_5_$i
echo "End: `date`"
echo " "
sleep 60
done
# end of script
The result:
16:17:22 – 16:17:30 8s
16:18:30 – 16:18:38 8s
16:19:38 – 16:19:47 9s
4.5.2 ldapsearch result standard output(screen)
Testing script: 4_5_2
#!/bin/bash
# script name: 4_5_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*)(sn=*))"
    echo "End: `date`"
    echo " "
    sleep 20
done
# end of script
The result:
17:06:24 - 17:07:55 91s
17:08:15 - 17:09:48 93s
17:10:08 - 17:11:33 95s
4.6 Research with filter based on "objectclass" "cn" "sn" and sort by uid
4.6.1 ldapsearch result redirect
Testing script: 4_6_1
#!/bin/bash
# script name: 4_6_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*)(sn=*))" -S uid > ldapsearch_4_6_$i
    echo "End: `date`"
    echo " "
    sleep 60
done
# end of script
The result:
16:08:23 – 16:09:33 70s
16:10:33 – 16:11:41 68s
16:12:41 – 16:13:54 73s
4.6.2 ldapsearch result standard output(screen)
Testing script: 4_6_2
#!/bin/bash
# script name: 4_6_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(objectclass=*)(cn=*)(sn=*))" -S uid
    echo "End: `date`"
    echo " "
    sleep 20
done
# end of script
The result:
17:13:17 - 17:16:13 176s
17:16:33 - 17:19:15 162s
17:19:35 - 17:22:30 175s
Now, in the iPlanet console, add a "uidNumber" index. Restart the LDAP service.
4.7 Research with filter based on "uidnumber"
4.7.1 ldapsearch result redirect
Testing script: 4_7_1
#!/bin/bash
# script name: 4_7_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(uidnumber=*)" > ldapsearch_4_7_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:17:32 – 18:17:38 6s
18:18:08 – 18:18:14 6s
18:18:44 – 18:18:51 7s
4.7.2 ldapsearch result standard output(screen)
Testing script: 4_7_2
#!/bin/bash
# script name: 4_7_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(uidnumber=*)"
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:19:21 - 18:21:08 107s
18:21:38 - 18:23:36 118s
18:24:06 - 18:26:02 116s
4.8 Research with filter based on "uidnumber" and sort by uid
4.8.1 ldapsearch result redirect
Testing script: 4_8_1
#!/bin/bash
# script name: 4_8_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(uidnumber=*)" -S uid > ldapsearch_4_8_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:26:32 – 18:26:52 20s
18:27:22 – 18:27:43 21s
18:28:13 – 18:28:33 20s

4.8.2 ldapsearch result standard output(screen)
Testing script: 4_8_2
#!/bin/bash
# script name: 4_8_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(uidnumber=*)" -S uid
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:29:03 - 18:31:16 133s
18:31:47 - 18:34:00 133s
18:34:30 - 18:36:44 134s
4.9 Research with filter based on "uidnumber" and "objectclass"
4.9.1 ldapsearch result redirect
Testing script: 4_9_1
#!/bin/bash
# script name: 4_9_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*))" > ldapsearch_4_9_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:37:14 – 18:37:21 7s
18:37:51 – 18:37:57 6s
18:38:27 – 18:38:34 7s
4.9.2 ldapsearch result standard output(screen)
Testing script: 4_9_2
#!/bin/bash
# script name: 4_9_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*))"
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:39:04 - 18:41:01 117s
18:41:31 - 18:43:27 116s
18:43:57 - 18:45:55 118s
4.10 Research with filter based on "uidnumber" "objectclass" and sort by uid
4.10.1 ldapsearch result redirect
Testing script: 4_10_1
#!/bin/bash
# script name: 4_10_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*))" -S uid > ldapsearch_4_10_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:46:25 – 18:46:45 20s
18:47:15 – 18:47:35 20s
18:48:05 – 18:48:25 20s
4.10.2 ldapsearch result standard output(screen)
Testing script: 4_10_2
#!/bin/bash
# script name: 4_10_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*))" -S uid
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:48:55 - 18:51:09 134s
18:51:39 - 18:53:51 132s
18:54:21 - 18:56:37 135s
4.11 Research with filter based on "uidnumber" "objectclass" "cn"
4.11.1 ldapsearch result redirect
Testing script: 4_11_1
#!/bin/bash
# script name: 4_11_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*)(cn=*))" > ldapsearch_4_11_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:57:07 – 18:57:13 6s
18:57:43 – 18:57:50 7s
18:58:20 – 18:58:27 7s

4.11.2 ldapsearch result standard output(screen)
Testing script: 4_11_2
#!/bin/bash
# script name: 4_11_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*)(cn=*))"
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
18:58:57 - 19:00:54 117s
19:01:24 - 19:03:21 117s
19:03:51 - 19:05:47 116s
4.12 Research with filter based on "uidnumber" "objectclass" "cn" and sort by uid
4.12.1 ldapsearch result redirect
Testing script: 4_12_1
#!/bin/bash
# script name: 4_12_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*)(cn=*))" -S uid > ldapsearch_4_12_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
19:06:17 – 19:06:38 19s
19:07:08 – 19:07:28 20s
19:07:58 – 19:08:18 20s

4.12.2 ldapsearch result standard output(screen)
Testing script: 4_12_2
#!/bin/bash
# script name: 4_12_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(&(uidnumber=*)(objectclass=*)(cn=*))" -S uid
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
19:08:48 - 19:11:01 133s
19:11:31 - 19:13:45 134s
19:14:15 - 19:16:29 133s
4.13 Research with filter based on "objectclass" sort by "objectclass"
4.13.1 ldapsearch result redirect
Testing script: 4_13_1
#!/bin/bash
# script name: 4_13_1
# ldapsearch result redirect
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)" -S objectclass > ldapsearch_4_13_$i
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
19:16:59 – 19:18:09 70s
19:18:39 – 19:19:50 71s
19:20:20 – 19:21:31 71s
4.13.2 ldapsearch result standard output(screen)
Testing script: 4_13_2
#!/bin/bash
# script name: 4_13_2
# ldapsearch result standard output(screen)
for ((i=0;i<=2;i++))
do
    echo " i = $i"
    echo "Start: `date`"
    ldapsearch -x -D "cn=Directory Manager" -w hello123 "(objectclass=*)" -S objectclass
    echo "End: `date`"
    echo " "
    sleep 30
done
# end of script
The result:
19:22:01 - 19:25:59 238s
19:26:29 - 19:30:26 237s
19:30:56 - 19:34:53 237s

5. Data Analysis

Table 5-1 ldapsearch -x Filter
Filter              (objectclass=*)   (objectclass=*)(cn=*)   (objectclass=*)(cn=*)(sn=*)
-----------------------------------------------------------------------------------------
Time(Redirect)(s)   9                 9                       8
Time(stdio)(s)      90                92                      92

Table 5-2 ldapsearch -x Filter -S uid
Filter              (objectclass=*)   (objectclass=*)(cn=*)   (objectclass=*)(cn=*)(sn=*)
-----------------------------------------------------------------------------------------
Time(Redirect)(s)   70                65                      70
Time(stdio)(s)      162               154                     170
Note: the testing times for ldapsearch -x "(objectclass=*)" -S objectclass are 70s and 238s.

Table 5-3 ldapsearch -x Filter
Filter              (uidnumber=*)   (uidnumber=*)(objectclass=*)   (uidnumber=*)(objectclass=*)(cn=*)
-----------------------------------------------------------------------------------------------------
Time(Redirect)(s)   6               7                              6
Time(stdio)(s)      110             117                            117

Table 5-4 ldapsearch -x Filter -S uid
Filter              (uidnumber=*)   (uidnumber=*)(objectclass=*)   (uidnumber=*)(objectclass=*)(cn=*)
-----------------------------------------------------------------------------------------------------
Time(Redirect)(s)   20              20                             19
Time(stdio)(s)      133             133                            133

Table 5-1 and Table 5-2 show that, although iPlanet has built an index on "uid", a search with the sort operation still took longer to return results than the same search without it. Comparing the returned time (Redirect) in Table 5-3 with Table 5-4, 20 is about 3 times 6; comparing the returned time (Redirect) in Table 5-1 with Table 5-2, 70 is almost 8 times 9. I think this difference between the ratios is caused by the number of returned entries.
The tests in Table 5-1 and Table 5-2 returned about 20,000 entries, but the tests in Table 5-3 and Table 5-4 returned only about 10,000 items because some general users have no uidnumber. So the result is acceptable. From all the tables, we can see that the query time does not increase noticeably when multiple filters are used. It is necessary to take a look at the returning times of "ldapsearch -x "(objectclass=*)" -S objectclass": they are 70s and 238s. The corresponding times for "ldapsearch -x "(objectclass=*)" -S uid", listed in Table 5-2, are 70s and 162s. The time (Redirect) is the same, but 238 is much bigger than 162. I have no reasonable explanation for this yet, and I am still researching it.

Category: Technology Tags:

Basic stability and Language compatibility testing on LDAP

September 17, 2006 No comments

Written by Phillip Huang

Index
– Target
– Testing Environment
– Testing Process
– Testing Result
– Following up
– Summary

1. Target
Test the stability of the LDAP service when creating a large number of users. Clarify the usage of the “getent passwd” and “ldapsearch -x” commands. Test whether the LDAP service supports the Chinese character set.

2. Testing Environment
Machines/Software:
192.168.123.21: LDAP service (port: 390) running on ‘iplanet’; the operating system is Windows 2000 Advanced Server (Service Pack 4).
192.168.123.22: PC with CentOS 4.3 (full installation).
192.168.123.62: SNAZ OS 4
Network Environment: LAN (10Mbps)

3. Testing process.

3.1 Preprocessing
On machine ‘192.168.123.22’, log on as ‘root’. Install ‘smbldap-tools’ (refer to the smbldap-tools How-to manual), then create a shell script ‘ldaptest’ with the following text:
#! /bin/bash
# script name: ldaptest
echo "Start: `date`"
for ((i=1;i<=10000;i++))
do
    /usr/local/sbin/smbldap-useradd -m "testuser$i"
done
echo "End: `date`"
Then set the script's execute permission:
# chmod 777 ldaptest
On machine ‘192.168.123.62’, log in as ‘root’ and modify ‘/etc/openldap/ldap.conf’ to contain the following text:
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
BASE dc=plasmon, dc=com
#HOST 192.168.123.8
#HOST 192.168.123.21
uri ldap://192.168.123.21:390

3.2 Create user with Chinese character set
There are two ways to create users: the ‘smbldap-useradd’ command and the iplanet console.
For smbldap-tools, log on to ‘192.168.123.22’ as root and type ‘# smbldap-useradd Chineseusername’, entering Chinese characters in place of Chineseusername. Then press ‘Enter’ to issue the command and watch the returned message. No message means the operation succeeded. Any other output means failure. (You can also get the status by issuing “echo $?”.)
On the LDAP server at ‘192.168.123.21’, open the iplanet console and turn to the ‘users and groups’ table. Add new users, filling in as much of the user profile as possible with Chinese characters, with special focus on the ‘uid’ and ‘user name’ items.

3.3 Create large number of users
On machine ‘192.168.123.22’, log in as ‘root’ and first run the ‘./ldaptest’ script.
On machine ‘192.168.123.62’, log in as ‘root’ and issue ‘getent passwd’ and ‘ldapsearch -x’ on the command line to view the users added to the LDAP database.
For double checking, on machine ‘192.168.123.21’, which holds the LDAP service and database, open the ‘iplanet’ console and list all users returned by a query.

3.4 End working
When the ‘ldaptest’ script has run to completion, record the ‘Start’ and ‘End’ time information. Keep watching the ‘getent passwd’ result and compare it with what iplanet shows.

4. Testing Result
At the beginning, the ‘ldaptest’ script worked well, and the added users could be seen in the ‘getent passwd’ result. On ‘192.168.123.62’ I also issued ‘getent passwd | wc -l’, and the number of lines increased as expected. After about 30 minutes, the machine ‘192.168.123.22’ running the "ldaptest" script got warning messages:
Cannot confirm uidnumber is free at /usr/local/sbin//smbldaptools.pm line 1062
No user could be inserted from then on.
On machine ‘192.168.123.62’, ‘getent passwd’ showed only the first 2030 items. The rest of the added users were not listed and seemed to be ‘lost’. But I could still get those users' information by issuing ‘getent passwd testuser’. For example, this proved that ‘testuser4600’ existed:
# getent passwd testuser4600
This command returned the ‘testuser4600’ entry from the LDAP database.
When I ran ‘ldapsearch -x’ on ‘192.168.123.62’, the result did not contain all the user entries, and it showed the warning message:
# search result
search: 2
result: 4 size limit exceeded
On "192.168.123.21", the iplanet console showed more users (about 4500), but not all. For example, a user like ‘testuser4800’ could be searched for and its profile was returned, but it was not displayed in the iplanet user list.
To determine how many users had been created, I just guessed by issuing the following commands on ‘192.168.123.62’:
# getent passwd testuser10000
If no result was returned, I continued with:
# getent passwd testuser5000
If ‘testuser5000’ existed, I tried the middle number between 5000 and 10000, and so on. If ‘testuser5000’ did not exist, I tried a user number less than 5000, repeating the loop until the identified number had a corresponding ‘testuser’ entry. Finally, I found the count was 4820. It means "ldaptest" had already created 4820 users.
I stopped "ldaptest" and just executed:
# smbldap-useradd newtestuser
It failed with the same warning message that the ‘ldaptest’ script got earlier. Then I specified the ‘uid’ and tried again:
# smbldap-useradd -u 20000 -a newtestuser
This operation still failed to add ‘newtestuser’; smbldap tools indicated it could not confirm the uidnumber is free.
Later, I used a reversed loop script with "smbldap-userdel testuser$i" to delete all users whose names begin with ‘testuser’. In the first 15 minutes, ‘getent passwd’ showed the remaining ‘testuser$i’ users, and the number of returned lines always held at 2030. After 15 minutes, the "getent passwd | wc -l" result began to decrease, and finally all "testuser$i" users were deleted. Now I could add users again without smbldap tools warning messages.
Then I repeated the whole test again, and the second result was the same as the first one. Only 4820 users could be inserted into the iplanet LDAP database. It’s a limitation.
In the other test, both smbldap tools and iplanet could accept Chinese characters when setting the user profile, except for uid and email. If a Chinese uid was set, there was the following error message:
The value is not 7-bit clean. Constraint violation
Later, I deleted the ‘uid’ limitation from the iplanet ‘7-bit clean’ rules; Chinese could then be entered as a uid, and the user was also found when querying by the Chinese string in iplanet. Smbldap tools did not support a Chinese uid issued in command line mode, and the inserted user with a Chinese uid could not be returned during a query.

5. Following up
In order to display all users in ‘getent passwd’, on machine ‘192.168.123.21’, I modified ‘c:iplanetserversslapd-plz/config/des.ldif’ and changed the nssizelimit value to ‘-1’ (the default nssizelimit is ‘2000’; ‘-1’ means no limit). After restarting the iplanet service, more users were listed, but not all. This change did not affect the ‘getent passwd’ returned result, which still held at 2030 without changing.
In the third-party tool LAT connecting to the ‘192.168.123.21’ LDAP service, only 1000 accounts were displayed as the maximum (Loren is fixing this issue, and today sent me a new patch). Searching for added users such as "testuser4820" and "testuser4800", which were not listed in LAT, both of them could be found and their profiles were returned.
While I was continuing this research, the LDAP server ‘192.168.123.21’ crashed and all the data was lost. We had to format the hard disk and install a new OS. Testing is also halted. Since iplanet has these issues and I have to wait for its reinstallation, I plan to test on another LDAP server (OpenLDAP) in the coming days, focusing on the maximum user count.

6. Summary
The iplanet LDAP server seems to have a limitation on the user count. This issue is waiting to be confirmed in the follow-up testing.
‘getent passwd’ and ‘ldapsearch -x’ could not display all users; only a part of the users was returned.
In iplanet, Chinese could not be used as a ‘uid’ until the ‘7-bit clean’ rules were modified. Smbldap tools do not accept Chinese characters as a ‘uid’ at all.
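The bisection described in section 4 can be scripted instead of typed by hand; the following is an added example, not part of the original post. It is written in portable sh, and the function names, the LAST_USER, PROBES and FIRST_GAP variables and the stub probe are assumptions made for illustration; the search assumes the accounts were created in order with no holes.

```shell
#!/bin/sh
# Added example: bisection for the highest existing "testuser<N>" account.

# Default probe: does NSS resolve the account? Single-name lookups kept
# working in the test above even when enumeration stopped at 2030 lines.
user_exists() {
    getent passwd "testuser$1" > /dev/null 2>&1
}

# Constructed stand-in for offline runs: pretends testuser1..testuser4820 exist.
stub_exists() {
    [ "$1" -le 4820 ]
}

# find_last_user LOW HIGH [PROBE]
# Assumes "exists" is true up to some N and false above it.
# Sets LAST_USER (0 if none exists) and PROBES (number of lookups made).
find_last_user() {
    _lo=$1; _hi=$2; _probe=${3:-user_exists}
    LAST_USER=0; PROBES=0
    while [ "$_lo" -le "$_hi" ]; do
        _mid=$(( ($_lo + $_hi) / 2 ))
        PROBES=$(( $PROBES + 1 ))
        if "$_probe" "$_mid"; then
            LAST_USER=$_mid          # exists: the answer is here or higher
            _lo=$(( $_mid + 1 ))
        else
            _hi=$(( $_mid - 1 ))     # missing: the answer is lower
        fi
    done
    return 0
}

# first_gap LAST STEP [PROBE]
# Spot-checks every STEP-th account below LAST; a hole (for example after an
# interrupted smbldap-userdel loop) invalidates the bisection result.
# Sets FIRST_GAP to the first missing number found, or 0 if none.
first_gap() {
    _n=$2; _probe=${3:-user_exists}
    FIRST_GAP=0
    while [ "$_n" -lt "$1" ]; do
        if ! "$_probe" "$_n"; then
            FIRST_GAP=$_n
            return 0
        fi
        _n=$(( $_n + $2 ))
    done
    return 0
}

# Demo against the constructed stub; drop the third argument to query NSS.
find_last_user 1 10000 stub_exists
first_gap "$LAST_USER" 500 stub_exists
echo "last existing: testuser$LAST_USER ($PROBES lookups, first gap: $FIRST_GAP)"
```

Each probe is a single-name lookup, so the result does not depend on the enumeration limit that truncated ‘getent passwd’.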

Category: Technology Tags:

OpenLDAP Installation

September 17, 2006 No comments

It took me about a week to research the OpenLDAP+SSL installation. Most of the trouble I met was with the OpenSSL and Berkeley DB configuration. Here I write down the steps I used to install them successfully.

Testing Operating System: CentOS 3.5 (On Virtual Machine)
Virtual Machine setting: P3/256M/6G/Bridge Network
Basic Operating System: CentOS 4.3(Final)
Hardware: P4 1.7GHz/DDR266 512M/80G IDE

1. Install OpenSSL
Download the latest version “openssl-0.9.8c.tar.gz” from www.openssl.org/source. Check which openssl is already installed in the system by issuing the following command:
# rpm -qa | grep openssl
The result showed openssl-0.9.7a and openssl-devel-0.9.7a. I tried to remove these two packages with “rpm -e”, but so many packages depend on them that I could not complete the delete operation. Then I downloaded the rpm packages 0.9.8c.rpm and devel-0.9.8c and tried to update with “rpm -Uvh *.rpm”; it also failed. Note that the openssl development package must be installed, or the OpenLDAP installation will have errors. Finally, I decided to compile from the “.tar.gz” source package. As the openssl website indicates, this source code already includes the development packages.

Unzip the tarball package and go to its directory:
# tar zxvf openssl-0.9.8c.tar.gz
# cd openssl-0.9.8c
Here, I set the “--prefix” parameter to “/usr/local/newssl”; if this parameter is not set, “/usr/local” is used as the default. The most important thing to pay attention to is that the “shared” parameter must be added to the configure command. “shared” means that shared libraries are created in addition to the usual static libraries. If “shared” is not set, the OpenLDAP installation will fail.
# ./config --prefix=/usr/local/newssl shared
Check the guessed system type by issuing:
# ./config -t
Begin to build:
# make depend
# make
# make test
# make install
Create the following links:
# cd /usr/local/newssl/lib
# ln -s libcrypto.so libcrypto.so.2
# ln -s libssl.so.0.9.8c libssl.so.c
Update the library cache:
# echo /usr/local/newssl/lib >> /etc/ld.so.conf
# ldconfig -v
Update the PATH:
# vi /root/.bash_profile
PATH=/usr/local/newssl/bin:$PATH:…
Note: here “/usr/local/newssl” should be added in the first position.
Check SSL installation:
# which openssl
If successful, it will show “/usr/local/newssl/bin/openssl”
# openssl version
If successful, it will show “0.9.8c”.

2. Install Berkeley DB 4.3
Download the source code, unzip and compile:
# tar zxvf BerkeleyDB.4.3.tar.gz
# cd BerkeleyDB.4.3/build_unix
# ../dist/configure
By default, Berkeley DB is installed under the “/usr/local” directory.
# make && make install
The most important step at this stage is to replace the former Berkeley DB version 4.1 which is already installed in the OS. If this step is ignored, the OpenLDAP installation fails with “Berkeley DB version mismatch”.
# cd /usr/lib
Remove all items named “libdb4.1”, and copy all the 4.3 libraries in “/usr/local/BerkeleyDB.4.3/lib” to “/usr/libdb4.1”. Now everything about Berkeley DB has been configured successfully.

3. Install OpenLDAP
Download the source code from www.openldap.org; the version I used is 2.3.29.
Unzip the package:
# tar zxvf openldap-2.3.29.tar.gz
Before running “configure”, the environment must be set correctly: “CPPFLAGS” holds the locations of the OpenSSL and Berkeley DB include directories, and “LDFLAGS” holds the locations of the OpenSSL and Berkeley DB library directories.
# env CPPFLAGS="-I/usr/local/newssl/include -I/usr/local/BerkeleyDB.4.3/include" LDFLAGS="-L/usr/local/newssl/lib -L/usr/local/BerkeleyDB.4.3/lib" ./configure --with-tls
If all the above steps were done correctly, the configure process will create the makefile without errors.
# make
# make install

Finally, run “/usr/local/libexec/slapd” on the command line to check whether the installation has completed. If slapd runs well, the installation was successful.

Category: Technology Tags: