1. Setup Sun’s JES Directory Server on a Solaris 10 machine
2. Configure the DS to have the AIX schema and objectclasses needed for user and group info
3. Configure a AIX test machine to authenticate against the Sun LDAP Server
4. Eventually move all AIX machines from the IBM DS to Sun DS, thereby having one set of servers that control all users/passwords for all Sun/Linux/AIX machines

Step 1: AIX Schema
The first thing I had to overcome is how AIX has 4 different ways of using LDAP for authentication. AIX 4.3.3 and AIX 5.1 used a non RFC2307 compliant schema. AIX 5.2 and AIX 5.3 can use this old schema or RFC2307, or a new one called RFC2307AIX, which combines the old with the new (there is also another one that I will not cover). When I originally setup the IBM LDAP I used the RFC2307AIX because it allows me to store ulimits and other info about AIX accounts in LDAP and not on each individual machine. But this also makes it harder to port these things over to Sun’s LDAP. Which lead me to yesterday’s afternoon adventure, creating a schema file that would work. I will link to my final copy below.

Step 2: AIX ObjectClasses
Second up was to create the objectclasses required for AIX Authentication, which consisted of creating the eAccount, AIXAccount,AIXaccessGroup, ibm-SecurityIdentities, container, and account. Some of these may not be needed for a fresh install, but I am trying to move entries from IBM’s LDAP to Sun’s LDAP with the least amount of editing an extremely huge ldap ldif export file. I will link to my final copy of this file below as well.

Step 3: Install JES DS
The third step was to download and install the DS 5.2.P4 on my fresh install of Solaris 10 U3 running on a Sparc machine. I did the custom install as I wanted to change the location of where it was installed to. The other thing I did is not load any sample data. Once the install was done, I ran the /usr/lib/ldap/idsconfig script to setup the DS. This is sort of how it went (copied from another doc):

Unfortunately the “directoryserver” command does not exist in Solaris 10, so i did the following:

(I installed the ldap server to /ldapserver)

Now that the indexes are created we can go on to the next step of modifying the schema.

Step 4: Importing new schema
Now I can import the AIXAttributes.ldif and the AIXObjectClasses.ldif files to my fresh newly installed server:

All should go well on the above imports. There were a couple of quirks that I found when creating the files, like how IBM uses one OID for a value when Sun uses a different one.

Step 5: Creating an OU for AIX data
By this time I have fired up the Console for the LDAP server and was doing things through the gui. The first thing I did was create a new OU for my aix data, i.e. ou=aixdata,dc=example,dc=com. This OU is where all my AIX stuff will be, the ou=people,dc=example,dc=com will be where my Sun users will go. (Can’t combine them yet because of massive amounts of differing UIDS between the AIX users and Sun Users).

After creating this, create 2 more OU’s under the aixdata. The first one will be for all users, ou=aixuser,ou=aixdata,dc=example,dc=com. The second will be for group information, ou=aixgroup,ou=aixdata,dc=example,dc=com.

Step 6: Create and AIX LDAP Admin Account
Because of how the AIX servers need to connect and get/put info into ldap, you will need to create an account that has read/write access to the 2 new ou’s you created. (This account is sort of similar to the Sun proxyagent account created with the idsconfig). I created my user, uid=aixldap,ou=aixdata,dc=example,dc=com. Also set the password for it to never expire (if you make it expire, you will have to update every AIX server every time the password expires). Once this user is created give it full read/write access to the ou=aixuser and ou=aixgroup with ACI’s.

Step 7: Export info from IBM LDAP
Since I am planning on moving from IBM LDAP to Sun LDAP I need to export the data from my IBM LDAP to an ldif format:

Do the above on the IBM LDAP server, it will put a file called /tmp/ldapexport.ldif. But now I need to “clean” some stuff out of it. Some of the stuff I need to remove is anything that is not User and Group related. For example I had IBM LDAP Replication setup so there are a ton of entries for that. (so the only thing you should have in your ldif file are entries for the dn’s like username=*,ou=aixuser,ou=aixdata,dc=example,dc=com and groupname=*,ou=aixgroup,dc=example,dc=com
)

Step 8: Import users and groups
Next I imported the cleaned file:

Now all your users and groups should be in the new ldap server.

Step 9: Misc config in Sun LDAP
Some other stuff I did was add a couple indexes to the non-standard attributes that AIX uses:
groupname
username
hostsallowedlogin

The hostsallowedlogin allows us to put an entry in the persons LDAP entry to say which hosts they can log in to. If the attribute does not exist they can log in to any host that is served by this LDAP server. But if they have a value in this attribute, they can only log in to those host(s). (there is also a hostsdeniedlogin, which is the opposite of the hostsallowedlogin, if you want them to log in to every machine but one you can just populate that single host in to the hostsdeniedlogin).

Step 10: Configure AIX to talk to ldap server
One of the fall backs I don’t like about LDAP on AIX is that you have to have a local ldap user, and the ldap client software does not come with the base os. So you will have to install the ldap.client.adt and ldap.client.rte (probably don’t need the adt, but I install it anyways). During this install it usually creates the ldap user and group, which is never where we want it so either create an ldap group and ldap user before you install it, or after it is installed do the following, change the userid and groupid to what you want it to be in /etc/passwd and /etc/group and then run:

Now we can run the mksecldap command:

The above is all on one line. You must make sure the -t is set to 0, if it is not then you will get some weirdness that I will talk about later.

Once this is done, then you need to tell AIX that it is to look in LDAP for it’s info, you will need to edit another file /etc/security/user:

in the “default:” stanza, you will need to change the SYSTEM variable to LDAP, and add a registry variable with the value of LDAP.

I.E.:

Now you should be able to do an id username, and see some results:

Next up try logging in remotely (you may have to create your home directory first). It should work.

Some Notes

1. If you do not set the cachetimeout to be 0, if you change a users password as root, the user will get thrown in to a loop of changing their passwords. I.E. They will never be able to login as everytime they login it will say their password has expired and make them change it again and then it will kick them off (ie close their ssh session). Lather/rinse/repeat.
2. After importing the users from an existing IBM server, you can delete the IBM-ENTRYUUID and the control attributes, they are for IBM DS only and have no use in Sun’s LDAP.
3. Any problems on the import/etc, make sure to look at the ldap server error logs (/ldapserver/slapd-ldap2/logs/error_log) it should tell you exactly what is wrong.
4. If you replicate this LDAP server, you should probably do a Master/Master relationship because of how AIX always stores info about last logins/etc in LDAP. I have not tested yet if it can follow referrals yet.

Here are the two files I was talking about:

AIXAttributes.ldif
AIXObjectClasses.ldif

Some other links:
IBM’s Redbook : Integrating AIX into Heterogeneous LDAP Environments, which I found was missing some stuff

Sun’s Cookbook for Solaris 8 client with Directory Server 5.1/Solaris 9 which I follow some times if I need to connect Solaris 8 machines in.

Hope this helps some one, if it does leave me a message.

Technorati Tags: IBM, Sun, LDAP

1. Install took 3 reboots to install. You would think that since it is delivered on DVD, that it would only need 1 boot, and then you are done.
2. Too many popup’s. Every time you download a program to install, or try to run something it constantly asks are you sure you want to run this?
3. You can not set Firefox as the default browser. I tell Firefox every time it starts to make it the default browser, and as soon as you close it IE becomes the default again. I even changed it in the Default Program’s settings in Windows and it never sticks.
4. During the Install it asks you to create an account, this account is automatically given Administrator rights still, and even with Admin rights it still keeps asking you all the questions.
5. Before I changed the start menu to the classic mode, I clicked what I thought was the “shutdown” icon. The machine immediately went to sleep. It took me unplugging the power from the machine to get it to boot right again. I think this is how they are trying to say that Vista boots so fast, when it never really is booting just resuming from hibernate mode.
6. The desktop icons are either freakishly huge or small and crappy, no real in between.
7. The pop-ups, did I mention that already, I will get screen shots later, but they are so annoying
8. The constant popping/fading of windows. Every time an application opens a new window it will pop and fade in/out. How annoying..
9. Activation failed every time with some “DNS” error.. Ended up going in and clicking on the “Change Product Key” and typing the same product key in and it all of the sudden said it was activated.
10. Control Panel is almost completely different, new names for old stuff
11. Logging, take a look in the system log stuff and see all the stuff that it logs, install Office 2007 and see any more of what is logged.

Overall I am not impressed at all. If you put it besides Mac OS X, it is trying to mimic everything, but is so badly done that it requires a huge machine to run it on.

And if you did not see The Daily Show last night on Comedy Central, John Stewart was interviewing Bill Gates about Vista, it was a very funny interview and John kept trying to get Bill’s password out of him. Sorry Bill but this is one OS i will not be installing on my home PC.

(N.B. The version of Windows Vista I was using was the Enterprise Edition.)

Now if you add up the Aborted/Discarded/Quarantined/Rejected you get 462,908 messages, which gives you about 92% of the mail coming in was listed as spam. And this is just for 1 of 7 incoming servers we have. If I were to expand this by 7 (assuming all were equal, which they are not), then there would be 3.5 million messages coming in and 3.2 million spam messages.

And based on this article on CNN looks like we are right on the money. If only we could block all gif images in email I think we could get the number a little higher on the catch rate.

To reindex 6.4 million messages, 7+ hours
To reimport the header information of those messages back in to PostgreSQL: 38 hours 28 minutes, 29 seconds.

What is the outcome of this? The Spam DB went from 80+ gig down to 7.5Gig and the searchs are MUCH faster now. Hopefully this will fix some of the problems we have been having over the last week with people trying to release their spam messages.

Technorati Tags: Solaris, ZFS, TSM, Tivoli

Anyways tonight I took a freshly installed zone on my home server and installed Gaim on it from blastwave, 67 packages and 402 Meg later it is installed. Here is a list of the packages it installs, and the size of them in bytes:

Notice the first 2 packages, Firefox and Mozilla (quarter of the space used), now seemed to be required to run Gaim 2.0 for some reason. So back to my title for this post, is it better to compile your own software or use binaries? Well I guess it depends on what you want to do. I usually don’t like having more than one copy of a particular piece of software on a machine (for example I usually get firefox directly from mozilla since it seems to be a more up to date one than the blastwave one). And when looking through the list of what was installed most of that is already included in Solaris 10, so there is now two copies of each on the machine.

So a question to the blastwave people, any chance of building special packages just for solaris 10 that are linked againest the libraries already in solaris 10?

Interesting, we then spent a while trying to figure out what was supposed to be in there. Running “inetadm -l network/apocd/udp” produced this:

What I ended up doing was this:

So now apoc runs, but now only part of the config stuff that I set in the Desktop Manager actually works. For example, I got the splash screen not to show, but I can’t get the default terminal to be dtterm instead of gnome-terminal (dtterm uses about 7meg of ram, whereas gnome-terminal uses about 78 meg..Take that and add about 20 users with about 10 or 15 terminal windows open and you have 2gig of ram for dtterm vs 23.4 gig of ram) So now we are trying to figure out some other performance enhancements. Thinking about putting a less intensive graphical environment on it for the people to use.

Any one have some good tips for speeding up a 10 x 1.2GHz UltraIII box with 16gb of ram running Solaris 10?

Technorati Tags: Sun Ray, Solaris 10

12 x 300gb FC drives in the array, 2 assigned as Global spares, and the rest were assigned to 2 RAID 5 arrays of 5 disks each. One array on each controller. Now comes the fun part. Because of the way that the firmware on the controllers works (we have redundent controllers in the 3510 and 2 qlogic cards in the E25K domain) we had to connect 4 links between the 3510 to our San Director. So we have something that looks sort of like this:

What this produces is 3 Luns from the primary controller and 3 luns from the secondary controller being visible on each of the qlogic cards. On the host side we are using MPxIO to handle the multipathing. So if you are trying to do the same thing, remember that you need 4 connections from the Array to the SAN Fabric, 2 to each fabric, if you have different fabric domains. Otherwise, you will end up with only seeing half of the disks on each controller and you will not be in a redundent state. If you try to directly attach the array to the host, then you still need 4 connections and will have to use dual ported cards.. Sun needs to update the firmware on this device so you can make the luns appear on each controller with out having to use 4 different connections and still be redundent.