389 Directory Server – “disallow_pw_change_aci”

Another addition to my own F(#$)king M(anual). I recently updated my 389 Directory Server and encountered a permission error when changing passwords. In my ACI list, there’s this “disallow_pw_change_aci” which doesn’t allow users to change their password. The first thing I missed after the upgrade was to run setup-ds.pl -u, so I did that immediately. It still didn’t work when I tried a password change on the machine that I upgraded. My setup is a pair of DS servers running Multimaster Replication. Turns out that both machines have to be updated with the setup-ds.pl script in order for the password change to work.

Hope this helps for anyone else encountering this error.

Bluetooth Support In Ubuntu Is Weak…..

I just got myself a bluetooth keyboard to get rid of all the wires running on my desk. First thing I tried was to pair it with my notebook running Ubuntu 10.10. Pairing was ok. And that’s about it?! It was painful trying to get the keyboard properly connected. There’s no indication in dmesg that a keyboard is found, and after a few tries of restarting bluetooth and restarting the keyboard, dmesg showed an HID device detected, i.e. the keyboard, but it still didn’t work.

At first I thought it could be the keyboard itself. After all, I got it from http://ww.taobao.com. So, I decided to pair it with my iPhone. Seamless. Paired, got it working right away. Switched off the keyboard, turned it on again and the iPhone connected the keyboard automatically. My Macbook was the ultimate. Even in sleep mode, it was holding on to the connection to the keyboard, and I could wake the Macbook from sleep mode with this keyboard. The experience was perfect!

So, what’s wrong with Ubuntu? I know, with some troubleshooting and tinkering, I can definitely get it to work eventually, but it’s so much more troublesome compared to Mac. The Ubuntu desktop experience has improved and surpassed other Linux distros, but it’s still way way way behind Mac.

Enough of rants, I still need to try to get the keyboard to work. Shall update the blog once I solve the problem.

Solaris Zone Administration – Changing IP Address

I had to get my hands dirty recently to migrate some Solaris boxes. While I’m not totally unfamiliar with Solaris zones, the commands slipped my mind since I don’t use it on a day to day basis.

zonecfg -z zonename
select net address=x.x.x.x (where x.x.x.x is the current address)
set address=y.y.y.y (where y.y.y.y is the new address)
end (leave the net resource scope)
commit (write the change to the zone configuration; a running zone picks it up on its next boot)
exit

That’s it. Another quick reference and addition to my own F(**king)M(anual).

OpenSSL Certificate Format Conversion

I have been working on SSL/TLS on my 389 Directory Server lately. That in turn requires me to dive slightly deeper into OpenSSL.

Here’s a few useful commands to convert the different certificate formats. Source: https://www.sslshopper.com/ssl-converter.html

OpenSSL Convert PEM

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

OpenSSL Convert DER

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

OpenSSL Convert P7B

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

OpenSSL Convert PFX

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

Note that -nodes writes the private key into the output file unencrypted, so the resulting file needs the same file permissions as the original key.
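To show what the PEM/DER conversions above actually do under the hood, here is an added Python example (not from the original post or from OpenSSL) that converts between the two formats and checks the outer DER length field so a truncated or padded certificate file is caught. The sample bytes are a constructed minimal DER SEQUENCE standing in for a certificate, not a real certificate.

```python
import base64
import re

# Constructed sample (not a real certificate): a minimal DER SEQUENCE.
# A real X.509 certificate is also an outer SEQUENCE, so the same checks apply.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x01, 0x05, 0x00])  # SEQUENCE { INTEGER 1, NULL }

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_outer_length(der: bytes) -> int:
    """Total encoded size of the outer DER element; lets a truncated or padded
    file be caught before it is handed to another tool."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (certificates start with 0x30)")
    first = der[1]
    if first < 0x80:                       # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """What `openssl x509 -inform der` does: base64 the bytes in 64-column lines."""
    if der_outer_length(der) != len(der):
        raise ValueError("DER length field does not match file size")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pem_to_der(pem: str, expected_label: str = "CERTIFICATE") -> bytes:
    """What `openssl x509 -outform der` does: strip the armour and decode."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label != expected_label:            # e.g. a PRIVATE KEY handed in by mistake
        raise ValueError(f"expected {expected_label} block, found {label}")
    der = base64.b64decode("".join(body.split()), validate=True)
    if der_outer_length(der) != len(der):
        raise ValueError("decoded DER is truncated or has trailing bytes")
    return der

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem, end="")
    assert pem_to_der(pem) == SAMPLE_DER
```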

LDAP Authentication On Red Hat Enterprise 6

After receiving a comment from my previous post on LDAP authentication on RHEL5, I decided to test it on RHEL6. According to the reader, Nick, there are some differences in the LDAP authentication in RHEL6. I tried it out myself and indeed it doesn’t work. Even getent passwd doesn’t work. Nick mentioned that configuration is needed in nslcd.conf. This is a file which I have not seen before.

In any case, I looked up nslcd and found that it’s the local LDAP name service daemon. And on my machine, this daemon isn’t running. I started the daemon and everything sprang to life. SSH and getent work. In all my previous deployments, I made sure there was no caching on the local machine by disabling nscd (Name Service Caching Daemon). Now that there’s a dependency on another caching daemon, I need to consider the pros and cons again and possibly disable the caching.

This is an interesting note for upgraders from RHEL5 to RHEL6. Thanks to Nick for raising this issue.

My H1N1 Encounter

My wife and I developed flu symptoms early this week. Because she’s from the healthcare sector, it’s mandatory for her to take the H1N1 swab test. After that she was given MC to wait at home for the results. As for me, I was given a day of MC by my doctor. I took an additional day of leave in case her results were positive. I didn’t want to go back to the office and spread the virus to more people.

Results were out 24 hours after taking the test. Unfortunately the result was positive. I immediately accompanied her back to the A&E for follow up and to see the doctor and take the test myself.

This is where the idiotic thing occurred. I identified myself as having had direct contact with an H1N1 patient, i.e. my wife. After running through a series of questions and some basic checks, I was told that they would not conduct the test for me because my symptoms did not fit the criteria. I reasoned with the doctor that although I didn’t have the full blown symptoms, my risk was significantly higher. We got the flu at the same time, so it’s not likely that she has H1N1 and I have a common flu. He agreed with me but said it was protocol that stipulated that the test would not be conducted. According to him, it’s some MOH guideline. He then suggested I do the test at a polyclinic or a GP. My case was treated as normal flu. Upon my request he gave me MC until the end of the week so that I don’t go around spreading either the flu or the H1N1 virus in the office.

In my opinion, it’s baffling. The hospital does not have a conclusive diagnosis that it’s not H1N1 but they can’t perform the test due to protocol. So assuming I’m carrying the virus, I would need to travel to another location, in the process possibly spreading the virus. All because of rigid protocol that doesn’t make sense. I’m not blaming the doctor. He’s just doing his job.

Anyway, I’m calling my own doctor tomorrow to see what his recommendation is.

– Posted using BlogPress from my iPhone