389 Directory Server – “disallow_pw_change_aci”

Another addition to my own F(#$)king M(anual). I recently updated my 389 Directory Server and encountered a permission error when changing passwords. In my ACI list there's this "disallow_pw_change_aci", which doesn't allow users to change their password. The first thing I missed after the upgrade was to run setup-ds.pl -u, so I did that immediately. It still didn't work when I tried a password change on the machine I had upgraded. My setup is a pair of DS servers running Multimaster Replication. Turns out that both machines have to be updated with the setup-ds.pl script in order for the password change to work.
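A quick way to confirm that both masters actually serve the same ACIs after an upgrade is to pull the aci attribute from each replica and diff the ACI names. The script below is an added example, not part of the original post or of 389 DS itself; the host names, bind DN, password file and suffix are placeholders you supply, and the LDIF sample at the bottom is constructed to exercise the parser offline. It handles the one detail that trips up a naive grep: LDIF folds long values (and ACIs are long) onto continuation lines that begin with a single space.

```shell
#!/bin/sh
# Added example (not from the original post): list the ACI names each 389 DS
# replica actually serves, so two masters can be compared after an upgrade.
# LDIF folds long values onto continuation lines that start with one space, so
# the fold has to be undone before matching on acl "name".
# Base64-encoded values (aci::) are not decoded here.

# Unfold LDIF on stdin: a line beginning with a space continues the previous line.
ldif_unfold() {
    awk '
        /^ /    { sub(/^ /, ""); buf = buf $0; next }
        NR > 1  { print buf }
                { buf = $0 }
        END     { if (NR > 0) print buf }
    '
}

# Print the acl "name" of every aci value in the LDIF on stdin, sorted.
aci_names() {
    ldif_unfold | sed -n 's/^aci: .*acl "\([^"]*\)".*/\1/p' | LC_ALL=C sort
}

# Fetch every aci attribute under a suffix from one replica (OpenLDAP client tools).
# Host, bind DN, password file and suffix are whatever your site uses.
dump_acis() {   # host binddn passwdfile suffix
    ldapsearch -x -LLL -H "ldap://$1" -D "$2" -y "$3" -b "$4" '(aci=*)' aci
}

# Compare the ACI name sets of two replicas. Any difference means an update
# such as setup-ds.pl -u was applied on one master only.
compare_replica_acis() {   # host1 host2 binddn passwdfile suffix
    left=$(dump_acis "$1" "$3" "$4" "$5" | aci_names)
    right=$(dump_acis "$2" "$3" "$4" "$5" | aci_names)
    if [ "$left" = "$right" ]; then
        echo "ACI names match on $1 and $2"
    else
        echo "ACI names differ between $1 and $2"
        echo "--- $1"; printf '%s\n' "$left"
        echo "--- $2"; printf '%s\n' "$right"
        return 1
    fi
}

# Constructed sample output with two folded aci values (illustrative ACI bodies,
# not copied from a real server), used to exercise the parser without a directory.
SAMPLE_LDIF='dn: dc=example,dc=com
aci: (targetattr = "userPassword")(version 3.0; acl "disallow_pw_change_aci"; de
 ny (write) userdn = "ldap:///self";)
aci: (targetattr != "userPassword")(version 3.0; acl "Anonymous read"; allow (re
 ad, search, compare) userdn = "ldap:///anyone";)
'
```

Run compare_replica_acis ds1 ds2 "cn=Directory Manager" /root/.dmpw dc=example,dc=com against your own pair; after the fix described above both lists should be identical, and a user-level ldappasswd against each master should succeed on both.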

Hope this helps for anyone else encountering this error.

Bluetooth Support In Ubuntu Is Weak…..

I just got myself a bluetooth keyboard to get rid of all the wires running across my desk. The first thing I tried was to pair it with my notebook running Ubuntu 10.10. Pairing was ok. And that's about it?! It was painful trying to get the keyboard properly connected. There was no indication in dmesg that a keyboard had been found; after a few tries restarting bluetooth and restarting the keyboard, dmesg showed a HID device detected, i.e. the keyboard, but it still didn't work.

At first I thought it could be the keyboard itself. After all, I got it from http://ww.taobao.com. So, I decided to pair it with my iPhone. Seamless. Paired, got it working right away. Switched off the keyboard, turned it on again, and the iPhone connected to the keyboard automatically. My Macbook was the ultimate. Even in sleep mode it held on to the connection to the keyboard, and I could wake the Macbook from sleep with it. The experience was perfect!

So, what's wrong with Ubuntu? I know that with some troubleshooting and tinkering I can definitely get it to work eventually, but it's so much more troublesome compared to the Mac. The Ubuntu desktop experience has improved and surpassed other Linux distros, but it's still way way way behind Mac.

Enough of rants, I still need to try to get the keyboard to work. I'll update the blog once I solve the problem.

Solaris Zone Administration – Changing IP Address

I had to get my hands dirty recently to migrate some Solaris boxes. While I'm not totally unfamiliar with Solaris zones, the commands slipped my mind since I don't use them on a day to day basis.

zonecfg -z zonename
select net address=x.x.x.x (where x.x.x.x is the current address)
set address=y.y.y.y (where y.y.y.y is the new address)
end
commit
exit

Without end and commit the change is discarded when you leave zonecfg. The new address only takes effect when the zone is next booted (zoneadm -z zonename reboot); zonecfg -z zonename info net shows what is committed.

That’s it. Another quick reference and addition to my own F(**king)M(anual).

OpenSSL Certificate Format Conversion

I have been working on SSL/TLS on my 389 Directory Server lately. That in turn requires me to dive slightly deeper into OpenSSL.

Here’s a few useful commands to convert the different certificate formats. Source: https://www.sslshopper.com/ssl-converter.html

OpenSSL Convert PEM

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

OpenSSL Convert DER

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

OpenSSL Convert P7B

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

If the .p7b is DER-encoded (common when it was exported from Windows), add -inform der. A PKCS#7 bundle carries certificates only, never a private key.

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

OpenSSL Convert PFX

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

-nodes writes the private key into certificate.cer unencrypted, so create that file under a restrictive umask (umask 077) and treat it like the key it contains. To split the bundle, run the command twice: with -nocerts -out privateKey.key for the key and with -nokeys -out certificate.crt for the certificates.
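The conversions above change only the container, never the certificate, and the SHA-256 fingerprint is the easy way to prove that after each step. The script below is an added example (not from the original post or from sslshopper) that generates a throwaway self-signed key and certificate, runs the PEM/DER, PEM/P7B and PEM/PFX round trips from the list, and checks the fingerprint each time. It assumes an openssl binary in PATH; file names, the working directory and the export password are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): round-trip a certificate through
# DER, PKCS#7 and PKCS#12 and prove nothing was lost by comparing fingerprints.
# Requires openssl in PATH. WORK, the file names and the password are arbitrary.

WORK=${WORK:-$(mktemp -d)}

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fpr() {   # pemfile
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Throwaway self-signed key and certificate (constructed test input, not a real identity).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=roundtrip.example" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# PEM -> DER -> PEM: the encoding changes, the certificate must not.
roundtrip_der() {
    openssl x509 -outform der -in "$WORK/cert.pem" -out "$WORK/cert.der" &&
    openssl x509 -inform der -in "$WORK/cert.der" -out "$WORK/cert_from_der.pem" &&
    [ "$(cert_fpr "$WORK/cert.pem")" = "$(cert_fpr "$WORK/cert_from_der.pem")" ]
}

# PEM -> P7B -> PEM. pkcs7 -print_certs prefixes each block with subject=/issuer=
# lines; the PEM reader skips them, so the fingerprint check still works.
roundtrip_p7b() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/cert.pem" -out "$WORK/cert.p7b" &&
    openssl pkcs7 -print_certs -in "$WORK/cert.p7b" -out "$WORK/cert_from_p7b.pem" &&
    [ "$(cert_fpr "$WORK/cert.pem")" = "$(cert_fpr "$WORK/cert_from_p7b.pem")" ]
}

# PEM + key -> PFX -> PEM. The export password protects the .pfx; on the way
# back, -nodes leaves the private key in clear text, so the output is created
# with umask 077 and the script checks that the key really is unencrypted.
roundtrip_pfx() {   # export-password
    openssl pkcs12 -export -out "$WORK/bundle.pfx" -inkey "$WORK/key.pem" \
        -in "$WORK/cert.pem" -passout "pass:$1" &&
    (umask 077 && openssl pkcs12 -in "$WORK/bundle.pfx" -nodes \
        -out "$WORK/bundle.pem" -passin "pass:$1") &&
    [ "$(cert_fpr "$WORK/bundle.pem")" = "$(cert_fpr "$WORK/cert.pem")" ] &&
    grep -q 'PRIVATE KEY' "$WORK/bundle.pem" &&
    ! grep -q 'ENCRYPTED' "$WORK/bundle.pem"
}

# Run every round trip; stops at the first mismatch.
run_all() {
    make_test_cert && roundtrip_der && roundtrip_p7b &&
    roundtrip_pfx 'export-secret' &&
    echo "all conversions preserved the certificate (files in $WORK)"
}
```

Remove $WORK afterwards: it holds an unencrypted private key, even if only a test one.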

LDAP Authentication On Red Hat Enterprise 6

After receiving a comment on my previous post on LDAP authentication on RHEL5, I decided to test it on RHEL6. According to the reader, Nick, there are some differences in LDAP authentication in RHEL6. I tried it out myself and indeed it doesn't work. Even getent passwd doesn't work. Nick mentioned that configuration is needed in nslcd.conf. This is a file which I had not seen before.

In any case, I looked up nslcd and found that it's the local LDAP name service daemon. On my machine this daemon wasn't running. I started the daemon and everything sprang to life. SSH and getent work. In all my previous deployments I made sure there was no caching on the local machine by disabling nscd (Name Service Caching Daemon). Now that there's a dependency on another caching daemon, I need to consider the pros and cons again and possibly disable the caching.

This is an interesting note for upgraders from RHEL5 to RHEL6. Thanks to Nick for raising this issue.
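On RHEL6 a getent passwd lookup travels nsswitch.conf -> libnss_ldap -> nslcd -> the directory, so if any link is missing the lookup silently returns nothing, which is exactly the symptom above. The script below is an added example (not from the original post or from nss-pam-ldapd) that checks the chain: nsswitch.conf must list ldap for passwd, group and shadow, nslcd.conf must carry a uri and a base, and nslcd must be running. The file paths default to the RHEL6 locations but are parameters so the parsers can be exercised on the constructed samples at the bottom; the sample values are made up.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose the RHEL6 LDAP
# name-service chain. Static checks parse the config files passed in; the
# live check uses the RHEL6 service/chkconfig tools and a real getent lookup.

# Does the named nsswitch database (passwd, group, shadow) consult ldap?
# Comment lines never match because their first field starts with '#'.
nsswitch_uses_ldap() {   # database nsswitch.conf
    awk -v db="$1:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END      { exit found ? 0 : 1 }
    ' "$2"
}

# Print the value of one nslcd.conf key (first occurrence; comments ignored).
nslcd_conf_get() {   # key nslcd.conf
    awk -v key="$1" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$2"
}

# Static checks: report everything missing, return non-zero if anything is.
ldap_nss_config_check() {   # nsswitch.conf nslcd.conf
    nss=${1:-/etc/nsswitch.conf} conf=${2:-/etc/nslcd.conf} rc=0
    for db in passwd group shadow; do
        nsswitch_uses_ldap "$db" "$nss" || { echo "$nss: $db does not list ldap"; rc=1; }
    done
    for key in uri base; do
        [ -n "$(nslcd_conf_get "$key" "$conf")" ] || { echo "$conf: missing $key"; rc=1; }
    done
    return $rc
}

# Live checks on the box itself: is nslcd up, and does a real user resolve?
ldap_nss_live_check() {   # username
    service nslcd status >/dev/null 2>&1 || {
        echo "nslcd is not running; fix with: service nslcd start; chkconfig nslcd on"
        return 1
    }
    getent passwd "$1" >/dev/null || { echo "getent passwd $1 returned nothing"; return 1; }
    echo "ok: $1 resolves through nslcd"
}

# Constructed samples (not from a real host) for exercising the parsers offline.
SAMPLE_NSSWITCH='passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
'
SAMPLE_NSLCD='# constructed sample nslcd.conf
uid nslcd
gid ldap
uri ldap://ldap.example.com/
base dc=example,dc=com
'
```

On a real RHEL6 host run ldap_nss_config_check with no arguments and then ldap_nss_live_check someuser; the static check passing while the live check fails is the "daemon not started" case described above.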