ldapmodify: be careful with attribute options

When the attribute values in a modify change record carry attribute options, clients must include those options in the attribute name that follows the mod-spec keyword as well. Consider the following LDIF:

# wrong
dn: cn=test,c=us
changetype: modify
replace: your-attribute-name
your-attribute-name;binary: binary-stuff

The your-attribute-name on the replace: line must contain the option (binary in this case). Here is the corrected LDIF:

# right
dn: cn=test,c=us
changetype: modify
replace: your-attribute-name;binary
your-attribute-name;binary: binary-stuff

Some broken ldapmodify tools (notably the legacy OpenLDAP ldapmodify tool) and directory servers accept the first (wrong) LDIF as correct. Be sure to follow the standards.
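Because some tools and servers accept the wrong form silently, the mismatch is easiest to catch before the LDIF is sent. The following Python check is an added example, not code from the original post: it reports every value line in a modify record whose attribute description differs from the one on its mod-spec line. The function names are hypothetical; it assumes records are separated by blank lines, that each mod-spec is closed by a "-" line as RFC 2849 specifies, and that options compare case-insensitively and as a set.

```python
import re

MOD_RE = re.compile(r"^(add|delete|replace):\s*(\S+)\s*$", re.I)

def _normalize(desc):
    # Attribute type plus its set of options, compared case-insensitively.
    base, *options = desc.lower().split(";")
    return base, frozenset(options)

def _unfold(record):
    # Join folded lines (continuations start with one space), then drop comments.
    lines = []
    for raw in record.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return [l for l in lines if not l.startswith("#")]

def lint_modify_records(ldif_text):
    """Return (dn, mod_spec_attr, value_attr) for each mismatching value line."""
    findings = []
    for record in re.split(r"\n{2,}", ldif_text.replace("\r\n", "\n")):
        lines = _unfold(record)
        if not any(l.lower().replace(" ", "") == "changetype:modify" for l in lines):
            continue
        dn = next((l[3:].lstrip(": ") for l in lines if l.lower().startswith("dn:")), "?")
        current = None  # attribute description named by the open mod-spec
        for line in lines:
            if line == "-":
                current = None
            elif current is None and (m := MOD_RE.match(line)):
                current = m.group(2)
            elif current is not None:
                attr = line.split(":", 1)[0]
                if _normalize(attr) != _normalize(current):
                    findings.append((dn, current, attr))
    return findings

# Constructed sample: the page's wrong record, then its right record.
SAMPLE = """dn: cn=test,c=us
changetype: modify
replace: your-attribute-name
your-attribute-name;binary: binary-stuff

dn: cn=test,c=us
changetype: modify
replace: your-attribute-name;binary
your-attribute-name;binary: binary-stuff"""
```

Running `lint_modify_records(SAMPLE)` reports only the first record; an empty list means every value line matches its mod-spec.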


Pass-Through Authentication Plugin

The UnboundID Directory Server provides a way to capture passwords and store those passwords in a local entry. This is useful when migrating to UnboundID Directory Server from a server which does not allow the extraction of passwords, for example, NetIQ eDirectory.

Configure the Pass-Through Authentication Plugin to verify a password that is presented by a user via a Simple Bind Request against the system where the password is actually stored. Once the password is verified against the external server (by a BIND request), then the password can be stored locally, and the external server is never contacted again for that user. Then that user account can be deleted from the external server.


Evernote drop-down font list

“Evernote is a suite of software and services designed for notetaking and archiving. A “note” can be a piece of formatted text, a full webpage or webpage excerpt, a photograph, a voice memo, or a handwritten “ink” note. Notes can also have file attachments. Notes can be sorted into folders, then tagged, annotated, edited, given comments, searched and exported as part of a notebook. Evernote supports a number of operating system platforms (including Microsoft Windows, Mac OS X, Chrome OS, Android, iOS, Windows Phone, and WebOS), and also offers online synchronization and backup services.” — Wikipedia (English) entry retrieved 08-JAN-2012

Evernote is a useful application for taking and making notes. On the Mac, the list of fonts in the drop-down list for a note is taken from the “Web” font collection. To add fonts to the list of fonts in the drop-down list, open the Font Book application and add fonts to the “Web” collection. For example, to add additional fixed-width fonts make the “Web” font collection look like this:

[image: font-book web collection]

Restart the Evernote application if it is already running. The drop-down list should then look like this:

[image: font-book web collection]


LDAP: Using parallel-update for concurrent multiple updates

For applying a small number of changes, ldapmodify is satisfactory. For a large number of changes, parallel-update has the capability of applying multiple changes simultaneously using an operator-provided number of threads. The following example uses 1024 threads to apply 1,000,000 changes in 156 seconds:

parallel-update --hostname ldap.example.com \
                --port 389                  \
                --bindDN cn=RootDN          \
                --bindPassword password     \
                --rejectFile rejects.ldif   \
                --numThreads 1024           \
                --ldifFile changes.ldif
 Attempts Successes   Rejects   ToRetry  AvgOps/S  RctOps/S  AvgDurMS  RctDurMS
--------- --------- --------- --------- --------- --------- --------- ---------
     2421      2421         0         0       483       483        11        11
    27565     27565         0         0      2752      5018        11        11
    61828     61828         0         0      4115      6838        10         9
    92657     92657         0         0      4625      6153         9         9
   127157    127157         0         0      5077      6886        10        10
   161335    161335         0         0      5368      6821         9         7
   193517    193517         0         0      5519      6423         9         9
   221584    221584         0         0      5529      5602        12        28
   253812    253812         0         0      5629      6432        12        11
   288367    288367         0         0      5756      6895        11         8
   321482    321482         0         0      5834      6609        11        11
   354634    354634         0         0      5899      6618        11         8
   392753    392753         0         0      6030      7607        11         8
   420788    420788         0         0      5999      5596        11        17
   455094    455094         0         0      6056      6843        11        11
   490436    490436         0         0      6118      7054        11         8
   524579    524579         0         0      6159      6817        11         7
   556483    556483         0         0      6171      6366        11         9
   588915    588915         0         0      6187      6473        10         8
   623031    623031         0         0      6218      6809        10        11
   655533    655533         0         0      6231      6490        11        19
   688598    688598         0         0      6247      6599        11         8
   724066    724066         0         0      6284      7079        11         9
   759697    759697         0         0      6318      7110        11         8
   794089    794089         0         0      6340      6864        10         8
   829215    829215         0         0      6366      7012        10        11
   861592    861592         0         0      6369      6461        11        14
   895619    895619         0         0      6384      6791        10         7
   930062    930062         0         0      6401      6872        10         9
   962579    962579         0         0      6404      6493        10        14
   995666    995666         0         0      6411      6605        10         7
Reached the end of the LDIF file
  1000004   1000004         0         0      6384      3298        10        12
All processing complete
Attempted 1000004 operations in 156 seconds

This tool is superior to using bulkmodify because parallel-update can be used to modify any attribute. bulkmodify cannot be used to modify dn, cn, and other attributes. bulkmodify also has some important limitations where multi-valued attributes are involved. bulkmodify does not accept an LDIF file as input. These limitations reduce the effectiveness and usability of bulkmodify … use parallel-update instead.


LDAP: Using authrate to measure authentication performance

Use the authrate command line tool to measure authentication performance of a directory server.

The example below illustrates how to execute searches and binds against an LDAP directory server. The example uses:

  • searches and binds against random entries in the range uid=user.0 - user.1000000
  • the password "password"
  • 256 threads simultaneously
  • measurements reported at 1 second intervals
  • a 5 minute “warmup” period
  • a test duration of 1 hour (3600 seconds) + the 5 minute warmup
  • SIMPLE authentication

authrate --hostname ldap.example.com -p 389  \
         --baseDN dc=example,dc=com          \
         --filter 'uid=user.[0-1000000]'     \
         --credentials password              \
         --scope sub                         \
         --attribute uid                     \
         --authType SIMPLE                   \
         --numThreads 256                    \
         --intervalDuration 1                \
         --warmupIntervals 300               \
         --csv                               \
         --numIntervals 3600
Recent Auths/Sec,Recent Avg Dur ms,Recent Errors/Sec,Overall Auths/Sec,Overall Avg Dur ms
36526.782,5.658,0.000,warming up,warming up
18490.217,16.509,0.000,warming up,warming up
46487.706,5.506,0.000,warming up,warming up
46122.294,5.547,0.000,warming up,warming up
46891.769,5.403,0.000,warming up,warming up
46885.624,5.511,0.000,warming up,warming up
...
Warm-up completed.  Beginning overall statistics collection.
46727.472,5.478,0.000,46727.472,5.478
46395.864,5.517,0.000,46561.585,5.498
46635.677,5.486,0.000,46586.274,5.494
45997.237,5.564,0.000,46438.944,5.511
45708.767,5.599,0.000,46292.996,5.529
...

LDAP: Example of Processing Time Histogram

The UnboundID Directory Server provides a breakdown of LDAP operations that have been processed by the server. Below is an example of the processing time histogram from the directory server monitor:

[screenshot: processing time histogram]

The following ldapsearch example shows how to retrieve information about search operations (this example uses the legacy OpenLDAP ldapsearch syntax):

ldapsearch -h ldap.example.com -p 389 -D cn=RootDN -x \
        -b 'cn=processing time histogram,cn=monitor' -LLL \
        '(&)' searchOpsTotalCount searchOpsPercent \
        searchOpsAggregatePercent
dn: cn=processing time histogram,cn=monitor
searchOpsTotalCount: 490186258
searchOpsPercent: Less than 1ms: 99.7966%
searchOpsPercent: Between 1ms and 2ms: 0.1073%
searchOpsPercent: Between 2ms and 3ms: 0.0159%
searchOpsPercent: Between 3ms and 5ms: 0.0164%
searchOpsPercent: Between 5ms and 10ms: 0.0294%
searchOpsPercent: Between 10ms and 20ms: 0.0334%
searchOpsPercent: Between 20ms and 30ms: 0.0007%
searchOpsPercent: Between 30ms and 50ms: 0.0000%
searchOpsPercent: Between 50ms and 100ms: 0.0000%
searchOpsPercent: Between 100ms and 1000ms: 0.0002%
searchOpsPercent: At least 1000ms: 0.0000%
searchOpsAggregatePercent: Less than 1ms: 99.7966%
searchOpsAggregatePercent: Between 1ms and 2ms: 99.9039%
searchOpsAggregatePercent: Between 2ms and 3ms: 99.9198%
searchOpsAggregatePercent: Between 3ms and 5ms: 99.9362%
searchOpsAggregatePercent: Between 5ms and 10ms: 99.9657%
searchOpsAggregatePercent: Between 10ms and 20ms: 99.9991%
searchOpsAggregatePercent: Between 20ms and 30ms: 99.9997%
searchOpsAggregatePercent: Between 30ms and 50ms: 99.9998%
searchOpsAggregatePercent: Between 50ms and 100ms: 99.9998%
searchOpsAggregatePercent: Between 100ms and 1000ms: 100.0000%
searchOpsAggregatePercent: At least 1000ms: 100.0000%

LDAP: Authentication Best Practices

LDAP: Authentication Best Practices is now available (but still under construction).
