DevTech101


Note: For the most up-to-date OUD/ODSM information click here
Note: If you have any issues with the Directory Server Control Center (DSCC) and need to re-initialize it, click here


Directory Server Control Center certificates

Make sure to set up the Directory Server Control Center certificates

For a list of steps on how to configure the DSCC certificates click here (this is needed for DSCC replication)

Before you begin
Make sure your storage is set up with the correct block size; check this first: Directory Server Databases and Usage of db_stat
Another place to look for how to tune the file system is Filesystem Cache Optimization Strategies

Directory Proxy configuration

Create a Directory Proxy

dpadm create -p 389 -P 636 -D "cn=Proxy Manager" -w pwfile /data1/ldaproxy

Start the Directory Proxy instance

dpadm start /data1/ldaproxy

Request a self-signed certificate

dpadm request-cert /data1/ldaproxy ldaproxy1

Install the self-signed CA certificate

dpadm add-cert /data1/ldaproxy my-ca /tmp/ca.cert

Install the self-signed certificate

dpadm add-cert /data1/ldaproxy ldaproxy1-cert /tmp/new.cert

At this point we have a working self-signed certificate, together with our own CA certificate, installed on the proxy instance.

To get the Directory Proxy CA certificate run the command below. The certificate is needed for the load balancer (NetScaler) to be able to connect to the Directory Proxies.

dpadm show-cert -F ascii /data1/ldaproxy

Proxy Server configuration tuning and changes

Heap memory tuning (restart required)

Change the proxy to use 2048M memory (from default 256M)

dpadm set-flags /data1/ldaproxy jvm-args="-Xmx2048M -Xms2048M -XX:NewRatio=1 -XX:+PrintGCDetails -Xloggc:/var/java/java-gc.log -XX:NewSize=1024M -XX:MaxNewSize=1024M -XX:PermSize=128M -XX:MaxPermSize=128M -XX:SurvivorRatio=32 -XX:MaxLiveObjectEvacuationRatio=15 -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+PrintGCTimeStamps -Dsun.security.pkcs11.enable-solaris=false"

Verify the change:
dpadm get-flags /data1/ldaproxy

Restart for the change to take effect
dpadm restart /data1/ldaproxy

Directory Proxy configuration

Setup the Directory Proxy destinations

Create a password file (used by the whole configuration) and set up the destinations

echo 'password'>/tmp/pw

On proxy1:
dpconf create-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap1-389" ldap1.domain.com:389
dpconf create-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap1-636" ldap1.domain.com:636
dpconf create-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap2-389" ldap2.domain.com:389
dpconf create-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap2-636" ldap2.domain.com:636

On proxy2:
dpconf create-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap1-389" ldap1.domain.com:389
dpconf create-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap1-636" ldap1.domain.com:636
dpconf create-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap2-389" ldap2.domain.com:389
dpconf create-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap2-636" ldap2.domain.com:636

Set up the Directory Proxy LDAP pools

On ldaproxy1:
dpconf create-ldap-data-source-pool -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "DataSource-Pool"

On ldaproxy2:
dpconf create-ldap-data-source-pool -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "DataSource-Pool"

Assign the pools to destinations

Assign the pools to LDAP destinations

On ldaproxy1:
For both secure and non-secure run:
dpconf attach-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-389" "ldap1-636" "ldap2-389" "ldap2-636"
Note: For secure only (no non-secure) run:
dpconf attach-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-636" "ldap2-636"

On ldaproxy2:
For both secure and non-secure run:
dpconf attach-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-389" "ldap1-636" "ldap2-389" "ldap2-636"
Note: For secure only (no non-secure) run:
dpconf attach-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-636" "ldap2-636"

Set up your LDAP views

Create your LDAP views and assign the pool to use

On ldaproxy1:
dpconf create-ldap-data-view -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "View" "DataSource-Pool" dc=domain,dc=com
On ldaproxy2:
dpconf create-ldap-data-view -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "View" "DataSource-Pool" dc=domain,dc=com

Enable the data sources

Finally we need to enable the data sources and restart the proxy server for the LDAP connection pools to work

dpadm restart /data1/ldaproxy

Disable the non-secure data sources (if not used)

dpconf set-ldap-data-source-prop -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap1-389" is-enabled:false
dpconf set-ldap-data-source-prop -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap2-389" is-enabled:false
dpconf set-ldap-data-source-prop -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap1-389" is-enabled:false
dpconf set-ldap-data-source-prop -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap2-389" is-enabled:false

Set the Directory Proxy weights

dpconf set-attached-ldap-data-source-prop -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-636" add-weight:50 bind-weight:50 compare-weight:50 delete-weight:50 modify-dn-weight:50 modify-weight:50 search-weight:50
dpconf set-attached-ldap-data-source-prop -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap2-636" add-weight:50 bind-weight:50 compare-weight:50 delete-weight:50 modify-dn-weight:50 modify-weight:50 search-weight:50
dpconf set-attached-ldap-data-source-prop -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-636" add-weight:50 bind-weight:50 compare-weight:50 delete-weight:50 modify-dn-weight:50 modify-weight:50 search-weight:50
dpconf set-attached-ldap-data-source-prop -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap2-636" add-weight:50 bind-weight:50 compare-weight:50 delete-weight:50 modify-dn-weight:50 modify-weight:50 search-weight:50

Directory Proxy native LDAP tuning

Directory Proxy Session Tuning

Log in as root

Then Log in as admin

Click on Directory Proxy Tab > server

Click on this proxy server and click on …

Proxy Servers > ldaproxy1:389 > General TAB

Check the box in…

VLV Request LDAPv3 control
Server Side Sorting

Proxy Servers > ldaproxy1:389 > Performance TAB

Increase from 50 to 70 (20 per connection)

Worker Threads: 70

Directory Proxy Access log Tuning

Click on Proxy Servers > ldaproxy2.domain.com:389 > Access Logging
Log Rotation Policy:
Size Limit: 1000
Max Files to Keep: 15

Set up Solaris (SMF) services and auto restart

To autostart/stop the Directory Proxy
Note: This needs to be run while the instance is down

dpadm enable-service -T SMF /data1/ldaproxy-config

Problems and resolutions during Directory Proxy configuration

Problem 1

Problem: Connections time out with errors of LDAP disconnecting too quickly

  • Problem: Getting the error “connection idle time-out has expired” in the access log

Solution: Modify conf.ldif, keeping in mind the value is in milliseconds, not seconds

Solution: In /data1/ldaproxy1/config/conf.ldif, change the value for port 389/636 from 3600 milliseconds (3 seconds) to 3600000 milliseconds
Note: The attribute is named as if it were seconds, but the value is really milliseconds

From:
connectionIdleTimeOutInSec: 3600
To:
connectionIdleTimeOutInSec: 3600000
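As an added check (not part of the original page), the function below scans a conf.ldif for connectionIdleTimeOutInSec and flags values that are too small once you remember the unit is really milliseconds. The sample conf.ldif it runs on is constructed, and the 60 second minimum is an assumed threshold.

```shell
#!/bin/sh
# Added example, not from the original page: flag connectionIdleTimeOutInSec
# values in a Directory Proxy conf.ldif that are dangerously low once read as
# milliseconds (the attribute name says "Sec", the server treats it as ms).
# Usage: check_idle_timeout <conf.ldif> [min_ms]
# Prints "<value> OK (...)" or "<value> TOO_LOW (...)" per occurrence and
# returns 1 if any value is below min_ms (assumed default: 60000 ms = 60 s).
check_idle_timeout() {
    conf="$1"
    min_ms="${2:-60000}"
    awk -v min="$min_ms" '
        BEGIN { bad = 0 }
        tolower($1) == "connectionidletimeoutinsec:" {
            val = $2 + 0
            if (val < min) { print val " TOO_LOW (" val / 1000 " seconds)"; bad = 1 }
            else           { print val " OK (" val / 1000 " seconds)" }
        }
        END { exit bad }
    ' "$conf"
}

# Constructed sample: the default value as it looks before the fix above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dn: cn=ldap-listener,cn=config
connectionIdleTimeOutInSec: 3600
EOF
if check_idle_timeout "$sample"; then
    echo "idle timeout looks sane"
else
    echo "idle timeout too low: fix conf.ldif before putting the proxy in service"
fi
rm -f "$sample"
```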

Enable all LDAP controls to pass Directory Proxy

To allow all controls through the proxy run this, then restart:

dpconf set-server-prop -i -h ldaproxy1.domain.com -P 636 --pwd-file /tmp/pw \
allowed-ldap-controls:2.16.840.1.113730.3.4.2 \
allowed-ldap-controls:2.16.840.1.113730.3.4.3 \
allowed-ldap-controls:2.16.840.1.113730.3.4.4 \
allowed-ldap-controls:2.16.840.1.113730.3.4.5 \
allowed-ldap-controls:2.16.840.1.113730.3.4.16 \
allowed-ldap-controls:2.16.840.1.113730.3.4.15 \
allowed-ldap-controls:2.16.840.1.113730.3.4.17 \
allowed-ldap-controls:2.16.840.1.113730.3.4.19 \
allowed-ldap-controls:1.3.6.1.4.1.42.2.27.9.5.2 \
allowed-ldap-controls:1.3.6.1.4.1.42.2.27.9.5.6 \
allowed-ldap-controls:1.3.6.1.4.1.42.2.27.9.5.8 \
allowed-ldap-controls:1.3.6.1.4.1.42.2.27.8.5.1 \
allowed-ldap-controls:2.16.840.1.113730.3.4.14 \
allowed-ldap-controls:1.3.6.1.4.1.1466.29539.12 \
allowed-ldap-controls:2.16.840.1.113730.3.4.12 \
allowed-ldap-controls:2.16.840.1.113730.3.4.18 \
allowed-ldap-controls:2.16.840.1.113730.3.4.13 \
allowed-ldap-controls:1.3.6.1.4.1.42.2.27.9.5.4 \
allowed-ldap-controls:1.3.6.1.4.1.42.2.27.9.5.7 \
allowed-ldap-controls:1.2.840.113556.1.4.473 \
allowed-ldap-controls:2.16.840.1.113730.3.4.9

To verify the change:
ldapsearch -h ldaproxy1.domain.com -b "" -s base objectclass=\*

Disabling or limiting anonymous access

In the DSCC console change the following:
Click on Proxy Servers > ldaproxy1.domain.com:389 > Policies
New Policy
Name: Annonymes-Policy
Connection Limit:1
Single IP Connection Limit:1
Operation Limit:1
Simultaneous Operation Limit:1
Search Limits
Minimum Size For Substrings in Searches:3
Maximum Search Time:5
Default Search Size Limit:1

Re initialize the Directory Server Control Center(DSCC)

To re-initialize the Directory Server Control Center(DSCC) run this, then restart the Sun Management web console

/dse61/dscc6/bin/dsccsetup dismantle

/dse61/dscc6/bin/dsccsetup initialize

smcwebserver restart

Troubleshooting a hung Directory Proxy

Collecting jmap: create a cron job

#
## collect script perf stat for Sun Proxy Server
#
* * * * * /data1/sun_collect/collect_jmap.sh
 
#!/bin/bash
# Append a timestamped jmap heap summary of the running Directory Proxy
# (its JVM main class is DistributionServerMain) to the collection log.
JDK_BIN=/usr/jdk/instances/jdk1.5.0/bin/sparcv9
OUT=/data1/sun_collect/collect_jmap.out

echo "======================
Ran at `date`
======================" >> "$OUT"

proxy_process=`$JDK_BIN/jps | grep DistributionServerMain | awk '{print $1}'`
if [ -z "$proxy_process" ]; then
    echo "Directory Proxy process not found" >> "$OUT"
    exit 1
fi
$JDK_BIN/jmap -d64 -heap $proxy_process >> "$OUT"
 
cat /data1/sun_collect/collect_jmap.out
======================
Ran at Tue Jun 23 10:58:00 EDT 2009
======================
 
using thread-local object allocation.
Parallel GC with 24 thread(s)
 
Heap Configuration:
   MinHeapFreeRatio = 40
   MaxHeapFreeRatio = 70
   MaxHeapSize      = 2147483648 (2048.0MB)
   NewSize          = 2883584 (2.75MB)
   MaxNewSize       = -65536 (-0.0625MB)
   OldSize          = 1835008 (1.75MB)
   NewRatio         = 1
   SurvivorRatio    = 32
   PermSize         = 21757952 (20.75MB)
   MaxPermSize      = 88080384 (84.0MB)
 
Heap Usage:
PS Young Generation
Eden Space:
   capacity = 432537600 (412.5MB)
   used     = 112557816 (107.34349822998047MB)
   free     = 319979784 (305.15650177001953MB)
   26.022666237571023% used
From Space:
   capacity = 3014656 (2.875MB)
   used     = 2981888 (2.84375MB)
   free     = 32768 (0.03125MB)
   98.91304347826087% used
To Space:
   capacity = 8323072 (7.9375MB)
   used     = 0 (0.0MB)
   free     = 8323072 (7.9375MB)
   0.0% used
PS Old Generation
   capacity = 1073741824 (1024.0MB)
   used     = 36454704 (34.76591491699219MB)
   free     = 1037287120 (989.2340850830078MB)
   3.3951088786125183% used
PS Perm Generation
   capacity = 25165824 (24.0MB)
   used     = 12957168 (12.356918334960938MB)
   free     = 12208656 (11.643081665039062MB)
   51.487159729003906% used

Collecting jstat

#!/bin/bash
# Sample GC utilisation of the running Directory Proxy once per second (1000 ms).
JDK_BIN=/usr/jdk/instances/jdk1.5.0/bin/sparcv9
proxy_process=`$JDK_BIN/jps | grep DistributionServerMain | awk '{print $1}'`
[ -n "$proxy_process" ] || { echo "Directory Proxy process not found" >&2; exit 1; }
$JDK_BIN/jstat -gcutil $proxy_process 1000 >> /data1/sun_collect/jstat.out
 
# cat jstat.out|head -10
  S0     S1     E      O      P     YGC     YGCT    FGC    FGCT     GCT
 53.54   0.00  84.20   3.10  51.43     34    2.511     0    0.000    2.511
 53.54   0.00  85.41   3.10  51.43     34    2.511     0    0.000    2.511
 53.54   0.00  85.94   3.10  51.43     34    2.511     0    0.000    2.511
 53.54   0.00  87.13   3.10  51.43     34    2.511     0    0.000    2.511
 53.54   0.00  88.44   3.10  51.43     34    2.511     0    0.000    2.511
 53.54   0.00  90.22   3.10  51.43     34    2.511     0    0.000    2.511
 53.54   0.00  91.02   3.10  51.43     34    2.511     0    0.000    2.511
 53.54   0.00  93.08   3.10  51.43     34    2.511     0    0.000    2.511
 53.54   0.00  96.34   3.10  51.43     34    2.511     0    0.000    2.511
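The jstat log above is only useful if someone reads it, so here is an added example (not from the original page) that scans a -gcutil log and flags samples where the old generation is above a threshold or a full GC ran since the previous sample, the two signs of heap pressure you would look for in a hung proxy. The log it runs on is constructed, and the 80% old-generation threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: scan a jstat -gcutil log (as
# collected above) for heap-pressure signs. Columns follow the JDK 5 -gcutil
# header: S0 S1 E O P YGC YGCT FGC FGCT GCT (O = old gen %, FGC = full GC count).
# Usage: gc_pressure_report <jstat.out> [old_gen_pct_threshold]
# Prints one line per flagged sample; returns 1 if anything was flagged.
gc_pressure_report() {
    log="$1"
    old_max="${2:-80}"        # assumed threshold: old gen above 80% is suspicious
    awk -v old_max="$old_max" '
        BEGIN { flagged = 0 }
        $1 == "S0" { next }   # skip the (repeated) header line
        NF < 10 { next }      # ignore partial lines from an interrupted run
        {
            sample++
            flags = ""
            if ($4 + 0 > old_max) flags = flags " OLD_GEN_HIGH(" $4 "%)"
            if (sample > 1 && $8 + 0 > prev_fgc) {
                d = $8 - prev_fgc
                flags = flags " FULL_GC(+" d ")"
            }
            if (flags != "") { print "sample " sample ":" flags; flagged++ }
            prev_fgc = $8 + 0
        }
        END { exit (flagged > 0) }
    ' "$log"
}

# Constructed sample log: a healthy sample, then old gen filling up and a full GC.
sample=$(mktemp)
cat > "$sample" <<'EOF'
  S0     S1     E      O      P     YGC     YGCT    FGC    FGCT     GCT
 53.54   0.00  84.20   3.10  51.43     34    2.511     0    0.000    2.511
  0.00  41.12  12.50  85.70  51.43     35    2.590     0    0.000    2.590
  0.00  41.12  63.80  91.25  51.43     35    2.590     1    1.204    3.794
EOF
if gc_pressure_report "$sample"; then
    echo "no GC pressure seen"
else
    echo "GC pressure detected: take a jmap heap dump before restarting the proxy"
fi
rm -f "$sample"
```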

Debugging a low performance proxy incident
Troubleshooting a Crashed Directory Proxy Server Process

Setup Directory and Proxy Server Monitoring

Sun Directory and Directory proxy server Monitoring

Note: You cannot install the Monitoring Server and Client on the same server (or it will not work)
Run the JES installer and select Sun Monitoring Console version 1.0 on the Monitoring Server

On the monitoring server setup the Console

/opt/SUNWmfwk/bin/mfwksetup -i
/opt/SUNWmfwk/bin/masetup -i

On all Directory Servers and Proxy Servers enable the monitoring plugin so they can be monitored, then restart
Login to the Monitoring Console server and click on Sun Monitoring Console
In discovery enter the IP or Host of the Directory client to Monitor.

References are available here

Monitoring Console configuration reference
