Eric
OpenDS 2.2.0 installation
### http://developers.sun.com/identity/reference/techart/opends-namesvcs.html
### http://developers.sun.com/identity/reference/techart/opends-namesvcs2.html
###
### prepare the user's home directory
# mkdir /export/home1/daemons/opendsd
# chown -R 905:1 /export/home1/daemons/opendsd
### add an opendsd role
# roleadd -c "OpenDS role" -s /bin/bash -K defaultpriv=basic,net_privaddr,sys_resource opendsd
### set the password
# passwd opendsd
### edit the opendsd user entry
# vi /etc/passwd
opendsd:x:905:1:OpenDS role:/export/home1/daemons/opendsd:/bin/bash
### assign the opendsd role to the user
# usermod -R opendsd usager1
# vi /etc/user_attr
usager1::::type=normal;roles=root,opendsd
### create a certificate
$ su - opendsd
$ mkdir certs
$ cd certs
$ /usr/sfw/bin/certutil -N -d ./certs -P "amalthe.cants.org"
$ /usr/sfw/bin/64/certutil -S -x -n "amalthe.cants.org" -s "cn=amalthe.cants.org,ou=Directory Services,o=cants.org,c=CA" -t CTPu -v 12 -d ./certs -P "amalthe.cants.org" -5
$ /usr/sfw/bin/certutil -L -d ./certs -P "amalthe.cants.org" -n "amalthe.cants.org" -a > mycert.pem
$ /usr/sfw/bin/pk12util -o mypk12 -d /opt/certs -P "amalthe.cants.org" -n "amalthe.cants.org"
### install OpenDS
$ unzip OpenDS-2.2.0.zip
$ ~/OpenDS-2.2.0/setup
### configure OpenDS
$ ~/OpenDS-2.2.0/bin/import-ldif -a -b dc=cants,dc=org -l ~/schema/install/myskel.ldif
$ ~/OpenDS-2.2.0/bin/import-ldif -a -b dc=cants,dc=org -l ~/schema/install/myproxy.ldif
$ ~/OpenDS-2.2.0/bin/import-ldif -a -b dc=cants,dc=org -l ~/schema/install/myprofile.ldif
$ ~/OpenDS-2.2.0/bin/import-ldif -a -b dc=cants,dc=org -l ~/schema/install/myusers.ldif
$ ~/OpenDS-2.2.0/bin/import-ldif -a -b dc=cants,dc=org -l ~/schema/install/mygroups.ldif
### start OpenDS
$ ~/OpenDS-2.2.0/bin/start-ds
### additional configuration
### password file for "cn=directory manager" (passed to dsconfig with -j)
$ vi ~/.dmp
### Grant the Proxy user permission to retrieve user account status so that pam_ldap enables users to log in with the rsh, rlogin, rcp, or ssh
~/OpenDS-2.2.0/bin/dsconfig -h amalthe -p 4444 -D "cn=directory manager" -j ~/.dmp -n \
    set-access-control-handler-prop \
    --add global-aci:'(targetcontrol="1.3.6.1.4.1.42.2.27.9.5.8")(version 3.0; acl "Allow Account Status control for Proxy"; allow(read,proxy) userdn="ldap:///cn=solaris,ou=LDAPauth,dc=cants,dc=org";)'
### Store the user's password in clear text in OpenDS.
~/OpenDS-2.2.0/bin/dsconfig -h amalthe -p 4444 -D "cn=directory manager" -j ~/.dmp -n \
    set-password-policy-prop --policy-name "Default Password Policy" \
    --set default-password-storage-scheme:CLEAR
### Configure the Identity mappers.
~/OpenDS-2.2.0/bin/dsconfig -h amalthe -p 4444 -D "cn=directory manager" -j ~/.dmp -n \
    set-identity-mapper-prop \
    --mapper-name 'Regular Expression' \
    --add match-attribute:cn \
    --set match-pattern:'cn=(.*),ou=LDAPauth.*|uid=(.*),ou=People.*' \
    --set replace-pattern:'$1$2'
### Configure Simple Authentication and Security Layer (SASL)
~/OpenDS-2.2.0/bin/dsconfig -h amalthe -p 4444 -D "cn=directory manager" -j ~/.dmp -n \
    set-sasl-mechanism-handler-prop \
    --handler-name CRAM-MD5 \
    --set 'identity-mapper:Regular Expression'
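To see what the 'Regular Expression' identity mapper configured above does with the name a SASL client presents, here is an added Python model; it is not code from the page or from OpenDS. It applies the match-pattern and replace-pattern exactly as set above (Java regex syntax, translated to Python's), then looks the result up in a constructed stand-in for the dc=cants,dc=org backend. It assumes the mapper kept its default match-attribute uid alongside the added cn, and that, like the OpenDS mapper, a value matching more than one entry is rejected as ambiguous rather than silently resolved to the first hit.

```python
import re

# Patterns exactly as set on the 'Regular Expression' identity mapper above
# (Java regex syntax, which is what OpenDS expects).
MATCH_PATTERN = r"cn=(.*),ou=LDAPauth.*|uid=(.*),ou=People.*"
REPLACE_PATTERN = "$1$2"

# match-attribute: OpenDS's default for this mapper is uid; the --add above keeps
# it and adds cn (assumption: the mapper still had its default when cn was added).
MATCH_ATTRIBUTES = ("uid", "cn")

# Constructed sample entries standing in for the dc=cants,dc=org backend.
DIRECTORY = [
    {"dn": "cn=solaris,ou=LDAPauth,dc=cants,dc=org", "cn": "solaris"},
    {"dn": "uid=bob,ou=People,dc=cants,dc=org", "uid": "bob", "cn": "Bob Example"},
    {"dn": "uid=alice,ou=People,dc=cants,dc=org", "uid": "alice", "cn": "Alice Example"},
]


def java_to_python_replacement(replace_pattern):
    """Translate Java's "$n" group references into Python's "\\n" form."""
    return re.sub(r"\$(\d+)", r"\\\1", replace_pattern)


def process_id(id_string, match_pattern=MATCH_PATTERN, replace_pattern=REPLACE_PATTERN):
    """Apply the mapper's replaceAll step; IDs that don't match pass through unchanged.

    Python 3.5+ substitutes '' for groups that did not take part in the match,
    which is what lets "$1$2" work with the alternation above, as it does in Java.
    """
    return re.sub(match_pattern, java_to_python_replacement(replace_pattern), id_string)


def map_identity(id_string, directory=DIRECTORY, match_attributes=MATCH_ATTRIBUTES):
    """Return the DN the mapper resolves id_string to, or None if nothing matches.

    A processed value that matches more than one entry is an error (as in the
    OpenDS mapper). Attribute comparison is exact here; LDAP's cn/uid matching
    is case-insensitive, which a real server would apply.
    """
    value = process_id(id_string)
    hits = [e["dn"] for e in directory
            if any(e.get(attr) == value for attr in match_attributes)]
    if len(hits) > 1:
        raise ValueError("ambiguous mapping for %r: %s" % (id_string, hits))
    return hits[0] if hits else None


if __name__ == "__main__":
    for ident in ("cn=solaris,ou=LDAPauth,dc=cants,dc=org",
                  "uid=bob,ou=People,dc=cants,dc=org", "alice", "mallory"):
        print("%-45s -> %s" % (ident, map_identity(ident)))
```

One consequence of looking up both uid and cn is visible in the ambiguity check: a person entry whose uid equals the cn of a proxy account under ou=LDAPauth (e.g. uid=solaris) makes the mapping fail for both, so the proxy account names should be kept out of the user namespace.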
Posted at 10:54PM Feb. 03, 2010 by Éric in Java
OpenDS: changing the password encryption type
[root@ldap]:/opt/OpenDS-2.0.0/bin# dsconfig --advanced -p 4444 -h localhost -D "cn=directory manager" -X
>>>> OpenDS configuration console main menu
What do you want to configure?
1) Access Control Handler 23) Matching Rule
2) Account Status Notification Handler 24) Monitor Provider
3) Administration Connector 25) Network Group
4) Alert Handler 26) Network Group QOS Policy
5) Attribute Syntax 27) Password Generator
6) Backend 28) Password Policy
7) Certificate Mapper 29) Password Storage Scheme
8) Connection Handler 30) Password Validator
9) Crypto Manager 31) Plugin
10) Debug Target 32) Plugin Root
11) Entry Cache 33) Replication Domain
12) Extended Operation Handler 34) Replication Server
13) Extension 35) Root DN
14) Global Configuration 36) Root DSE Backend
15) Group Implementation 37) SASL Mechanism Handler
16) Identity Mapper 38) Synchronization Provider
17) Key Manager Provider 39) Trust Manager Provider
18) Local DB Index 40) Virtual Attribute
19) Local DB VLV Index 41) Work Queue
20) Log Publisher 42) Workflow
21) Log Retention Policy 43) Workflow Element
22) Log Rotation Policy
q) quit
28 Password Policy
>>>> Password Policy management menu
What would you like to do?
1) List existing Password Policies
2) Create a new Password Policy
3) View and edit an existing Password Policy
4) Delete an existing Password Policy
b) back
q) quit
Enter choice [b]: 3
>>>> Configure the properties of the Password Policy
Property Value(s)
--------------------------------------------------------------------
1) account-status-notification-handler -
2) allow-expired-password-changes false
3) allow-multiple-password-values false
4) allow-pre-encoded-passwords true
5) allow-user-password-changes true
6) default-password-storage-scheme Salted SHA-512
7) deprecated-password-storage-scheme -
8) expire-passwords-without-warning false
9) force-change-on-add false
10) force-change-on-reset false
11) grace-login-count 0
12) idle-lockout-interval 0 s
13) last-login-time-attribute -
14) last-login-time-format -
15) lockout-duration 0 s
16) lockout-failure-count 0
17) lockout-failure-expiration-interval 0 s
18) max-password-age 0 s
19) max-password-reset-age 0 s
20) min-password-age 0 s
21) password-attribute userpassword
22) password-change-requires-current-password false
23) password-expiration-warning-interval 5 d
24) password-generator Random Password Generator
25) password-history-count 0
26) password-history-duration 0 s
27) password-validator -
28) previous-last-login-time-format -
29) require-change-by-time -
30) require-secure-authentication false
31) require-secure-password-changes false
32) skip-validation-for-administrators false
33) state-update-failure-policy reactive
?) help
f) finish - apply any changes to the Password Policy
c) cancel
q) quit
Enter choice [f]: 6
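The menu above is where default-password-storage-scheme is switched (shown here as Salted SHA-512; the installation post sets it to CLEAR for pam_ldap). The following added Python example, which is not taken from the page or from OpenDS, shows what those two choices mean for the stored userPassword value: it encodes and verifies the {SSHA512} form (an 8-byte random salt appended to the SHA-512 digest of password+salt, the layout assumed here for OpenDS's Salted SHA-512 scheme) and the {CLEAR} form, and includes a minimal LDIF reader to list entries still stored in clear text in a constructed export.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 8      # assumed OpenDS layout: 8-byte random salt, appended after the digest
DIGEST_LEN = 64   # SHA-512 digest length


def encode_ssha512(password, salt=None):
    """Encode as the 'Salted SHA-512' scheme stores it:
    '{SSHA512}' + base64(SHA-512(password || salt) || salt)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def storage_scheme(stored):
    """Return the scheme tag of a userPassword value ('SSHA512', 'CLEAR', ...), or None if untagged."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")]
    return None


def verify_password(stored, candidate):
    """Check a candidate password against a stored value, for the two schemes on this page."""
    scheme = storage_scheme(stored)
    if scheme is None:
        raise ValueError("untagged userPassword value")
    body = stored[len(scheme) + 2:]
    cand = candidate.encode("utf-8")
    if scheme == "CLEAR":
        return hmac.compare_digest(body.encode("utf-8"), cand)
    if scheme == "SSHA512":
        raw = base64.b64decode(body)
        if len(raw) != DIGEST_LEN + SALT_LEN:
            return False
        digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
        return hmac.compare_digest(digest, hashlib.sha512(cand + salt).digest())
    raise ValueError("unsupported storage scheme: %r" % scheme)


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' and 'attr:: base64'.
    Single-valued attributes only (a repeated attribute keeps its last value)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current[attr] = value
    if current:
        entries.append(current)
    return entries


def find_cleartext_passwords(ldif_text):
    """Audit helper: DNs whose userPassword is stored with the CLEAR scheme."""
    return [e["dn"] for e in parse_ldif(ldif_text)
            if storage_scheme(e.get("userPassword", "")) == "CLEAR"]


# Constructed sample export (not from the page): one hashed and one clear-text entry.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=cants,dc=org",
    "uid: alice",
    "userPassword:: " + base64.b64encode(encode_ssha512("s3cret", b"\x01" * 8).encode()).decode(),
    "",
    "dn: cn=solaris,ou=LDAPauth,dc=cants,dc=org",
    "cn: solaris",
    "userPassword:: " + base64.b64encode(b"{CLEAR}proxypw").decode(),
    "",
])

if __name__ == "__main__":
    print(encode_ssha512("s3cret"))
    print("clear-text entries:", find_cleartext_passwords(SAMPLE_LDIF))
```

Running find_cleartext_passwords over an export-ldif of the backend is a quick way to confirm which entries were written while the scheme was CLEAR: changing the default scheme in the policy affects only passwords stored afterwards, existing values keep their tag until the password is next set.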
Posted at 11:43PM Jan. 07, 2010 by Éric in Java
OpenDS 1.2 SMF (service management facility)
How to add OpenDS to SMF.
# ./opends-smf.bash -a enable -n ds1 -i /opt/OpenDS-1.2.0
# ./opends-smf.bash -a list
STATE          STIME    FMRI
offline*       13:45:12 svc:/network/opends/server:ds1
# ./opends-smf.bash -a disable -n ds1
# ./opends-smf.bash -a list
STATE          STIME    FMRI
disabled       13:47:02 svc:/network/opends/server:ds1
# svcs -x ds1
svc:/network/opends/server:ds1 (OpenDS LDAP directory server)
 State: disabled since August 27, 2009 1:47:02 PM EDT
Reason: Disabled by an administrator.
   See: http://sun.com/msg/SMF-8000-05
   See: /var/svc/log/network-opends-server:ds1.log
Impact: This service is not running.
# svcadm enable ds1
# svcs -x ds1
svc:/network/opends/server:ds1 (OpenDS LDAP directory server)
 State: online since August 27, 2009 1:48:40 PM EDT
   See: /var/svc/log/network-opends-server:ds1.log
Impact: None.
# ./opends-smf.bash -a unconfigure -n ds1
# ./opends-smf.bash -a list
STATE          STIME    FMRI
Code:
# vi opends-smf.bash
# chmod +x opends-smf.bash
#!/bin/bash
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License"). You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
# Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2006-2008 Sun Microsystems, Inc.
##############################################################################
#
# The purpose of this script is to provide a single script to provide the
# following Solaris 10 Service Management Facility (SMF) capabilities to
# OpenDS 2.0.0:
# * Configure a specific OpenDS instance for SMF
# * [Enable|Start] a specific OpenDS instance via SMF
# * [Disable|Stop] a specific OpenDS instance via SMF
# * Unconfigure an OpenDS instance from SMF
# * List OpenDS instances
#
##############################################################################
#
# Define global default variables
#
manifest="$HOME/.opends_manifest.$$"
##############################################################################
#
# Find pager
#
findpager() {
    #
    # Set the page command
    #
    pgcmd='cat - '
    ck4less=`which less 2>&1 | /usr/bin/grep -v "no less"`
    if [ -n "${ck4less}" ]
    then
        pgcmd='less'
    else
        ck4more=`which more 2>&1 | /usr/bin/grep -v "no more"`
        if [ -n "${ck4more}" ]
        then
            pgcmd='more'
        fi
    fi
}
##############################################################################
#
# Define appropriate usage
#
usage() {
    errmsg=${1}
    findpager
    # Page the usage text through the pager chosen by findpager
    cat <<EOF | ${pgcmd}
System Administration Commands                          opends-smf(1M)

NAME
     opends-smf - set up and manage OpenDS SMF instances

SYNOPSIS
     Normal usage:
         opends-smf -a [options]
     See proper usage:
         opends-smf -h

DESCRIPTION
     The purpose of opends-smf is to simplify Solaris 10 zones
     management. There are many pre-defined actions that can be
     applied to one or more zones depending on the action.

     The purpose of opends-smf is to provide a single script to
     provide simplified integration of OpenDS instances into the
     Solaris 10 Service Management Facility (SMF).

OPTIONS
     The following options are supported:
     -a    Specify the action to be performed
     -n    SMF Instance Name
     -i    Directory of the OpenDS instance.
     -u    Specify the run-time user of the OpenDS instance.
     -g    Specify the run-time group of the OpenDS instance.
     -h    See this usage information

ACTIONS
     The following actions are supported:
     list:          List SMF enabled OpenDS instances
     configure:     Create an SMF manifest and import it for a particular OpenDS instance.
     unconfigure:   Export the SMF configuration for a particular OpenDS instance.
     enable|start:  Enable or start a particular OpenDS instance
     disable|stop:  Disable or stop a particular OpenDS instance
     restart:       Disable or stop a particular OpenDS instance followed by Enable or starting
                    of the same OpenDS instance.

EXIT STATUS
     The following exit values are returned:
     0    Successful completion.
     1    An error occurred.
     2    Invalid usage.

SEE ALSO
     smf(5), pfexec(1)
EOF
    if [ -n "${errmsg}" ]; then echo "${errmsg}";fi
    exit 2
}
############################################################################
#
# Define exit level error message routine
#
error_message() {
    if [ -f "${manifest}" ]; then rm -f "${manifest}"; fi
    errmsg=${1}
    if [ -n "${errmsg}" ]
    then
        echo -e "Error: ${errmsg}"
        exit 1
    fi
}
##############################################################################
#
# Validate the user and group existence and OpenDS ownership
#
validate_ownership() {
    ck4user=`/usr/bin/grep "^$user:" /etc/passwd`
    if [ -z "${ck4user}" ]; then error_message "The operating system user ($user) must exist."; fi
    ck4uowner=`/usr/bin/ls -ald $inst_dir | /usr/bin/awk '{ print $3 }'`
    if [ "$ck4uowner" != "$user" ]; then error_message "The specified user ($user) does not match the OpenDS instance user ownership ($ck4uowner)."; fi
    ck4group=`/usr/bin/grep "^$group:" /etc/group`
    if [ -z "${ck4group}" ]; then error_message "The operating system group ($group) must exist."; fi
    ck4gowner=`/usr/bin/ls -ald $inst_dir | /usr/bin/awk '{ print $4 }'`
    if [ "$ck4gowner" != "$group" ]; then error_message "The specified group ($group) does not match the OpenDS instance group ownership ($ck4gowner)."; fi
}
##############################################################################
#
# Make and import manifest
#
configure_smf() {
    # Qualify the import request
    if [ -z "${inst_name}" ]; then error_message "Must provide instance name via -n "; fi
    ck4smf=`/usr/bin/svcs -a svc:/network/opends/server:$inst_name 2>&1 | /usr/bin/grep "svc:/network/opends/server:$inst_name$"`
    if [ -n "$ck4smf" ]; then error_message "OpenDS instance \"$inst_name\" already exists."; fi
    if [ -z "${inst_dir}" ]; then error_message "Must provide instance path via -i "; fi
    if [ -d "${inst_dir}" ]; then true; else error_message "OpenDS Instance directory \"${inst_dir}\" does not exist."; fi
    validate_ownership;
    cat << EOF > "$manifest"
OpenDS LDAP directory server
EOF
    /usr/sbin/svccfg import "$manifest"
    if [ "$?" -ne 0 ]
    then
        error_message "SMF Import Failed!"
    fi
}
enable_smf() {
    validate_ownership
    ck4smf=`/usr/bin/svcs -a svc:/network/opends/server:$inst_name 2>&1 | /usr/bin/grep "doesn't match any instances"`
    if [ -n "$ck4smf" ]; then configure_smf; fi
    if [ -z "${inst_name}" ]; then error_message "Must provide instance name via -n "; fi
    /usr/sbin/svcadm enable $inst_name
}
disable_smf() {
    if [ -z "${inst_name}" ]; then error_message "Must provide instance name via -n "; fi
    # Don't exit until the service finishes shutting down
    ck4state=`/usr/bin/svcs -aH svc:/network/opends/server:$inst_name 2> /dev/null | awk '{ print $1 }'`
    if [ -n "$ck4state" ]
    then
        /usr/sbin/svcadm disable svc:/network/opends/server:$inst_name
        while [ "$ck4state" != 'disabled' ]
        do
            sleep 3
            /usr/sbin/svcadm disable svc:/network/opends/server:$inst_name
            ck4state=`/usr/bin/svcs -aH svc:/network/opends/server:$inst_name 2> /dev/null | awk '{ print $1 }'`
        done
    fi
}
unconfigure_smf() {
    if [ -z "${inst_name}" ]; then error_message "Must provide instance name via -n "; fi
    disable_smf
    /usr/sbin/svccfg delete $inst_name
}
list_smf() {
    /usr/bin/svcs -a | /usr/bin/egrep "FMRI|svc:/network/opends/server:$inst_name"
}
##############################################################################
#
# Ensure this program is run as the root user
#
ck4root=`id | cut -d'(' -f2 | cut -d ')' -f1`
if [ "$ck4root" != 'root' ];then error_message "Must run as root user."; fi
##############################################################################
#
# If any parameters were passed evaluate their usage...
#
while getopts ha:n:i:u:g: OPT
do
    case ${OPT} in
        h|+h) usage;;
        a|+a) if [ -z "${OPTARG}" ];then error_message "Must provide a valid action with the -a flag";fi
              action="${OPTARG}"
              ;;
        n|+n) if [ -z "${OPTARG}" ];then error_message "Must provide a valid OpenDS instance name with the -n flag";fi
              inst_name="${OPTARG}"
              ;;
        i|+i) if [ -z "${OPTARG}" ];then error_message "Must provide a valid OpenDS instance directory with the -i flag";fi
              inst_dir="${OPTARG}"
              ;;
        u|+u) if [ -z "${OPTARG}" ];then error_message "Must provide a valid and unused user name with the -u flag";fi
              user="${OPTARG}"
              ;;
        g|+g) if [ -z "${OPTARG}" ];then error_message "Must provide a valid and unused group name with the -g flag";fi
              group="${OPTARG}"
              ;;
        *) usage;;
    esac
done
shift `expr ${OPTIND} - 1`
##############################################################################
#
# Test usage
#
if [ -z "${action}" ]; then error_message "Must provide action via -a "; fi
##############################################################################
#
# Set user and group info
#
if [ -z "$user" ]
then
    user=`/usr/bin/svcprop -p start/user svc:/network/opends/server:$inst_name 2> /dev/null`
    if [ -z "$user" ]
    then
        if [ -n "$inst_dir" ]
        then
            user=`/usr/bin/ls -ald $inst_dir | /usr/bin/awk '{ print $3 }'`
        fi
    fi
    if [ -z "$user" ]; then user='ldap'; fi
fi
if [ -z "$group" ]
then
    group=`/usr/bin/svcprop -p start/group svc:/network/opends/server:$inst_name 2> /dev/null`
    if [ -z "$group" ]
    then
        if [ -n "$inst_dir" ]
        then
            group=`/usr/bin/ls -ald $inst_dir | /usr/bin/awk '{ print $4 }'`
        fi
    fi
    if [ -z "$group" ]; then group='ldap'; fi
fi
case ${action} in
    'configure')   configure_smf;;
    'unconfigure') unconfigure_smf;;
    'enable')      enable_smf;;
    'start')       enable_smf;;
    'disable')     disable_smf;;
    'stop')        disable_smf;;
    'restart')     disable_smf; enable_smf;;
    'list')        list_smf;;
    *) usage;;
esac
Posted at 02:07PM Aug. 27, 2009 by Éric in Java
jstatd - Virtual Machine jstat Daemon
Description
jstatd is a utility shipped with the JDK that instruments (monitors) the Java virtual machines (JVMs) running on the application server and shares that information with a remote machine.
On Solaris the JDK tools are under /usr/jdk/<version>/bin.
Security
To share the information with a remote machine, you must create a policy file in which you grant all permissions.
# vi jstatd.all.policy
grant codebase "file:${java.home}/../lib/tools.jar" {
permission java.security.AllPermission;
};
Example
- How to start the service on a port.
- -J-Djava.security.policy sets the policy file
- -p sets the service port
- -n sets the service name, JstatdServer
jstatd -J-Djava.security.policy=jstatd.all.policy -p 2020 -n JstatdServer
Local
The first test is a simple test that verifies that the bundled jstat tool is working as expected. This test runs the jstat command such that it attaches to its own JVM, by specifying 0 as the lvmid of the target process, and takes 3 samples of the instrumentation at 1000 millisecond intervals.
# jstat -gcutil 0 1000 3
  S0     S1     E      O      P     YGC     YGCT    FGC    FGCT     GCT
  0.00   0.00  37.20  55.10  15.77    106    0.174    58    5.268    5.442
  0.00   0.00  45.87  55.14  15.77    106    0.174    59    5.357    5.531
  0.00   0.00  96.42  55.14  15.77    106    0.174    59    5.357    5.531
-gcutil option (Table 11, Summary of Garbage Collection Statistics):
Column  Description
S0      Survivor space 0 utilization as a percentage of the space's current capacity.
S1      Survivor space 1 utilization as a percentage of the space's current capacity.
E       Eden space utilization as a percentage of the space's current capacity.
O       Old space utilization as a percentage of the space's current capacity.
P       Permanent space utilization as a percentage of the space's current capacity.
YGC     Number of young generation GC events.
YGCT    Young generation garbage collection time.
FGC     Number of full GC events.
FGCT    Full garbage collection time.
GCT     Total garbage collection time.
List the Java applications per process:
# jps
23551 Java2Demo.jar
23581 Jps
# jstat -gcutil 23551 1000 3
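As an added example (not from the page or from the JDK), here is a small Python parser for the jstat -gcutil output shown above. The three samples from the page are embedded as constructed input; the parser turns them into rows keyed by column name, computes the per-interval change in GC counts and times, and derives the fraction of the sampling window (1000 ms per sample, as in the command above) that the JVM spent in garbage collection.

```python
# Constructed from the jstat -gcutil output shown above (three samples, 1000 ms apart).
JSTAT_OUTPUT = """\
  S0     S1     E      O      P     YGC     YGCT    FGC    FGCT     GCT
  0.00   0.00  37.20  55.10  15.77    106    0.174    58    5.268    5.442
  0.00   0.00  45.87  55.14  15.77    106    0.174    59    5.357    5.531
  0.00   0.00  96.42  55.14  15.77    106    0.174    59    5.357    5.531
"""


def parse_gcutil(text):
    """Parse `jstat -gcutil` output into a list of dicts keyed by column name."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError("malformed row: %r" % line)
        rows.append({name: float(value) for name, value in zip(header, fields)})
    return rows


def gc_deltas(rows):
    """Changes in GC counts and cumulative times between consecutive samples.

    YGCT/FGCT/GCT are cumulative seconds since JVM start, so the difference
    between two samples is the time spent in that collector during the interval.
    """
    deltas = []
    for prev, cur in zip(rows, rows[1:]):
        deltas.append({
            "dYGC": int(cur["YGC"] - prev["YGC"]),
            "dYGCT": round(cur["YGCT"] - prev["YGCT"], 3),
            "dFGC": int(cur["FGC"] - prev["FGC"]),
            "dFGCT": round(cur["FGCT"] - prev["FGCT"], 3),
        })
    return deltas


def gc_time_fraction(rows, interval_ms):
    """Fraction of wall-clock time spent in GC over the whole sample window."""
    if len(rows) < 2:
        raise ValueError("need at least two samples")
    window_s = (len(rows) - 1) * interval_ms / 1000.0
    return (rows[-1]["GCT"] - rows[0]["GCT"]) / window_s


if __name__ == "__main__":
    rows = parse_gcutil(JSTAT_OUTPUT)
    for d in gc_deltas(rows):
        print(d)
    print("GC time fraction: %.2f%%" % (100 * gc_time_fraction(rows, 1000)))
```

On the page's samples one full GC occurred between the first and second sample (FGC 58 to 59, 0.089 s of FGCT), and about 4.5% of the two-second window went to collection; the same functions work unchanged on longer captures taken with a larger sample count.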
Remote
You can then use jvisualvm.exe, a graphical application shipped with the JDK.
With the graphical tool there is no need to start a service as in the local case.
https://visualvm.dev.java.net/applications_remote.html
http://java.sun.com/javase/6/docs/technotes/guides/visualvm/applications_remote.html
Remotely with Java VisualVM, which is included in the Java JDK ("C:\Program Files\Java\jdk1.6.0_11\bin\jvisualvm.exe"):
- Under the Remote section, add a new host.
- Under that host, add a new JMX connection.
Example:
service:jmx:rmi:///jndi/rmi://<IP address or host name>:8686/jmxrmi
The user name and password are those of the Glassfish administration console.
Source
http://java.sun.com/javase/6/docs/technotes/tools/share/jstatd.html
http://java.sun.com/performance/jvmstat/solaris.html
Posted at 06:48PM Feb. 07, 2009 by Éric in Java
Update JDK on Solaris x64
To update the Java version, download the Java SE Development Kit (JDK) from http://java.sun.com/javase/downloads/index.jsp.
# cd /usr/jdk/instances
# chmod +x jdk-6u11-solaris-i586.sh
# ./jdk-6u11-solaris-i586.sh yes
# ./jdk-6u11-solaris-x64.sh yes
# rm jdk-6u18-solaris-*
# ln -s /usr/jdk/instances/jdk1.6.0_11 /usr/java/jdk1.6.0_11
# rm /usr/jdk/latest
# ln -s /usr/jdk/jdk1.6.0_11 /usr/jdk/latest
# rm /usr/java
# ln -s /usr/jdk/jdk1.6.0_11 /usr/java
Posted at 06:00PM Jan. 05, 2009 by Éric in Java