LDAP search descriptors and ‘user_attr’

I setup several Solaris systems to authenticate via LDAP last year, and periodically get the following error message in /var/adm/messages:

Dec 21 08:44:17 sparky nscd[1174]: [ID 293258 user.error] libsldap: Status: 4 Mesg: Service search
descriptor for service ‘passwd’ contains filter, which can not be used for service ‘user_attr’.

We use SSDs (service search descriptors) to tailor the search string that is sent to the directory server. This allows us to tailor who can and cannot login to our Solaris systems. After doing some digging, it looks like the following search descriptors are required to make libsldap.so happy:

NS_LDAP_SERVICE_SEARCH_DESC= user_attr:ou=people,dc=daemons,dc=net?one?&(acctActive=yes)
NS_LDAP_SERVICE_SEARCH_DESC= audit_user:ou=people,dc=daemons,dc=net?one?&(acctACtive=yes)

Since we use sudo instead of RBAC, I am still researching why the secure LDAP client queries the directory server for the user_attr information. Hopefully I can find an answer in RFC 2307 ( An approach to using LDAP as a network information service), or the documentation on docs.sun.com.

Safari/Firefox “Site not found” errors

Numerous people have posted to the Apple discussion board regarding “site not found” errors, and web browsers requiring two attempts to load a page. This was REALLY annoying me, so I started doing some digging to see what was wrong. When I broke out tcpdump, I noticed that OS X was sending AAAA record ( these are the IPv6 equivalent to an IPv4 A record ) requests to my DNS server:

$ sudo tcpdump -i en1 -vvvv -n -e port 53

[ ... ]

08:51:49.710240 00:0d:93:83:1d:73 > 00:03:ba:05:9d:9f, ethertype IPv4 (0x0800), length 73: IP (tos 0x0, ttl 64, id 29629, offset 0, flags [none], length: 59) 192.168.1.8.49428 > 192.168.1.1.53: [udp sum ok] 20324+ AAAA? www.apple.com. (31)

08:51:49.712412 00:03:ba:05:9d:9f > 00:0d:93:83:1d:73, ethertype IPv4 (0x0800), length 171: IP (tos 0x0, ttl 64, id 20532, offset 0, flags [none], length: 157) 192.168.1.1.53 > 192.168.1.8.49428: 20324 q: AAAA? www.apple.com. 1/1/0 www.apple.com. CNAME[|domain]

Now, why Safari is causing the name resolution libraries to query “www.apple.com” when I visit www.cnn.com is beyond me ( I will have to do some more digging). Since I am on a pure IPv4 network, I tried disabling IPv6 in the network preferences tab to see if it would stop sending AAAA record requests. This was not the case, and I still had trouble loading pages. While reviewing the latest errata on the OpenBSD errata page, I came across the following:

“BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in cases where IPv6 connectivity is non-existent. This results in unneccessary timeouts and thus slow DNS queries.”

Well hot dog, this seems to align with what I was seeing and experiencing!!!! I applied the patch to my OpenBSD name server, restarted named, and the problem seems to be fixed. Several of the folks on the discussion board also mentioned hard coding the DNS servers, which may or may not fix the issue ( if this is a BIND specific issue, then your ISP will need to patch their servers). Once I get some additional time, I will check to see if this is BIND or OpenBSD specific. Stay tuned!

Command line dictionary

The UNIX tips mailing list provides daily UNIX hints and tricks:

http://www.ugu.com/sui/ugu/show?tip.today

I received a tip a few months back that showed how to use lynx to lookup a word on dictionary.com, and decided to add this to my .profile:

dict () {
if [ “${1}” != “” ]
then
lynx -cfg=/dev/null -dump “http://www.dictionary.com/cgi-bin/dict.pl?term=$1”
| more
else
echo “USAGE: dict word”
fi
}

This function accepts an argument, and passes the URL with the word to lookup to lynx. The function can be invoked by typing “dict” at a shell prompt:

$ dict manager

The one who ruins my life with their clueless ways

I had to throw that in :) Here is a real run:

$ dict orthogonal

[1]Dictionary.com _________________________ Search
(_) Dictionary (_) Thesaurus (_) Web
[2]Home Premium: [3]Sign up | [4]Login

or?thog?o?nal [5] Audio pronunciation of “orthogonal”
( P ) [6]Pronunciation Key (?r-th g -n l)
adj.
1. Relating to or composed of right angles.
2. Mathematics.
a. Of or relating to a matrix whose transpose equals its
inverse.
b. Of or relating to a linear transformation that preserves the
length of vectors.

[ … ]

As you can see, this is rather useful (especially when you use vi to draft all of your documents).

Ever wanted to check your POP3 email from the command line?

I have an article titled debugging SSL in the December issue of SysAdmin magazine. The article covers techniques to debug SSL communications, and includes several useful examples. One of the examples shows how openssl can be used to check the operational status of a POP3s server. This is accomplished by feeding POP3 commands to openssl ( or telnet if you want eavesdroppers to learn your username and password ):

$ openssl s_client -connect prefetch.net:995
CONNECTED(00000003)

[ … ]

user ME@my.domain < ---- This is the username you login as ---->
+OK Name is a valid mailbox

pass SOMETHING_OR_ANOTHER < ---- This is your POP3 password ---->
+OK Mailbox locked and ready

list
+OK scan listing follows
1 1518

retr 1
+OK Message follows

dele 1
+OK message deleted

quit
+OK

This allows you to open an SSL connection to your mail server, “list” the messages in your inbox, “retr” message number 1, and “dele” it after you are done reviewing it’s contents. This also has the awesome feature of dumping the complete headers from the message (most email clients provide this capability as well). The headers can help you get an idea of which path a message took to get to you (when the headers have not been modified).

Reading text files while FTP’ing

If your not already aware, most FTP client come with a “more” command to allow text and data to be displayed a page at a time. This allows you to display text files inline, and alleviates the need to download the file and fire up a viewer:

$ ftp ftp.veritas.com
Name (ftp.veritas.com:matty): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Logged in anonymously.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> cd pub
250 “/pub” is new cwd.

ftp> cd /pub/products
250 “/pub/products” is new cwd.

ftp> get sf.4.0.sol.list |more
local: |more remote: sf.4.0.sol.list
227 Entering Passive Mode (143,127,12,46,219,207)
150 Data connection accepted from 198.185.0.144:53603; transfer starting for sf.4.0.sol.list (3310 bytes).
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERITAS Storage Foundation 4.0 for Solaris
Old Name: Foundation Suite
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Storage Foundation 4.0 for Solaris download files:
sf.4.0.sol.tar.gz 397228323 bytes Storage Foundation
sts.docCD.4.0.sol.tar.gz 248766169 bytes Documentation CD

After downloading to Solaris, verify the checksum of each file.
# cksum sf.4.0.sol.tar.gz
2051927958 397228323 sf.4.0.sol.tar.gz

[ … ]

I have found this super useful over the years.

Encrypting data with OpenSSL

I often find myself needing to protect sensitive data, and usually turn to OpenSSL for help. OpenSSL support a plethora of symmetric key encryption algorithms (AES, DES3, Blowfish, RC4), and comes with a variety of Operating Systems. To encrypt a file named private, we can pass one of the available symmetric key algorithms to OpenSSL:

$ openssl aes-256-ecb -in private -out private.aes256
enter aes-256-ecb encryption password:
Verifying – enter aes-256-ecb encryption password:

$ ls private*
private private.aes256

To decrypt the file private.aes256, the symmetric key algorithm and decryption option can be passed to OpenSSL:

$ openssl aes-256-ecb -d -in private.aes256 | tail -5
enter aes-256-ecb decryption password:
pop 109/tcp
pop3 110/tcp
imap 143/tcp
imaps 993/tcp
pop3s 995/tcp

As you can see, private wasn’t so private after all :) You can get a full list of available symmetric key ciphers by appending the help flag to openssl. If you are interesting in learning about more practical uses for OpenSSL, check out my article Real World Uses For OpenSSL.