Blog O' Matty

LDAP search descriptors and 'user_attr'

This article was posted by Matty on 2005-01-18 00:07:00 -0400 -0400

I setup several Solaris systems to authenticate via LDAP last year, and periodically get the following error message in /var/adm/messages:

Dec 21 08:44:17 sparky nscd[1174]: [ID 293258 user.error] libsldap: Status: 4 Mesg: Service search descriptor for service ‘passwd’ contains filter, which can not be used for service ‘user_attr’.

We use SSDs (service search descriptors) to tailor the search string that is sent to the directory server. This allows us to tailor who can and cannot login to our Solaris systems. After doing some digging, it looks like the following search descriptors are required to make happy:

NS_LDAP_SERVICE_SEARCH_DESC= user_attr:ou=people,dc=daemons,dc=net?one?&(acctActive=yes) NS_LDAP_SERVICE_SEARCH_DESC= audit_user:ou=people,dc=daemons,dc=net?one?&(acctACtive=yes)

Since we use sudo instead of RBAC, I am still researching why the secure LDAP client queries the directory server for the user_attr information. Hopefully I can find an answer in RFC 2307 ( An approach to using LDAP as a network information service), or the documentation on

Safari/Firefox Site not found errors

This article was posted by Matty on 2005-01-16 00:04:00 -0400 -0400

Numerous people have posted to the Apple discussion board regarding “site not found” errors, and web browsers requiring two attempts to load a page. This was REALLY annoying me, so I started doing some digging to see what was wrong. When I broke out tcpdump, I noticed that OS X was sending AAAA record ( these are the IPv6 equivalent to an IPv4 A record ) requests to my DNS server:

$ sudo tcpdump -i en1 -vvvv -n -e port 53

[ ... ]

08:51:49.710240 00:0d:93:83:1d:73 > 00:03:ba:05:9d:9f, ethertype IPv4 (0x0800), length 73: IP (tos 0x0, ttl 64, id 29629, offset 0, flags [none], length: 59) > [udp sum ok] 20324+ AAAA? (31)
08:51:49.712412 00:03:ba:05:9d:9f > 00:0d:93:83:1d:73, ethertype IPv4 (0x0800), length 171: IP (tos 0x0, ttl 64, id 20532, offset 0, flags [none], length: 157) > 20324 q: AAAA? 1/1/0 CNAME[|domain]

Now, why Safari is causing the name resolution libraries to query “” when I visit is beyond me ( I will have to do some more digging). Since I am on a pure IPv4 network, I tried disabling IPv6 in the network preferences tab to see if it would stop sending AAAA record requests. This was not the case, and I still had trouble loading pages. While reviewing the latest errata on the OpenBSD errata page, I came across the following:

“BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in cases where IPv6 connectivity is non-existent. This results in unneccessary timeouts and thus slow DNS queries.”

Well hot dog, this seems to align with what I was seeing and experiencing!!!! I applied the patch to my OpenBSD name server, restarted named, and the problem seems to be fixed. Several of the folks on the discussion board also mentioned hard coding the DNS servers, which may or may not fix the issue ( if this is a BIND specific issue, then your ISP will need to patch their servers). Once I get some additional time, I will check to see if this is BIND or OpenBSD specific. Stay tuned!

Command line dictionary

This article was posted by Matty on 2005-01-15 00:06:00 -0400 -0400

The UNIX tips mailing list provides daily UNIX hints and tricks:

I received a tip a few months back that showed how to use lynx to lookup a word on, and decided to add this to my .profile:

dict () {
if [ "${1}" != "" ]
lynx -cfg=/dev/null -dump
| more
echo "USAGE: dict word"

This function accepts an argument, and passes the URL with the word to lookup to lynx. The function can be invoked by typing “dict” at a shell prompt:

$ dict manager

The one who ruins my life with their clueless ways

I had to throw that in :) Here is a real run:

$ dict orthogonal

[1] _________________________
(_) Dictionary (_) Thesaurus (_) Web
[2]Home Premium: [3]Sign up | [4]Login

or?thog?o?nal [5] Audio pronunciation of "orthogonal"
( P ) [6]Pronunciation Key (?r-th g -n l)
1. Relating to or composed of right angles.
2. Mathematics.
a. Of or relating to a matrix whose transpose equals its
b. Of or relating to a linear transformation that preserves the
length of vectors.

[ ... ]

As you can see, this is rather useful (especially when you use vi to draft all of your documents).

Ever wanted to check your POP3 email from the command line?

This article was posted by Matty on 2005-01-14 00:01:00 -0400 -0400

I have an article titled debugging SSL in the December issue of SysAdmin magazine. The article covers techniques to debug SSL communications, and includes several useful examples. One of the examples shows how openssl can be used to check the operational status of a POP3s server. This is accomplished by feeding POP3 commands to openssl ( or telnet if you want eavesdroppers to learn your username and password ):

$ openssl s_client -connect


[ ... ]

user ME@my.domain < ---- This is the username you login as ---->
+OK Name is a valid mailbox

pass SOMETHING_OR_ANOTHER < ---- This is your POP3 password ---->
+OK Mailbox locked and ready

+OK scan listing follows
1 1518

retr 1
+OK Message follows

dele 1
+OK message deleted


This allows you to open an SSL connection to your mail server, “list” the messages in your inbox, “retr” message number 1, and “dele” it after you are done reviewing it’s contents. This also has the awesome feature of dumping the complete headers from the message (most email clients provide this capability as well). The headers can help you get an idea of which path a message took to get to you (when the headers have not been modified).

Reading text files while FTP'ing

This article was posted by Matty on 2005-01-10 23:55:00 -0400 -0400

If your not already aware, most FTP client come with a “more” command to allow text and data to be displayed a page at a time. This allows you to display text files inline, and alleviates the need to download the file and fire up a viewer:

$ ftp

Name ( anonymous
331 Guest login ok, send your complete e-mail address as password.
230 Logged in anonymously.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp>cd pub
250 "/pub" is new cwd.

ftp>cd /pub/products
250 "/pub/products" is new cwd.

ftp> get sf.4.0.sol.list |more
local: |more remote: sf.4.0.sol.list
227 Entering Passive Mode (143,127,12,46,219,207)
150 Data connection accepted from; transfer
starting for sf.4.0.sol.list (3310 bytes).
VERITAS Storage Foundation 4.0 for Solaris
Old Name: Foundation Suite

Storage Foundation 4.0 for Solaris download files:
sf.4.0.sol.tar.gz 397228323 bytes Storage Foundation
sts.docCD.4.0.sol.tar.gz 248766169 bytes Documentation CD

After downloading to Solaris, verify the checksum of each file.
# cksum sf.4.0.sol.tar.gz
2051927958 397228323 sf.4.0.sol.tar.gz

[ ... ]

I have found this super useful over the years.