Fixed LDAP after upgrading from CentOS 5.4 to 5.5

Some months ago I upgraded my CentOS servers from version 5.4 to 5.5. One of these servers was running an LDAP master and an LDAP slave as a playground. After the upgrade to CentOS 5.5 it was broken, but due to other priorities I didn’t have a chance to fix it.

On my systems I enabled TLS for communication with the LDAP servers and also enabled Kerberos, which resulted in a modified /etc/sysconfig/ldap:

# Enable Kerberos
export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"

But I noticed that the RPM had installed a new version of that file, with the extension .rpmnew. After applying the changes from the .rpmnew file and setting SLAPD_LDAPS and SLAPD_LDAPI to “yes”, I ended up with the following content:

# Parameters to ulimit called right before starting slapd
# - use this to change system limits for slapd
ULIMIT_SETTINGS=

# How long to wait between sending slapd TERM and KILL
# signals when stopping slapd by init script
# - format is the same as used when calling sleep
STOP_DELAY=3s

# By default only listening on ldap:/// is turned on.
# If you want to change listening options for slapd,
# set following three variables to yes or no
SLAPD_LDAP=yes
SLAPD_LDAPS=yes
SLAPD_LDAPI=yes
export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"

And guess what… It works again :-)
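The lesson of this post is that a package upgrade can quietly replace the file your init script reads, so a local addition like the KRB5_KTNAME export has to be carried over by hand. As an added example (not from the original post), the script below compares a live /etc/sysconfig file with the .rpmnew copy the package left beside it and reports the keys only you set, the keys only the new file knows, and values that differ. It parses the files instead of sourcing them, so nothing in them executes. The two input files are constructed in a temp directory and only stand in for /etc/sysconfig/ldap and its .rpmnew twin.

```python
"""Added example, not from the original post: compare a live /etc/sysconfig
file with the .rpmnew copy a package upgrade left beside it, so local additions
(such as the KRB5_KTNAME export above) are carried over and new upstream keys
are not missed.  The two files are constructed in a temp directory so this
runs offline; the paths only stand in for /etc/sysconfig/ldap{,.rpmnew}.
"""
import os
import re
import tempfile

# Matches "KEY=value" and "export KEY=value"; comments and blank lines never match.
ASSIGNMENT = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def parse_sysconfig(path):
    """Return {KEY: value} for every assignment in a sysconfig-style file.

    Surrounding single or double quotes are stripped from the value; the file
    is never sourced, so a stray command in it cannot execute here."""
    settings = {}
    with open(path) as fh:
        for line in fh:
            m = ASSIGNMENT.match(line)
            if m:
                key, value = m.group(1), m.group(2).strip()
                if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                    value = value[1:-1]
                settings[key] = value
    return settings


def compare_sysconfig(live_path, rpmnew_path):
    """Return (local_only, new_only, changed) for the two files.

    local_only: keys present only in the live file (your additions to keep)
    new_only:   keys the new file introduces that the live file lacks
    changed:    keys in both whose values differ, as {KEY: (live, new)}"""
    live = parse_sysconfig(live_path)
    new = parse_sysconfig(rpmnew_path)
    local_only = sorted(set(live) - set(new))
    new_only = sorted(set(new) - set(live))
    changed = {k: (live[k], new[k])
               for k in sorted(set(live) & set(new)) if live[k] != new[k]}
    return local_only, new_only, changed


# Constructed stand-ins for the two files in the post: the pre-upgrade file
# with only the Kerberos export, and the packaged defaults (ldaps/ldapi off).
LIVE_TEXT = """# Enable Kerberos
export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
"""
RPMNEW_TEXT = """# Parameters to ulimit called right before starting slapd
ULIMIT_SETTINGS=
STOP_DELAY=3s
SLAPD_LDAP=yes
SLAPD_LDAPS=no
SLAPD_LDAPI=no
"""


def demo():
    """Write the constructed files to a temp dir and compare them."""
    workdir = tempfile.mkdtemp()
    live = os.path.join(workdir, "ldap")
    rpmnew = os.path.join(workdir, "ldap.rpmnew")
    with open(live, "w") as fh:
        fh.write(LIVE_TEXT)
    with open(rpmnew, "w") as fh:
        fh.write(RPMNEW_TEXT)
    return compare_sysconfig(live, rpmnew)


if __name__ == "__main__":
    local_only, new_only, changed = demo()
    print("keep from live file :", local_only)
    print("new in .rpmnew      :", new_only)
    print("differing values    :", changed)
```

Against the constructed files the report lists KRB5_KTNAME as the one key to keep and the five slapd keys as new; on a real box you would run compare_sysconfig on the actual pair after every `rpm -qa` upgrade that leaves .rpmnew files behind.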

Load Grid Engine accounting file into MySQL

Recently I needed to create a report about the utilization of an HPC cluster that uses Grid Engine, but we didn’t have ARCO, so it wasn’t running yet for that cluster :-(

So I dug into my brain on how to load data from a “raw” format into a database… it’s something I did when I worked for PricewaterhouseCoopers Advisory, but then I used financial data.


First you need to create a database within MySQL:

mysql> create database ge_accounting;

Then we create a table for the accounting information. Put the following in a file named (for example) create-tables.sql:

create table ge_jobs
(
ge_qname char(30) not null,
ge_hostname char(30) not null,
ge_group char(10) not null,
ge_owner char(10) not null,
ge_job_name char(255) not null,
ge_job_number int unsigned not null primary key,
ge_account char(30) not null,
ge_account_prio int unsigned not null,

tmp_submission_time int unsigned not null,
tmp_start_time int unsigned not null,
tmp_end_time int unsigned not null,

ge_failed int unsigned not null,
ge_exit_status int unsigned not null,
ge_ru_wallclock int unsigned not null,
ge_ru_utime int unsigned not null,
ge_ru_stime int unsigned not null,
ge_ru_maxrss int unsigned not null,
ge_ru_ixrss int unsigned not null,
ge_ru_ismrss int unsigned not null,
ge_ru_idrss int unsigned not null,
ge_ru_isrss int unsigned not null,
ge_ru_minflt int unsigned not null,
ge_ru_majflt int unsigned not null,
ge_ru_nswap int unsigned not null,
ge_ru_inblock int unsigned not null,
ge_ru_oublock int unsigned not null,
ge_ru_msgsnd int unsigned not null,
ge_ru_msgrcv int unsigned not null,
ge_ru_nsignals int unsigned not null,
ge_ru_nvcsw int unsigned not null,
ge_ru_nivcsw int unsigned not null,
ge_project char(30) not null,
ge_department char(30) not null,
ge_granted_pe char(30),
ge_slots int unsigned not null,
ge_task_number int unsigned not null,
ge_cpu int unsigned not null,
ge_mem int unsigned not null,
ge_io int unsigned not null,
ge_category char(255),
ge_iow int unsigned not null,
ge_pe_taskid char(30),
ge_maxvmem int unsigned not null,
ge_arid int unsigned not null,

tmp_ar_submission_time int unsigned not null,

ge_submission_time timestamp not null,
ge_start_time timestamp not null,
ge_end_time timestamp not null,
ge_ar_submission_time timestamp not null

);

Then use mysql to load the table definition:

$ mysql -u root -p ge_accounting < create-tables.sql

Now we can load the data into the database. For this example $SGE_ROOT is set to /apps/ge and the $SGE_CELL is set to default.

$ mysql -u root -p ge_accounting

mysql> LOAD DATA INFILE '/apps/ge/default/accounting/accounting'
REPLACE
INTO TABLE ge_jobs
FIELDS TERMINATED BY ':'
IGNORE 4 LINES;

And now we have to convert the epoch time stamps into proper timestamps using the following query:

mysql> UPDATE ge_jobs
SET ge_submission_time = FROM_UNIXTIME(tmp_submission_time),
ge_start_time = FROM_UNIXTIME(tmp_start_time),
ge_end_time = FROM_UNIXTIME(tmp_end_time),
ge_ar_submission_time = FROM_UNIXTIME(tmp_ar_submission_time);

And now you can write a query that shows the utilization per month based on 16 available slots, with 10% reserved for non-availability due to maintenance by the admins:

mysql> SELECT MONTH(ge_submission_time) AS show_month,
SUM(ge_ru_wallclock * ge_slots) AS total_wallclock,
(SUM(ge_ru_wallclock * ge_slots) / (DATE_FORMAT(LAST_DAY(ge_submission_time),'%d') * 86400 * 16 * 0.9) * 100) AS total_util
FROM ge_jobs
WHERE YEAR(ge_submission_time) = '2009'
GROUP BY show_month
ORDER BY show_month;

Please note, the query above is not perfect! It is based on the submission time… but it doesn’t handle jobs that run in multiple months… I have to tweak my query a little bit more for this.
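The multi-month problem is easier to solve outside SQL: walk the accounting file, and whenever a job's start and end fall in different months, charge each month only the slot-seconds that fell inside it. The following is an added example, not code from the original post; it uses the same 45-field colon-separated layout the ge_jobs table above is built for and the post's capacity formula (days × 86400 × 16 slots × 0.9), but takes months in UTC where MySQL would use the server time zone. The sample lines are constructed, not real accounting data.

```python
"""Added example, not from the original post: compute per-month utilization
straight from the Grid Engine accounting file, splitting a job that runs
across a month boundary between the months it actually ran in (the case the
SQL query above does not handle).  Field positions follow the 45-field,
colon-separated layout the ge_jobs table is built for; months are taken in
UTC here, where MySQL would use the server time zone.  The sample lines are
constructed, not real accounting data.
"""
from calendar import monthrange
from datetime import datetime, timezone

# 0-based field positions in the accounting file, matching the column order
# of the ge_jobs table above.
F_JOB_NUMBER = 5
F_START_TIME = 9
F_END_TIME = 10
F_SLOTS = 34
FIELD_COUNT = 45

SLOTS_AVAILABLE = 16      # cluster size used in the post's query
MAINTENANCE_FACTOR = 0.9  # 10% reserved for admin maintenance, as in the post


def parse_accounting(lines):
    """Yield (job_number, start, end, slots) for every data line.

    Header/comment lines ('#') and short lines are skipped, as are jobs that
    never started (start_time 0) or have end before start."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < FIELD_COUNT:
            continue
        start, end = int(fields[F_START_TIME]), int(fields[F_END_TIME])
        if start == 0 or end < start:
            continue
        yield int(fields[F_JOB_NUMBER]), start, end, int(fields[F_SLOTS])


def next_month_start(ts):
    """Epoch seconds of the first second of the UTC month after the one containing ts."""
    d = datetime.fromtimestamp(ts, tz=timezone.utc)
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return int(datetime(year, month, 1, tzinfo=timezone.utc).timestamp())


def slot_seconds_per_month(jobs):
    """Return {(year, month): slot-seconds}; each job is cut at month
    boundaries so a job running 31 Jan to 2 Feb is charged to both months."""
    usage = {}
    for _job, start, end, slots in jobs:
        cursor = start
        while cursor < end:
            segment_end = min(next_month_start(cursor), end)
            d = datetime.fromtimestamp(cursor, tz=timezone.utc)
            key = (d.year, d.month)
            usage[key] = usage.get(key, 0) + (segment_end - cursor) * slots
            cursor = segment_end
    return usage


def utilization_per_month(jobs, slots_available=SLOTS_AVAILABLE,
                          factor=MAINTENANCE_FACTOR):
    """Return {(year, month): utilization in percent, rounded to 2 places};
    capacity = days in month * 86400 * slots * factor, the post's formula."""
    result = {}
    for (year, month), used in slot_seconds_per_month(jobs).items():
        capacity = monthrange(year, month)[1] * 86400 * slots_available * factor
        result[(year, month)] = round(used / capacity * 100, 2)
    return result


def make_line(job_number, start, end, slots):
    """Build one constructed 45-field accounting line (not real data)."""
    f = ["0"] * FIELD_COUNT
    f[0], f[1], f[2], f[3] = "all.q", "node01", "users", "pieter"
    f[4], f[F_JOB_NUMBER], f[6] = "job%d" % job_number, str(job_number), "sge"
    f[8], f[F_START_TIME], f[F_END_TIME] = str(start), str(start), str(end)
    f[13] = str(max(end - start, 0))                 # ru_wallclock
    f[31], f[32], f[33] = "NONE", "defaultdepartment", "NONE"
    f[F_SLOTS] = str(slots)
    return ":".join(f)


SAMPLE_ACCOUNTING = [
    "# constructed header line, skipped like the real file's comment header",
    make_line(101, 1233360000, 1233532800, 4),   # 31 Jan 00:00 to 2 Feb 00:00 UTC 2009
    make_line(102, 1230771600, 1230778800, 16),  # 1 Jan 01:00 to 03:00 UTC 2009
    make_line(103, 0, 0, 1),                     # never started: skipped
]

if __name__ == "__main__":
    months = utilization_per_month(parse_accounting(SAMPLE_ACCOUNTING))
    for (year, month), pct in sorted(months.items()):
        print("%04d-%02d  %6.2f %%" % (year, month, pct))
```

Job 101 in the sample runs two days across the January/February boundary, so one day's worth of its 4 slots lands in each month; the SQL query would have booked the whole job to January because that is where its submission time falls. Everything else (wallclock × slots, the 16 × 0.9 capacity) is kept the same as in the post so the two results can be compared.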

Bleeding edge, is indeed bleeding edge

Yesterday I thought: let’s play with FC12 (aka Rawhide, aka FC11.90). So I enabled the Rawhide repositories on my FC11 laptop and entered “yum -y update”. And after a while it was there… a bleeding edge kernel and other packages.

The first issue I ran into was that Firefox 3.5 was not able to run; it caused a segfault. :-( There seems to be a bug in the xulrunner package. I was able to fix it by “downgrading” Firefox to 3.0.11, but that one crashed on pages using the “Adobe Flash plugin”. So I removed the Flash plugin, because I wanted bleeding edge Fedora. Having that “sorted out” I wanted to suspend my laptop, and guess what… It didn’t want to suspend… so after some hacking around… it still didn’t work.

So my final decision was to go back to FC11. I was able to “downgrade” my system in about 60 minutes. At home I have a mirror repository with all the backups, so during installation I added these repositories and had all the updates in one go as well.

Lesson learned: “Bleeding edge… is indeed bleeding edge!”

I need my laptop for my daily work… If I didn’t need it for my daily work I would have kept FC12 (aka Rawhide, aka FC11.90) on it to participate in developing FC12.

Require client-SSL certificate for certain content.

On a kind of “intranet” website, which is secured with username/password combinations and HTTPS, I’ve implemented the following feature:

– Authorized users can read everything on the website

– Files with “classified” in their filename require a valid SSL client certificate…

Here is the relevant part of my Apache config:

<Directory /usr/sites/ssl-site/intranet/htdocs>
  Options Indexes MultiViews
  AllowOverride AuthConfig
  Order allow,deny
  Allow from all
  AuthName "intranet"
  AuthType Basic
  AuthUserFile /usr/sites/ssl-site/intranet/etc/users.pwl
  require valid-user
</Directory>

<LocationMatch .*(c|C)(l|L)(a|A)(s|S)(s|S)(i|I)(f|F)(i|I)(e|E)(d|D).+>
  SSLVerifyClient require
  SSLVerifyDepth 1
  SSLOptions +OptRenegotiate
</LocationMatch>

I still have to sort out some issues, like directories having a directory with the name “classified” in them.
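Since LocationMatch runs an unanchored regex over the request path, it pays to test the pattern against the kinds of URLs the site actually serves before relying on it for the classified files. The following is an added example, not part of the original post or its config: it applies the pattern exactly as written above to a list of constructed paths and reports which would require a client certificate. Python's re module stands in for Apache's PCRE, which is adequate for these patterns.

```python
"""Added example, not from the original post: check which URL paths the
LocationMatch pattern above would put behind SSLVerifyClient, before the
config is deployed.  Python's re stands in for Apache's PCRE here, which is
adequate for these patterns; the sample paths are constructed.
"""
import re

# The pattern exactly as written in the post: each letter spelled out in both
# cases, and ".+" demanding at least one character after "classified".
PATTERN_FROM_POST = re.compile(
    r".*(c|C)(l|L)(a|A)(s|S)(s|S)(i|I)(f|F)(i|I)(e|E)(d|D).+")

# The same rule with a case-insensitive flag (PCRE accepts (?i) as well);
# it keeps the trailing ".+" so both patterns match the same set of paths.
PATTERN_SHORT = re.compile(r"(?i)classified.+")


def requires_client_cert(path, pattern=PATTERN_FROM_POST):
    """True when an unanchored search for PATTERN matches the URL path,
    which is how LocationMatch applies its regex."""
    return pattern.search(path) is not None


def classify(paths, pattern=PATTERN_FROM_POST):
    """Return {path: cert_required} for a list of URL paths."""
    return {p: requires_client_cert(p, pattern) for p in paths}


# Constructed sample paths under the intranet DocumentRoot.
SAMPLE_PATHS = [
    "/reports/classified-q1.pdf",       # lower case: cert required
    "/reports/CLASSIFIED_Q2.xls",       # upper case: cert required
    "/Classified/index.html",           # directory named classified: cert required
    "/reports/classified",              # nothing after the word: password only
    "/reports/public-q1.pdf",           # unrelated file: password only
    "/reports/unclassified-notes.txt",  # substring match: cert required
]

if __name__ == "__main__":
    for path, protected in classify(SAMPLE_PATHS).items():
        print("%-14s %s" % ("cert required" if protected else "password only", path))
```

Two things the listing makes visible: the pattern is substring-based, so a file called unclassified-notes.txt is covered too (over-protection, the safe direction), while a file named exactly classified with nothing after the word is not, because of the trailing `.+`. Whether that last case matters depends on how files are named on the site, which is exactly what a run over the real document tree would tell you.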

“Easy share” IMAP folders with Courier-imap

Recently I got an iPhone, but I have multiple kinds of mail coming into my mailbox (private/business/sysop). I use maildrop to put them into the right folders. I want to share my business (sub)folder(s) with my special iPhone account… but how could we do that… (please note you should have admin privileges)

Step 1 – Create a new user and put the “source” mailbox user in the right group

Create an iPhone user on your server (in my case the user is iphone) and add the source user (in my case pieter) to the iphone group (created during the creation of the iphone user).

Step 2 – Set permissions correct of the source mailbox

Make sure the world can traverse ~pieter/Maildir; set this by entering:

[root@server ~]# chmod o+x ~pieter/Maildir

Now we also have to set the group permissions correctly on the source sub-folders:

[root@server ~]# chown -R pieter:iphone ~pieter/Maildir/.Business*

Set the setgid bit and group permissions on the folders you want to share:

[root@server ~]# find ~pieter/Maildir/.Business* -type d -exec chmod 2770 {} \;

Set the group permissions on the current messages:

[root@server ~]# find ~pieter/Maildir/.Business* -type f -exec chmod 0660 {} \;

Step 3 – Setup the functional account and mailstructure

Become that user (can be done via sudo):

[pieter@server ~]$ sudo su - iphone
Password: ****
[iphone@server ~]$

Create the maildir structure:

[iphone@server ~]$ maildirmake ~/Maildir

Remove the cur, new and tmp folders:

[iphone@server ~]$ rm -rf ~/Maildir/[cnt]*

Now link them to the source:

[iphone@server ~]$ for x in cur new tmp; do ln -s /home/pieter/Maildir/.Business/$x ~iphone/Maildir/$x; done

Step 4 – Share the subfolders as well

[iphone@server ~]$ cd ~/Maildir
[iphone@server Maildir]$ maildirmake .Archive
[iphone@server Maildir]$ rm -rf ~/Maildir/.Archive/[cnt]*
[iphone@server Maildir]$ for x in cur new tmp; do ln -s /home/pieter/Maildir/.Business.Archive/$x ~iphone/Maildir/.Archive/$x; done

Perform step 4 for all the other subfolders you would like to share ;-) (Please note that you have to set the permissions in step 2 as well.) This was done on a FreeBSD 6.3 system; I don’t know what the impact might be on Linux systems with SELinux, nor do I know what the impact might be of the chmod o+x on Maildir… we will investigate. Initially I did a chown pieter:iphone on the source maildir… but my IMAP server refused the connection due to a wrong gid.

Also keep in mind to set a umask of 007 in your procmail/maildrop filter!
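Steps 2 to 4 leave a specific permission layout behind, and a message delivered later with the wrong umask silently breaks it for the sharing account. As an added example (not from the original post), the checker below verifies that layout: o+x on the source Maildir, 2770 on every shared folder, 0660 on every message, and cur/new/tmp inside the sharing account's Maildir symlinked to the source. It builds the layout in a temp directory in place of ~pieter and ~iphone so it runs without those accounts; group ownership is not checked because the iphone group does not exist in that setting.

```python
"""Added example, not from the original post: a check for the permission
layout steps 2 to 4 above produce (o+x on the source Maildir, 2770 on the
shared folders, 0660 on messages, and cur/new/tmp inside the sharing account's
Maildir symlinked to the source).  The layout is built in a temp directory in
place of ~pieter and ~iphone so it runs without those accounts; group
ownership is not verified because the 'iphone' group does not exist here.
"""
import os
import stat
import tempfile

SUBDIRS = ("cur", "new", "tmp")


def check_shared_maildir(source_maildir, share_maildir, folders):
    """Return a list of (category, path, detail) findings; empty means the
    layout matches the post.  FOLDERS maps a folder name inside the sharing
    account's Maildir ("" for its top level) to the source sub-folder name."""
    findings = []
    if not os.stat(source_maildir).st_mode & stat.S_IXOTH:
        findings.append(("other-exec", source_maildir,
                         "needs o+x so the sharing account can traverse it"))
    for share_name, source_name in folders.items():
        src = os.path.join(source_maildir, source_name)
        for dirpath, _dirnames, filenames in os.walk(src):
            dmode = os.stat(dirpath).st_mode
            if stat.S_IMODE(dmode) & 0o077 != 0o070:
                findings.append(("mode", dirpath,
                                 "directory should be 2770, is %o" % stat.S_IMODE(dmode)))
            if not dmode & stat.S_ISGID:
                findings.append(("setgid", dirpath,
                                 "setgid bit missing, new files will not inherit the group"))
            for name in filenames:
                fpath = os.path.join(dirpath, name)
                fmode = stat.S_IMODE(os.stat(fpath).st_mode)
                if fmode & 0o077 != 0o060:
                    findings.append(("mode", fpath, "message should be 0660, is %o" % fmode))
        share = os.path.normpath(os.path.join(share_maildir, share_name))
        for sub in SUBDIRS:
            link, target = os.path.join(share, sub), os.path.join(src, sub)
            if not os.path.islink(link):
                findings.append(("symlink", link, "not a symlink to the source folder"))
            elif os.path.realpath(link) != os.path.realpath(target):
                findings.append(("symlink", link, "points to %s" % os.readlink(link)))
    return findings


def build_demo(break_one_message=False):
    """Reproduce steps 2 to 4 in a temp dir and return the findings.  With
    BREAK_ONE_MESSAGE one message is left at 0644, as a message delivered
    without the umask 007 from the note above would be."""
    root = tempfile.mkdtemp()
    pieter = os.path.join(root, "pieter", "Maildir")   # stands in for ~pieter/Maildir
    iphone = os.path.join(root, "iphone", "Maildir")   # stands in for ~iphone/Maildir
    folders = {"": ".Business", ".Archive": ".Business.Archive"}
    for source_name in folders.values():
        for sub in SUBDIRS:
            os.makedirs(os.path.join(pieter, source_name, sub))
    msg = os.path.join(pieter, ".Business", "cur", "1230768000.M1P1.server:2,S")
    with open(msg, "w") as fh:
        fh.write("Subject: constructed sample message\n\n(body)\n")
    os.chmod(pieter, 0o701)                        # chmod o+x on a 0700 Maildir
    for source_name in folders.values():           # find -type d chmod 2770 / -type f chmod 0660
        for dirpath, _dirnames, filenames in os.walk(os.path.join(pieter, source_name)):
            os.chmod(dirpath, 0o2770)
            for name in filenames:
                os.chmod(os.path.join(dirpath, name), 0o644 if break_one_message else 0o660)
    for share_name, source_name in folders.items():  # maildirmake + rm cur/new/tmp + ln -s
        share = os.path.normpath(os.path.join(iphone, share_name))
        os.makedirs(share)
        for sub in SUBDIRS:
            os.symlink(os.path.join(pieter, source_name, sub), os.path.join(share, sub))
    return check_shared_maildir(pieter, iphone, folders)


if __name__ == "__main__":
    for finding in build_demo(break_one_message=True):
        print(*finding)
```

Run against the real ~pieter/Maildir and ~iphone/Maildir with the same folders mapping, the findings list is what you would review after adding a new shared subfolder or after noticing the iPhone account cannot read a recent message; the setgid category is what makes the umask note above matter less, since a setgid directory at least keeps the group right on new files.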

But… conclusion… it works cool.

Linux SUDO-hack

It can happen that you have sudo access to another account (most of the time it will be the root account). But most of the time the NOPASSWD option is not used, for security reasons. Still, there are moments you want to have sudo credentials available, think of a script or something else…. I had the same issue, so I found the following “hack” to get the timestamp refreshed every 60 seconds.

(Please note the script uses the user “root”, but it can be another user; modify the script so it fits your needs.)

Step 1)

Create a script in your $HOME/bin with the following content (I call it sudo-hack.sh):


#!/bin/bash
# Refresh the sudo timestamp every 60 seconds for as long as this runs
while true; do
    sudo -u root /bin/true >/dev/null 2>&1
    sleep 60
done


Step 2)

Get a valid sudo-timestamp:

$ sudo -u root /bin/true
Password:
$

Step 3)

Start sudo-hack.sh in the background:

$ $HOME/bin/sudo-hack.sh &
$

That’s all!
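A loop like the one above leaves a very regular trace in the sudo log, which is what makes it easy for the admin side to notice. The following is an added example (not from the original post) of detection logic that parses sudo's default syslog format and reports users who run a no-op such as /bin/true at a fixed interval; the log lines below are constructed, including the host name and the jitter of a second or two that sleep 60 plus command start-up produces.

```python
"""Added example, not from the original post: detection logic for the
keep-alive pattern the script above produces.  sudo logs every command it
runs through syslog, so a user invoking a no-op like /bin/true at a fixed
interval for a long stretch stands out.  The log lines below are constructed
in the default syslog format sudo uses; nothing here is from a real system.
"""
import re
from datetime import datetime

# Default sudo syslog line:
# "<Mon dd HH:MM:SS> <host> sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands that do nothing useful and only serve to touch the timestamp.
NOOP_COMMANDS = {"/bin/true", "/usr/bin/true"}


def parse_sudo_log(lines, year=2009):
    """Yield (timestamp, host, user, target, command) for each sudo line.

    Syslog omits the year, so it is supplied by the caller."""
    for line in lines:
        m = SUDO_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        yield ts, m.group("host"), m.group("user"), m.group("target"), m.group("cmd")


def find_keepalives(events, min_runs=5, interval=60, jitter=5):
    """Return (user, target, host, first_seen, last_seen, runs) for every
    stretch of at least MIN_RUNS no-op sudo calls spaced INTERVAL +/- JITTER
    seconds apart.  A single interactive /bin/true never qualifies."""
    by_key = {}
    for ts, host, user, target, cmd in events:
        if cmd.strip() in NOOP_COMMANDS:
            by_key.setdefault((user, target, host), []).append(ts)
    alerts = []
    for (user, target, host), stamps in by_key.items():
        stamps.sort()
        run_start, runs = 0, 1
        for i in range(1, len(stamps) + 1):
            regular = (i < len(stamps) and
                       abs((stamps[i] - stamps[i - 1]).total_seconds() - interval) <= jitter)
            if regular:
                runs += 1
                continue
            if runs >= min_runs:   # the run ended at stamps[i - 1]
                alerts.append((user, target, host, stamps[run_start], stamps[i - 1], runs))
            run_start, runs = i, 1
    return alerts


# Constructed log excerpt: pieter's loop every ~60 s, one real admin command
# from another terminal, one unrelated /bin/true by alice, and an sshd line.
SAMPLE_LOG = [
    "Jan  5 10:00:00 server sudo:   pieter : TTY=pts/0 ; PWD=/home/pieter ; USER=root ; COMMAND=/bin/true",
    "Jan  5 10:01:00 server sudo:   pieter : TTY=pts/0 ; PWD=/home/pieter ; USER=root ; COMMAND=/bin/true",
    "Jan  5 10:01:30 server sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/true",
    "Jan  5 10:02:01 server sudo:   pieter : TTY=pts/0 ; PWD=/home/pieter ; USER=root ; COMMAND=/bin/true",
    "Jan  5 10:02:30 server sudo:   pieter : TTY=pts/2 ; PWD=/home/pieter ; USER=root ; COMMAND=/sbin/service ldap restart",
    "Jan  5 10:03:01 server sudo:   pieter : TTY=pts/0 ; PWD=/home/pieter ; USER=root ; COMMAND=/bin/true",
    "Jan  5 10:04:02 server sudo:   pieter : TTY=pts/0 ; PWD=/home/pieter ; USER=root ; COMMAND=/bin/true",
    "Jan  5 10:05:02 server sudo:   pieter : TTY=pts/0 ; PWD=/home/pieter ; USER=root ; COMMAND=/bin/true",
    "Jan  5 10:05:05 server sshd[1234]: Accepted publickey for pieter from 10.0.0.5 port 50000 ssh2",
]

if __name__ == "__main__":
    for user, target, host, first, last, runs in find_keepalives(parse_sudo_log(SAMPLE_LOG)):
        print("%s: %s -> %s ran a no-op %d times, %s to %s" % (
            host, user, target, runs, first.time(), last.time()))
```

The detector groups by (user, target account, host) and only reports a run of regularly spaced no-ops, so a single interactive sudo /bin/true or a real service restart between the ticks does not trigger it. If a long-running unattended job genuinely needs elevated rights, a sudoers rule scoped to that one command is the conventional answer; the report tells the admin who is relying on the workaround instead.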

Passed – RH423 Red Hat Enterprise Directory Services and Authentication

This week I had the “Red Hat Enterprise Directory Services and Authentication” course and exam in Amsterdam.

In the course we had some very nice stuff, like Red Hat DS and at the end Red Hat Enterprise IPA… all very cool… but today I had the exam (due to the Red Hat NDA I am not allowed to say anything about the exam, so I won’t)… but a few hours after the exam I received my results… and I passed the exam :-D