LDAP on OpenVMS

Tags

acme, LDAP, ldapacme$config-std.ini, open, OpenVMS, systart_vms.com, sysuaf

HP introduced LDAP support for password authentication in OpenVMS 8.3, which is fantastic. However, when looking for documentation about how it is configured and implemented, one comes up short – there is a dearth of information to be found.

Thanks to Hoffman Labs, this is no longer the case: their article on LDAP exposes the configuration details of ACME LDAP on OpenVMS quite nicely. They have the technical details as well as the README from the ACME LDAP add-on posted there; I’ll try to summarize installation and configuration concisely here.

ACME is the Authentication and Credential Management Extensions, which appear to be an architecture for creating plugins for authentication and so forth, like PAM (the Pluggable Authentication Modules) for UNIX. ACME appears to have been introduced in OpenVMS 8.3.

ACME LDAP is perhaps the most visible of the first of these extensions. This, perhaps, explains its dearth of publically accessible documentation. Currently, ACME LDAP has these features:

• Support for TLS/SSL
• Support for StartTLS
• Support for Active Directory
• Support for Netscape “expired password” mechanisms

ACME LDAP also has these restrictions:

• Still requires local username; password only is checked against LDAP
• Characters in usernames and passwords are restricted to ISO 8859-1 eight bit characters; UTF-8 support not present.
• Characters in passwords used in Active Directory are restricted to ISO 8859-1 7-bit ASCII characters.

Each user account to be authenticated with LDAP must exist on the system (in the SYSUAF file) and must have the EXTAUTH flag set.

To use ACME LDAP, you must configure the SYS$STARTUP:LDAPACME$CONFIG-STD.INI file. The file can be started by copying the LDAPACME$CONFIG-STD.INI_TEMPLATE file:

$ COPY SYS$STARTUP:LDAPACME$CONFIG-STD.INI_TEMPLATE SYS$STARTUP:LDAPACME$CONFIG-STD.INI

An example LDAPACME$CONFIG-STD.INI may look like this:

server = roux.zko.hp.com
port = 636
port_security = ssl
bind_dn = uid=acme-admin,ou=people,dc=acme,dc=mycompany,dc=com
bind_password = swordfish
base_dn = ou=people,dc=acme,dc=mycompany,dc=com
login_attribute = uid
scope = sub
ca_file = sys$manager:acme_ca.crt

This example is suitable for the Red Hat Directory Server (also known as the Fedora Directory Server).

The LDAP Persona extension must also be loaded using the MCR utility:

$ MCR SYSMAN
SYSMAN> SYS_LOADABLE ADD LDAPACME LDAPACME$EXT
SYSMAN> exit

$ @SYS$UPDATE:VMS$SYSTEM_IMAGES.COM

Following the load of the LDAP Persona extension, the system must be rebooted:

$ @SYS$SYSTEM:SHUTDOWN

If there are no errors during startup, then the LDAP Persona extension was loaded correctly.

Change the SYS$MANAGER:ACME$START.COM file to contain a pointer to the initialization file and to start the LDAP extension automatically.

Add the following definition line to ACME$START.COM:

$ DEFINE/SYSTEM/EXECUTIVE LDAPACME$INIT SYS$STARTUP:LDAPACME$CONFIG-STD.INI

To start the server at ACME load time, add this line:

$ @SYS$STARTUP:LDAPACME$STARTUP-STD ! LDAP

Finally, configure the system to start the ACME subsystem by adding this line to SYS$MANAGER:SYSTART_VMS.COM:

$ SET SERVER ACME/RESTART

The description from Hoffman Labs is a perfect example of how community support works!

Update: A nice description (from the VMS Help subsystem) of the ACME server can be found here; it describes SET SERVER ACME_SERVER.

Directory Sizes

Each directory in UNIX is just another file in UNIX like any other. Directories contain information about the names of files and their locations on disk. As more and more files are added to a directory, the directory itself grows larger and larger. However, the directory does not shrink when files are removed.

For example:

# ls -ld /tmp
drwxrwxrwt 14 root root 4096 2007-10-29 11:14 /tmp

This directory is 4096 bytes (4k) in size. There is no way to actually shrink this directory. To reduce its size, the directory must be moved (renamed) and its contents copied into a new directory.

This could be done this way:

# mv /tmp /tmp.old
# mkdir /tmp
# chmod 1777 /tmp

The chmod will change the /tmp directory permissions to the appropriate ones. Note that the “sticky” bit is set, which means that files may be created, accessed, and deleted by anyone, but that files may be deleted only by their owner.

In the case of the /tmp directory, it may be best to reboot before deleting the old directory to avoid problems with programs using /tmp.

Supporting Open Source with a Linux Credit Card? Think Twice…

Tags

credit, creditcard, linuxfund

This credit card from the LinuxFund seems like a good idea.  You and I would certainly like to support open source projects like Linux and KDE and so on.  Each purchase on this credit card results in a donation to a worthy open source cause, and you can send all of your cash-back rewards back as donations as well.

However, this turns out to be a lesson in reading the fine print.  This card has some very ominous conditions, which they don’t tell you except in the fine print:

• The rate is not fixed, but variable: that means it can go up and down over time, with no changes in the terms.
• The terms (including APR, fees, and conditions) may be changed at any time and without notice to you.
• The default rate is (approximately) 12% over prime up to 21% over prime.
• Cash advances are 24% over prime.
• If you miss a payment by more than 15 days, your rate will skyrocket to 32% over prime.
• If you miss a payment by more than 5 days twice in a year, your rate will skyrocket to 32% over prime.
• If you miss any payment on any card you own they will raise your rate.

As you can see, there are a number of gotcha! features to this card.  However, it is not alone.  Here are some ways to avoid the gotchas:

• Is the advertized rate an introductory rate?  When does it expire?
• What is the rate for purchases?
• What is the rate for cash advances?
• Are there any other rates?
• Are the rates fixed or variable?
• Is there a grace period?  What happens if you miss a payment?
• Are the rates dependent on other cards?

It has been said that consumer credit is the riskiest form of credit, and the terms on most cards suggest that the credit card companies think so.  Read the fine print carefully!

Researching the Dynamic Loader on Any System

Tags

dld.sl, HPUX, ld-linux.so, ldd, Linux, nm, objdump, readelf

In finding information about the dynamic loader and shared libraries in general, there are several places to look. The obvious Internet location is Google; however, the system itself has a lot of information about shared libraries if one only knows where to look.

The first place is the information on the dynamic loader’s man page. Unfortunately, most loaders have names that are unique among their UNIX peers (Linux is almost universal). You can start by looking at the /lib directory for a program containing the string “ld” (or perhaps, “dl”). On Linux, this produces:

# ls -d *ld*
ld-2.6.so ld-linux.so.2

The proper Linux loader is ld-linux.so.

On HP-UX, this produces:

# ls -d *ld*
dld.sl* libdld.2* libldap_send.1*
libdld.0@ libdld.sl@ libldap_send.sl@
libdld.1* libldap.sl@ libnss_ldap.1*

Here, the proper loader is dld.sl.

Looking at the man pages for ld-linux.so or dld.sl or whatever was found gives a vast amount of information directly related to the dynamic loader and how it loads shared libraries, as well as debugging tools to report on how the libraries are found and loaded.

This man page will also mention utilities that will help you manipulate shared libraries. For example, the Linux man page for ld-linux.so mentions ldconfig(8); the HP-UX man page for dld.sl mentions the utilities fastbind(8) and chatr(8).

There are other utilities that remain fairly generic and which can help, though these tend to be specific to machines that are configured for development. If the development tools are not loaded, these tools may be missing. These utilities may include:

• ldd – list libraries used by a binary
• nm – list symbols from program binaries and/or libraries
• objdump – display information from binaries and/or libraries
• readelf – display information from ELF-formatted binaries

Always look at the SEE ALSO section in order find more information.

Shared Libraries (Linux)

The loading of shared libraries in Linux is somewhat complicated (though not any more than other UNIX systems). Firstly, Linux has gone through tremendous growth; as a result, the method and format of loadable libraries has changed several times, necessitating a change in the library loader:

• ld.so – for a.out formatted binaries
• ld-linux.so.1 – for ELF binaries that used libc5
• ld-linux.so.2 – for ELF binaries that use glibc

Nearly everything today will use ld-linux.so.2. All three use the same support files, configuration files, and so forth. The loaders ld-linux.so.1 and ld.so will not be discussed further.

The search for shared libraries goes in this order:

• Use the binary’s internally stored RPATH (deprecated).
• Use the environment variable LD_LIBRARY_PATH (except for suid and sgid binaries).
• Use the binary’s internally stored RUNPATH.
• Use the cache file /etc/ld.so.cache.
• Search /lib then /usr/lib.

If the binary being loaded was linked with the -z nodeflib (that is, no default libraries) option then the last two steps are ignored.

Conveniently, the loader is an actual program which can be executed and with a variety of options. There are only two that will be of assistance when debugging the loading of system libraries. To use a specified path instead of LD_LIBRARY_PATH, use the loader this way:

/lib/ld-linux.so.2 --library-path path binary

…where path is the library path, and binary is the program binary to be loaded and executed. To keep the program binary’s preconfigured RPATH and RUNPATH from being used, use this invocation:

/lib/ld-linux.so.2 --inhibit-rpath binary

The loader also recognizes a lot of different environment variables; only a few are relevant for most purposes:

• LD_LIBRARY_PATH: a path of directories to search for ELF libraries. Formatted like PATH.
• LD_PRELOAD: a list of libraries (separated by whitespace) to be loaded before all others. For suid and sgid binaries, only libraries in standard search directories that are also suid will be loaded.
• LD_BIND_NOW: bind (and load) all necessary libraries at startup instead of on demand. This is useful when using a debugger.
• LD_TRACE_LOADED_OBJECTS: produces output like ldd(8).
• LD_DEBUG: output debugging information related to the linker. If set to help will provide help for using this variable. If set to all, will provide full and detailed debugging of all portions of the dynamic loading process and of the dynamic loader.

The variable LD_DEBUG can be quite useful when debugging a missing library. The help for LD_DEBUG looks like this:

# LD_DEBUG=help nm --help
Valid options for the LD_DEBUG environment variable are:
.
libs display library search paths
reloc display relocation processing
files display progress for input file
symbols display symbol table processing
bindings display information about symbol binding
versions display version dependencies
all all previous options combined
statistics display relocation statistics
unused determined unused DSOs
help display this help message and exit
.
To direct the debugging output into a file instead of standard output
a filename can be specified using the LD_DEBUG_OUTPUT environment variable.

To debug a program’s shared libraries, try invoking the program with this environment variable set. As the program executes, each library search and library invocation will be reported. For example:

# LD_DEBUG=libs,versions ls -m
28927: find library=librt.so.1 [0]; searching
28927: search cache=/etc/ld.so.cache
28927: trying file=/lib/librt.so.1
28927:
28927: find library=libselinux.so.1 [0]; searching
28927: search cache=/etc/ld.so.cache
28927: trying file=/lib/libselinux.so.1
28927:
28927: find library=libacl.so.1 [0]; searching
28927: search cache=/etc/ld.so.cache
28927: trying file=/lib/libacl.so.1
28927:
28927: find library=libc.so.6 [0]; searching
28927: search cache=/etc/ld.so.cache
28927: trying file=/lib/libc.so.6
28927:
28927: find library=libpthread.so.0 [0]; searching
28927: search cache=/etc/ld.so.cache
28927: trying file=/lib/libpthread.so.0
28927:
28927: find library=libdl.so.2 [0]; searching
28927: search cache=/etc/ld.so.cache
28927: trying file=/lib/libdl.so.2
28927:
28927: find library=libsepol.so.1 [0]; searching
28927: search cache=/etc/ld.so.cache
28927: trying file=/lib/libsepol.so.1
28927:
28927: find library=libattr.so.1 [0]; searching
28927: search cache=/etc/ld.so.cache
28927: trying file=/lib/libattr.so.1
28927:
28927: checking for version `GLIBC_2.2' in file /lib/librt.so.1 [0] required by file ls [0]
28927: checking for version `ACL_1.0' in file /lib/libacl.so.1 [0] required by file ls [0]
28927: checking for version `GLIBC_2.2.3' in file /lib/libc.so.6 [0] required by file ls [0]
28927: checking for version `GLIBC_2.4' in file /lib/libc.so.6 [0] required by file ls [0]
28927: checking for version `GLIBC_2.3' in file /lib/libc.so.6 [0] required by file ls [0]
28927: checking for version `GLIBC_2.3.4' in file /lib/libc.so.6 [0] required by file ls [0]
28927: checking for version `GLIBC_2.1' in file /lib/libc.so.6 [0] required by file ls [0]
28927: checking for version `GLIBC_2.1.3' in file /lib/libc.so.6 [0] required by file ls [0]
28927: checking for version `GLIBC_2.2' in file /lib/libc.so.6 [0] required by file ls [0]
28927: checking for version `GLIBC_2.0' in file /lib/libc.so.6 [0] required by file ls [0]

[…Snip…]

The output can be quite verbose, but you can get the idea. This output can be most useful when a library is not being loaded by the loader (when you think it should be).

Warning: be aware, too, that the C compiler (gcc) as of version 4.0 requires a shared library for every program by default. If you are trying to create a static program, it will not truly be static until the gcc library is actually built into the binary. This requires a special gcc option for linking in addition to the standard -static option: -static-libgcc. The -static option alone is not enough. This library can be seen by using the -print-libgcc-file-name option:

# gcc -print-libgcc-file-name
/usr/lib/gcc/i386-redhat-linux/4.1.2/libgcc.a

Note, too, that any library required by a program has its own requirements: thus, if the library requires another library, and cannot find a static build version, then that library will be used as a shared library.

The program ldd can be used (as always) to find the libraries that a program requires:

# ldd $(which ls)
linux-gate.so.1 => (0x00ef8000)
librt.so.1 => /lib/librt.so.1 (0x0585b000)
libselinux.so.1 => /lib/libselinux.so.1 (0x004b2000)
libacl.so.1 => /lib/libacl.so.1 (0x05c0c000)
libc.so.6 => /lib/libc.so.6 (0x00101000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00282000)
/lib/ld-linux.so.2 (0x00dc2000)
libdl.so.2 => /lib/libdl.so.2 (0x00de1000)
libsepol.so.1 => /lib/libsepol.so.1 (0x0046a000)
libattr.so.1 => /lib/libattr.so.1 (0x05c05000)

The ldd program will also report if a library is missing.

Update: I forgot to mention these resources for further information about using (and creating) shared libraries in Linux:

• David Wheeler’s Program Library HOWTO
• Peter Seeback, Dissecting Shared Libraries, IBM DeveloperWorks, January 2005
• Russ Allbery, Shared Library Paths
• Ulrich Drepper, How to Write Shared Libraries (PDF)

In particular, I found Russ Allbery’s description most illuminating.

A “new” file pager: view

Tags

FreeBSD, HP-UX, Linux, man, redhat, Solaris, vi, view, vim

I, like most people I know, adore the file pager less. However, for whatever inconceivable reason, new UNIX systems (Linux doesn’t count here!) virtually never come with less. So… what to do when less is missing?

HP-UX, for one, comes with more and pg. Everything comes with more – but once you’ve used less you’ll never want to use a standard more again. The pager pg really isn’t any better.

Is there a solution? Yes – view.

What is view? The program view is a file pager which is included on virtually all UNIX and Linux systems. The view program is available, for example, in Solaris 9, HP-UX 11i v2, FreeBSD 6.2, Red Hat Linux 9, and more.

If you know vi, then you’ll know view. Why? Because view is actually vi in disguise, acting as a file pager with read-only access to the file.

The biggest drawback to view is that it does not handle stdin; that is, using view as the destination of a pipe gets very messy very fast (i.e., don’t do that!).

Apparently, vim handles this situation much better. Perhaps much better: there are ways to specify the use of vim with less keymappings, and to use view (i.e., vim) for general pager use! There are directions on how to make vim work as a man page viewer complete with syntax highlighting. Here is the quick and dirty instructions (for ksh):

export MANPAGER="col -b | view -c 'set ft=man nomod nolist' -"

For less key bindings, use (for ksh again):

export MANPAGER="col -b | /usr/share/vim/vim61/macros/less.sh -c 'set ft=man nomod nolist' -"

Be sure to use the right macro location for your version of vim. If you check out the original directions, be sure to read all of the comments: there are directions on how to properly configure the environment so reading man pages inside vim will work properly, and so that non-English locales can be handled properly, and more.

Next time you find yourself suffering without less – stop suffering through more and use view instead. You’ll be glad you did.

OpenVMS celebrates its 30th anniversary!

You may have noticed recently that VMS got mentioned a few times.  OpenVMS remains alive, despite people’s perceptions, because of a large (in numbers) user base and a proven track record for solid and stable performance and for security.  In fact, at DEFCON 9 (2001) a VMS system (in a “out of the box” configuration) proved unhackable.  The VAX, in comparison, is long gone (OpenVMS 8 does not support VAXes) and the Alpha was discontinued as of April 2007; OpenVMS on Itanium is the future (yes, OpenVMS 8 runs on Itanium!).

OpenVMS celebrates its 30th anniversary today.  In the future, as I start my journey towards becoming a VMS System Administrator, I’ll post some details here and there about VMS for new system administrators.

That won’t take away from the primary focus: UNIX and Linux.  However, UNIX does owe a lot to the VAX and to VMS: it was the VAX that the first UNIX virtual memory system was designed to take advantage of.  To this day, there are parts of UNIX that are a direct result of that first VAX implementation (of the memory management system).

Why Tomcat won’t start (with error in dependencyCheck)

Tags

7zip, batik, Windows

Under HP-UX (and apparently several other systems, including Windows), Cocoon won’t start up.  Cocoon is an XML-based system that implements the “separation of concerns” for web development and runs on top of Tomcat.

The Tomcat error logs (located in $CATALINA_BASE/logs/catalina.out) report the following:

SEVERE: Error in dependencyCheck
java.util.zip.ZipException: invalid entry size (expected 2472738816 but got 48 bytes)

Checking and rechecking the cocoon.war file reports no errors – and checking all of the *.jar files located in cocoon/WEB-INF/lib report no errors. There is has been much discussion about this specific error in various mail files, and someone even put it into the Cocoon FAQ on their wiki (without a satisfactory answer).

The only hint of a resolution was one message that suggested that the batik-all-1.5b2.jar file was corrupted. The Windows-based 7zip reported no errors on batik-all-1.5b2.jar (at 2080760 bytes), but extracting and repacking Batik (with 7zip on Windows XP Professional) fixed the problem. The repacked batik-all-1.5b2.jar was 2075222 bytes, and now it works.

Apparently this error has been around for quite some time (months at least); why it exists in HP-UX 11i v3 is beyond me.

Why df and du don’t report the same disk space used….

Sooner or later, you’re bound to come up against this mystery.  Once you understand it, it’s not that much of a mystery – but it does seem quite unusual until you understand it.

The utility df reports disk used and disk free from the disk’s internal information; that is, how many blocks on disk are marked as free, and how many are not.  The utility du, on the other hand, reports how much space the selected files take up on disk.

Consider:

• df reports blocks marked as used.
• du reports blocks used by files.

The discreprency comes in based on those two facts: there are blocks marked as used that are not used by files.

How can that be?  Well, the mystery shall be revealed: when a file is deleted, if another process has it open, that file is not marked as free (though it is no longer in the filesystem).  This file remains open by the other process, but is no longer discoverable in the filesystem directory structure – and its disk blocks remain in use.

Now you know.

Shared Libraries (HP-UX)

Tags

dynamic libraries, lib, library path, shlib

On occasion, it may happen that trying to run a binary may provide an error message like the following:

# screen -DR
/usr/lib/hpux32/dld.so: Unable to find library 'libtermcap.so'.
Killed

When a binary is loaded in UNIX (and Linux), shared libraries may need to be loaded (like the above example, libtermcap.so). Each version of UNIX has its own specific method of searching for libraries; specifically, this process is done by a program called ld.so or (on HP-UX) dld.so or similar. The Linux dynamic loader is part of the GNU libc libraries; the loader thus generally works the same across Linux distributions that use GNU libc.

Each program has an embedded library search path, in addition to the system search process. In HP-UX, there are several places that may influence the search for dynamic libraries:

• LD_LIBRARY_PATH (environment variable – standard PATH format)
• SHLIB_PATH (environment variable – standard PATH format – from /etc/SHLIB_PATH)
• LD_PRELOAD (environment variable – specifies library names)
• rpath (the executable’s embedded path, embedded at link time by ld)
• /etc/dld.sl.conf (one library directory per line)

The search can also be influenced by a number of factors:

• How the executable was linked and with which options
• Whether the executable is setguid or setuid
• Whether dld.sl.conf has the right permissions or not (must be writable only by root)
• Whether the system is PA-RISC or Itanium
• Whether the system is 32-bit or 64-bit
• What the settings of _HP_DLDOPTS are

On HP-UX for PA-RISC, the loader was dld.sl(5) and all the libraries had .sl extensions. On Itanium, the loader is dld.so(5). Both loaders are loaded and run by a “starter” program called crt0.o (although there are different versions for each architecture).

To get a view of the search process, use the ldd(1) command. Here is an example of successful ldd output:

# ldd `which screen`
libtermcap.so => /opt/termcap-1.3.1/lib/hpux32/libtermcap.so
libelf.so.1 => /usr/lib/hpux32/libelf.so.1
libc.so.1 => /usr/lib/hpux32/libc.so.1
libdl.so.1 => /usr/lib/hpux32/libdl.so.1

Note that if a library cannot be found by the HP-UX loader, an error will be returned about the missing library and nothing else will be reported. In HP-UX, the -s option to ldd provides a detailed list of what directories are being searched.

When you add libraries to the system, make sure to check the following:

• Does the library directory need to be in /etc/dld.sl.conf? The dld.sl.conf file is used as a very basic search path; it is used when security or other factors mandate that virtually no shared libraries be used. Note that both Itanium and PA-RISC systems use this file (that is, both dld.so and dld.sl check /etc/dld.sl.conf). If you put a directory into dld.sl.conf, it must also be in either SHLIB_PATH (through the use of /etc/SHLIB_PATH) or in LD_LIBRARY_PATH.
• Check file and path permissions. Libraries must not be world-writable, and the directories in the path must also not be world-writable – and almost certainly, none of these should be group-writable. Make sure that directories in the path are owned by root.
• Check the executable for setuid and setgid flags. If testing a shared library, check if the executable is setgid or setuid. If these are set, then the loader will strip down the shared library search to almost nil. Check if the library search directory needs to be put in /etc/dld.sl.conf.
• Check the permissions of /etc/dld.sl.conf. If this file is not writable only by root, then it will be ignored.
• Check SHLIB_PATH for directories contained in /etc/dld.sl.conf. If a search directory contained in /etc/dld.sl.conf is not located in either SHLIB_PATH (from /etc/SHLIB_PATH) or in LD_LIBRARY_PATH, then it is ignored.
• Is the directory fully specified from root? If a directory is not fully specified starting with ‘/’ then it wil be ignored.

When debugging the library search path, there are several utilities that can help. The aforementioned ldd -s command is one. Another is the _HP_DLDOPTS environment variable:

• _HP_DLDOPTS=”-symtab_stat” – get statistical information
• _HP_DLDOPTS=”-no_setuidpath” – disable all dynamic path lookup for setuid programs
• _HP_DLDOPTS=”-warnings” – display additional dynamic loader warning messages
• _HP_DLDOPTS=”-fbverbose” – related to fastbind(1)
• _HP_DLDOPTS=”-nofastbind” – related to fastbind(1)

In addition, Itanium systems and PA-RISC 64-bit systems will recognize the variable DLD_VERBOSE_ERR: when set to true, all error messages will be displayed.

When programming, it is also possible to manipulate the loader, including loading and unloading of shared libraries. The functions are:

• dlclose(3C)
• dlerror(3C)
• dlget(3C)
• dlgetname(3C)
• dlmodinfo(3C)
• dlopen(3C)
• dlsym(3C)
• shl_load(3X)

Next week I’ll talk about shared libraries on Linux.