User passwords may not be provided in pre-encoded form

One of the very first differences between the OpenDS and DSEE I have noticed
was the possibility of ldapmodifing the userPassword value. In OpenDS this feature is disabled by default.

$ ldapmodify -p 1389 -D cn=dirmgr -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
replace: userpassword
userpassword: {SSHA512}1g9Byn7MOZ1TgZCNY8gw4NA6o8UguyYg0b48d89zJS+AyIs9OP2rHfbZ6aaqTluryTh3Ux1ZW5RSWuTjH9wvtBxFXCxJzyt0

Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation failed
Result Code:  53 (Unwilling to Perform)
Additional Information:  User passwords may not be provided in pre-encoded form

$ ldapsearch -p 1389 -D cn=dirmgr -j ~/.odspwd -b cn=config "cn=Default Password Policy" ds-cfg-allow-pre-encoded-passwords
dn: cn=Default Password Policy,cn=Password Policies,cn=config
ds-cfg-allow-pre-encoded-passwords: false

$ ldapsearch -p 1389 -D cn=dirmgr -j ~/.odspwd -b cn=config "cn=Root Password Policy" ds-cfg-allow-pre-encoded-passwords
dn: cn=Root Password Policy,cn=Password Policies,cn=config
ds-cfg-allow-pre-encoded-passwords: false

I do not know the pro and con voices in this discussion, but for me there is only one disadvantage - the ability to observe
multiple instances of the same encoded password strings. And it is only the risk when the one who would notice this fact is the bad guy.
In contrast I see only the advantages.
So...

dn: cn=Root Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true

LDIF has been implemented.

$ encode-password -s SSHA512 -f ~/.odspwd
Encoded Password:  "{SSHA512}Gur7YkCGk4oP2sun+KqpXF4rB9wmzUgjhb3P6hBNmNRLBBQgTxSwLR5WuO41yytG9sUzslYc2HyUAM1otujRW+UkAOapbB7c"

$ ldapmodify -p 1389 -D cn=dirmgr -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
replace: userpassword
userpassword: {SSHA512}Gur7YkCGk4oP2sun+KqpXF4rB9wmzUgjhb3P6hBNmNRLBBQgTxSwLR5WuO41yytG9sUzslYc2HyUAM1otujRW+UkAOapbB7c

Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation successful for DN cn=odsmgr,cn=Root DNs,cn=config

$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.dspwd -b cn=config "cn=odsmgr" +
The simple bind attempt failed
Result Code:  49 (Invalid Credentials)
$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.odspwd -b cn=config "cn=odsmgr" +
dn: cn=odsmgr,cn=Root DNs,cn=config
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
modifyTimestamp: 20100927104857Z
createTimestamp: 20100924124513Z
pwdChangedTime: 20100927104857.435Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
entryDN: cn=odsmgr,cn=root dns,cn=config
entryUUID: 99296ddd-e705-468b-8112-afd19bb38821
hasSubordinates: false
subschemaSubentry: cn=schema
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=confi
 g
structuralObjectClass: inetOrgPerson
numSubordinates: 0

Directory Managers. Lots of Directory Managers.

Last week I have decided to take some OpenDS practise. The practical solving of a problem is better
then hundreds lines of reading about the others activity. At least that's the way I feel.
Task: Multiple the Directory Manager account to delegate administration without providing your secret password.

In theory it is possible without any problems.
The only requirement is the object class of ds-cfg-root-dn-user.
I have copied almost the all attributes from the current "root" account into a new one.

$ ldapsearch -p 1389 -D cn=dirmgr -j ~/.odspwd -b cn=config "cn=Directory Manager"
dn: cn=Directory Manager,cn=Root DNs,cn=config
sn: Manager
ds-cfg-alternate-bind-dn: cn=dirmgr
cn: Directory Manager
givenName: Directory
objectClass: ds-cfg-root-dn-user
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userpassword: {SSHA512}1g9Byn7MOZ1TgZCNY8gw4NA6o8UguyYg0b48d89zJS+AyIs9OP2rHfbZ6
 aaqTluryTh3Ux1ZW5RSWuTjH9wvtBxFXCxJzyt0


$ ldapmodify -p 1389 -D cn=dirmgr -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: add
objectClass: ds-cfg-root-dn-user
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: odsmgr
givenName: ODS
sn: Manager
userPAssword: secret

Processing ADD request for cn=odsmgr,cn=Root DNs,cn=config
ADD operation successful for DN cn=odsmgr,cn=Root DNs,cn=config

For the initial testing I have duplicated also the password.

$ ldappasswordmodify -p 1389 -D "cn=dirmgr" -j ~/.odspwd \
> -a "dn:cn=odsmgr,cn=Root DNs,cn=config" -c secret -N ~/.odspwd  
The LDAP password modify operation was successful

During the cut'n'copy session of ldapmodify I have omitted ds-cfg-alternate-bind-dn intentionally.
I thought the adjective "alternate" is self-explanatory.
Wrong!

$ ldapsearch -p 1389 -D cn=odsmgr -j ~/.odspwd -b cn=config cn=odsmgr
The simple bind attempt failed
Result Code:  49 (Invalid Credentials)

$ ldapmodify -p 1389 -D "cn=dirmgr" -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
add: ds-cfg-alternate-bind-dn
ds-cfg-alternate-bind-dn: cn=odsmgr

Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation successful for DN cn=odsmgr,cn=Root DNs,cn=config

$ ldapsearch -p 1389 -D cn=odsmgr -j ~/.odspwd -b cn=config cn=odsmgr
dn: cn=odsmgr,cn=Root DNs,cn=config
sn: Manager
ds-cfg-alternate-bind-dn: cn=odsmgr
cn: odsmgr
givenName: ODS
objectClass: top
objectClass: ds-cfg-root-dn-user
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
userPassword: {SSHA}gF7nQ6N6gmpuufM1/8FemlwH1/HikScaVOlP3Q==

Why not to test a case with multiple ds-cfg-alternate-bind-dn attibute values.

$ ldapmodify -p 1389 -D "cn=dirmgr" -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
add: ds-cfg-alternate-bind-dn
ds-cfg-alternate-bind-dn: cn=dsmgr

Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation successful for DN cn=odsmgr,cn=Root DNs,cn=config

$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.odspwd -b cn=config cn=odsmgr
dn: cn=odsmgr,cn=Root DNs,cn=config
ds-cfg-alternate-bind-dn: cn=odsmgr
ds-cfg-alternate-bind-dn: cn=dsmgr
sn: Manager
cn: odsmgr
givenName: ODS
objectClass: ds-cfg-root-dn-user
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userPassword: {SSHA}gF7nQ6N6gmpuufM1/8FemlwH1/HikScaVOlP3Q==

But wait a minute. Why the userPassword value is encoded with a SSHA password scheme, while
the Directory Manager and the default root scheme is pointing to SSHA512.

$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.odspwd -b cn=config cn="Directory Manager" userpassword
dn: cn=Directory Manager,cn=Root DNs,cn=config
userpassword: {SSHA512}1g9Byn7MOZ1TgZCNY8gw4NA6o8UguyYg0b48d89zJS+AyIs9OP2rHfbZ6
 aaqTluryTh3Ux1ZW5RSWuTjH9wvtBxFXCxJzyt0
 
$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.dspwd -b cn=config "cn=Root Password Policy" \
> ds-cfg-default-password-storage-scheme
dn: cn=Root Password Policy,cn=Password Policies,cn=config
ds-cfg-default-password-storage-scheme: cn=Salted SHA-512,cn=Password Storage Sc
 hemes,cn=config 

The answer has come with the hint from Ludovic Poitou.
The virtual attribute of ds-pwp-password-policy-dn should be set explicitly.

$ ldapmodify -p 1389 -D cn=dsmgr -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config

Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation successful for DN cn=odsmgr,cn=Root DNs,cn=config

$ openssl rand -base64 12 > ~/.dspwd

$ ldappasswordmodify -p 1389 -D cn=dsmgr -j ~/.odspwd -a "cn=odsmgr,cn=Root DNs,cn=config" \
> -C ~/.odspwd -N ~/.dspwd
The LDAP password modify operation was successful

$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.dspwd -b cn=config cn=odsmgr userpassword
dn: cn=odsmgr,cn=Root DNs,cn=config
userpassword: {SSHA512}BxvZzrhuVpwOv6FMc9sI1infjPC7PQ0dXXdry4ZLNgq6FJbjCVfSiLwBO
 A1uzaXAscS7pkNbfkP4hG11L9DTPsRfpusta+4x

Nice.

Custom Service Packages

During each subsequent comms implementation I forget one or more steps from the following recipe.
So, here comes the milestones to remember.
For the complete documentation refer to the wikis.sun.com.

Template for basic set of packages - da.cos.skeleton.ldif can be found in directory:
/opt/sun/comms/da/lib/config-templates/
on Delegated Administrator default installation path.

Usually I use only the packages for MailUser, MailCalendarUser and MailGroup.
After the customization the file might look like:

dn: cn=wisniosMailUser,o=mailuser,o=cosTemplates,o=root
changetype: add
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
cn: wisniosMailUser
mailMsgMaxBlocks: 5000
mailAllowedServiceAccess: +imap,imaps,pop,pops,smtp,smtps,http,smime:ALL
daServiceType: mail user

dn: cn=wisniosMailCalendarUser,o=mailcalendaruser,o=cosTemplates,o=root
changetype: add
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
cn: wisniosMailCalendarUser
mailMsgMaxBlocks: 5000
mailAllowedServiceAccess: +imap,imaps,pop,pops,smtp,smtps,http,smime:ALL
daServiceType: calendar user
daServiceType: mail user

dn: cn=wisniosMailGroup,o=mailgroup,o=cosTemplates,o=root
changetype: add
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
cn: wisniosMailGroup
mailMsgMaxBlocks: 5000
daServiceType: mail group

Dry run:

# ldapmodify -p 1389 -D cn=dirmgr -j /root/.dspwd -n -f da.cos.wisnios.ldif 
!adding new entry cn=wisniosMailUser,o=mailuser,o=cosTemplates,o=root

!adding new entry cn=wisniosMailCalendarUser,o=mailcalendaruser,o=cosTemplates,o=root

!adding new entry cn=wisniosMailGroup,o=mailgroup,o=cosTemplates,o=root

Wet run:

# ldapmodify -p 1389 -D cn=dirmgr -j /root/.dspwd -f da.cos.wisnios.ldif 
adding new entry cn=wisniosMailUser,o=mailuser,o=cosTemplates,o=root

adding new entry cn=wisniosMailCalendarUser,o=mailcalendaruser,o=cosTemplates,o=root

adding new entry cn=wisniosMailGroup,o=mailgroup,o=cosTemplates,o=root

Check:

# ldapsearch -p 1389 -D cn=dirmgr -j /root/.dspwd -b o=cosTemplates,o=root \
> "(&(cn=wisnios*)(objectclass=LDAPsubentry))" daServiceType
version: 1
dn: cn=wisniosMailUser,o=mailuser,o=cosTemplates,o=root
daServiceType: mail user

dn: cn=wisniosMailCalendarUser,o=mailcalendaruser,o=cosTemplates,o=root
daServiceType: calendar user
daServiceType: mail user

dn: cn=wisniosMailGroup,o=mailgroup,o=cosTemplates,o=root
daServiceType: mail group

To make sure that the changes (packages) will be visible restart the app/web container.

How to automate the SpamAssassin feeding

This post is my answer to the Sun Wikis' entry about Enabling Anti-Spam functionality in Convergence.

Technologies used:
Messaging Server
SpamAssassin
RBAC - execution profiles

Messaging Server use the two variables to hold the email accounts for feeding anti-spam system
with the positive and false positive spam messages:

• service.feedback.spam


• service.feedback.notspam

But there is no embedded mechanism to deal with them.
Here comes my solution.

Every time the Convergence user marks the spam (ot not spam), with the appropriate button from its interface,
the mail is being sent to the address provided within the configuration.
The email messages accumulate in the accounts and waiting for the action.

Scenario:

• fetching messages from spam account


• teaching spamassassin with spam


• cleaing INBOX folder


• fetching messages from notspam account


• teaching SA with ham


• cleaning account

Methods:

• fetching messages from spam account




1. imsexport




• teaching spamassassin with spam




1. sa-learn --spam




• cleaing INBOX folder




1. mboxutil -d


2. mboxutil -c




• fetching messages from notspam account




1. imsexport




• teaching SA with ham




1. sa-learn --ham




• cleaning account




1. mboxutil -d


2. mboxutil -c

Due to a fact the script will be invoked by root account, to get the access either to imsexport files or sa-learn with valid Bayes DB,
I have decided to use one of the Solaris RBAC mechanisms - profiles.

I would not describe the profile creation step-by-step, because the learning by example is much more valuable.

# /usr/sadm/bin/smexec add -H localhost -u root -- \
-n "SpamAssassin Administration" -t cmd -c /export/home/sa/bin/sa-learn -U 105 -G 102
Authenticating as user: root

Type /? for help, pressing  accepts the default denoted by [ ]
Please enter a string value for: password ::
There is no Solaris Management Console Server running on localhost.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
\
# svcadm enable wbem

# /usr/sadm/bin/smexec add -H localhost -u root -- \
-n "SpamAssassin Administration" -t cmd -c /export/home/sa/bin/sa-learn -U 105 -G 102
Authenticating as user: root

Type /? for help, pressing  accepts the default denoted by [ ]
Please enter a string value for: password ::
Loading Tool: com.sun.admin.usermgr.cli.execs.UserMgrExecCli from localhost
Login to localhost as user root was successful.
Download of com.sun.admin.usermgr.cli.execs.UserMgrExecCli from localhost was successful.
You have entered a non-existent right SpamAssassin Administration.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
\
# cd /usr/lib/help/profiles/locale/C
# cat RtSAAdmin.html
< HTML >
< HEAD >
< TITLE >< /TITLE >
< /HEAD >
< BODY >
SpamAssassin Administration right allows the user or role SA management.
< /BODY >
< /HTML >

^^^^^
Spaces has been added to HTML tags in due to blogspot problems with handling this kind of stuff within the post body.

# /usr/sadm/bin/smprofile add -H localhost -u root -- \
-n "SpamAssassin Administration" -d "Manage SpamAssassin" -m RtSAAdmin.html
Authenticating as user: root

Type /? for help, pressing  accepts the default denoted by [ ]
Please enter a string value for: password ::
Loading Tool: com.sun.admin.usermgr.cli.profile.UserMgrProfCli from localhost
Login to localhost as user root was successful.
Download of com.sun.admin.usermgr.cli.profile.UserMgrProfCli from localhost was successful.

# tail -1 /etc/security/prof_attr
SpamAssassin Administration:::Manage SpamAssassin:help=RtSAAdmin.html
 
# /usr/sadm/bin/smexec add -H localhost -u root -- \
-n "SpamAssassin Administration" -t cmd -c /export/home/sa/bin/sa-learn -U 105 -G 102
Authenticating as user: root

Type /? for help, pressing  accepts the default denoted by [ ]
Please enter a string value for: password ::
Loading Tool: com.sun.admin.usermgr.cli.execs.UserMgrExecCli from localhost
Login to localhost as user root was successful.
Download of com.sun.admin.usermgr.cli.execs.UserMgrExecCli from localhost was successful.

# tail -1 /etc/security/exec_attr
SpamAssassin Administration:solaris:cmd:::/export/home/sa/bin/sa-learn:uid=105;gid=102

So, running sa-learn by the user / role with "SpamAssassin Administration" profile assigned
allow access to bayes DB files with the proper rights.
Examples can be seen in the script code provided below.

#!/usr/bin/ksh
#------------------------------------
# sa-feed.ksh
#  feed SpamAssassin with {NOT}SPAM
#   from file in mbox format
#====================================
# author: Marcin Wisnios
# e-mail: wisnios at wisnios dot com
#------------------------------------
PATH=$PATH:/opt/sun/comms/messaging64/bin:/export/home/sa/bin

TDIR=$(mktemp -td)                                      # temporary directory
FILE=$TDIR/INBOX                                        # mbox file
MUSR=$(ps -o user -p $(pgrep -nf dispatcher) | tail -1) # messaging server runtime user
SUSR=$(ps -o user -p $(pgrep -nf spamd) | tail -1)      # spamassassin runtime user
SPAM=$(configutil -o service.feedback.spam)             # feedback account for spam
NOTSPAM=$(configutil -o service.feedback.notspam)       # feedback account for not spam
BDBL=/export/home/sa/.spamassassin                      # Bayes DB location
SALEARN="pfexec sa-learn --dbpath $BDBL"                # fixed part of sa-learn invocation

chown $MUSR $TDIR
chmod 0755 $TDIR

imsexport -s INBOX -d $TDIR -u $SPAM


[ -f $FILE ] && {
        chown $SUSR $FILE

        NSPAM_BEFORE=$($SALEARN --dump magic 2> /dev/null | grep nspam | awk '{print $3}')
        $SALEARN --mbox --spam $FILE 2> /dev/null &&\
        NSPAM_AFTER=$($SALEARN --dump magic 2> /dev/null | grep nspam | awk '{print $3}')

        [ $NSPAM_BEFORE -lt $NSPAM_AFTER ] && {
                mboxutil -d user/$SPAM/INBOX
                mboxutil -c user/$SPAM/INBOX
        }

        rm $FILE
}

imsexport -s INBOX -d $TDIR -u $NOTSPAM

[ -f $FILE ] && {
        chown $SUSR $FILE

        NHAM_BEFORE=$($SALEARN --dump magic 2> /dev/null | grep nham | awk '{print $3}')
        $SALEARN --mbox --ham $FILE 2> /dev/null &&\
        NHAM_AFTER=$($SALEARN --dump magic 2> /dev/null | grep nham | awk '{print $3}')

        [ $NHAM_BEFORE -lt $NHAM_AFTER ] && {
                mboxutil -d user/$NOTSPAM/INBOX
                mboxutil -c user/$NOTSPAM/INBOX
        }
}

[ -d $TDIR ] && rm -rf $TDIR

Run the script in a way you like.
I put it directly to a crontab. Root's crontab.

Enjoy.

crle and missing libusb.so.1 library

Today I have installed SpamAssassin from a tar.gz archive on Solaris 10 10/09.
Though everything looked fine I faced the problem with invocation of sa-update - SpamAssassin rules updater.

$ sa-update
ld.so.1: gpg: fatal: libusb.so.1: open failed: No such file or directory
Killed
ld.so.1: gpg: fatal: libusb.so.1: open failed: No such file or directory
Killed
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
$ gpg
ld.so.1: gpg: fatal: libusb.so.1: open failed: No such file or directory
Killed

(gnupg has been installed from a package from sunfreeware.com, but it was not a problem)

Quick truss session:

# truss gpg
[...]
stat64("/usr/local/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/usr/local/ssl/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/usr/openwin/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/usr/lib/libusb.so.1", 0x080473A0)      Err#2 ENOENT
stat64("/usr/X11R6/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/usr/local/BerkeleyDB.4.7/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/lib/libusb.so.1", 0x080473A0)          Err#2 ENOENT
stat64("/usr/lib/libusb.so.1", 0x080473A0)      Err#2 ENOENT
ld.so.1: gpg: fatal: libusb.so.1: open failed: No such file or directory
[...]

find lookup:

# find /usr -name libusb.so.1
/usr/sfw/lib/libusb.so.1

...and I had to change the default library path.
The tool - crle - runtime linking environment configurator, was taken as the only fair solution.
Do not want to reproduce the manual pages, so, below is the syntax I had used.
Checking the current options:

# crle

Configuration file [version 4]: /var/ld/ld.config  
  Default Library Path (ELF):   /lib:/usr/lib  (system default)
  Trusted Directories (ELF):    /usr/lib/secure:/opt/sun/comms/calendar/SUNWics5/cal/lib

Command line:
  crle -c /var/ld/ld.config -s /usr/lib/secure:/opt/sun/comms/calendar/SUNWics5/cal/lib

Complementation of default library path:

# crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/sfw/lib -s /usr/lib/secure:/opt/sun/comms/calendar/SUNWics5/cal/lib

[CHECK]
# crle
Configuration file [version 4]: /var/ld/ld.config  
  Default Library Path (ELF):   /lib:/usr/lib:/usr/sfw/lib
  Trusted Directories (ELF):    /usr/lib/secure:/opt/sun/comms/calendar/SUNWics5/cal/lib

Command line:
  crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/sfw/lib -s /usr/lib/secure:/opt/sun/comms/calendar/SUNWics5/cal/lib
# exit
$ gpg
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: directory `/export/home/sa/.gnupg' created
gpg: new configuration file `/export/home/sa/.gnupg/gpg.conf' created
gpg: WARNING: options in `/export/home/sa/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/export/home/sa/.gnupg/secring.gpg' created
gpg: keyring `/export/home/sa/.gnupg/pubring.gpg' created
gpg: Go ahead and type your message ...
^C
gpg: signal 2 caught ... exiting
$ sa-update
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
$

Final notes
The syntax being used could be shortened to a form of:

# crle -u -l /usr/sfw/lib

where -u stands for existing configuration (file /var/ld/ld.config) update.
But be aware that by omitting the -u argument you turn your box into soldered fish tin, until you turn the other directories to the default path.

# crle -l /usr/sfw/lib
# init
ld.so.1: init: fatal: libpam.so.1: open failed: No such file or directory
Killed
# crle -u -l /lib -l /usr/lib -l /usr/sfw/lib
# init
Usage: init [0123456SsQqabc]
#

svclog

Everytime I have to check the SMF log file quickly I suffer.
I suffer in due to lack of simple method which I would provide you today with.

C'n'P:

#!/usr/bin/ksh
#------------------------------------
# svclog
#  ...run for your logs
#====================================
# author: Marcin Wisnios
# e-mail: wisnios at wisnios dot com
#------------------------------------

svcs $1 > /dev/null 2>&1
if [ $? -eq 1 ]; then
        echo "No match."
        exit
fi

if [ ! -z $1 ]; then
        LOG=$(svcs -l $1 | sed 's/logfile[ ]*\(.*\)/\1/p;d')
        echo "\n\t\t${LOG}\n"
else
        echo "Usage: $0 FMRI [n]"
        echo "n - number of lines to display"
        exit
fi

if [ ! -z $2 ]; then
        tail -$2 ${LOG}
else
        tail -f ${LOG}
fi

Save as, for ex. /usr/local/bin/svclog and... run for your logs:

# svclog ds 3

                /var/svc/log/application-sun-ds:default.log

Waiting for Directory Server instance '/instances/ds1' to start...
Directory Server instance '/instances/ds1' started: pid=434
[ Jun  7 16:53:00 Method "start" exited with status 0 ]
# svclog ms

                /var/svc/log/application-sun-ms:default.log

Stopping dispatcher server 593 ... done
Stopping sched server 591 ... done
Stopping http server 590 ... done
Stopping pop server 589 ...... done
Stopping imap server 588 ... done
Stopping purge server 587 ... done
Stopping store server 584 .... done
Stopping watcher 583 ... done
[ Jun  7 23:40:12 Method "stop" exited with status 0 ]
[ Jun  7 23:40:12 Executing start method ("/opt/sun/comms/messaging64/bin/start-msg") ]
Connecting to watcher ...
Launching watcher ... 1463
Starting store server .... 1464
Checking store server status .....
- CUT -

Enjoy.

fc-fabric(ation) of server's dysfunction

Do you like minimization? I do.
But sometimes you can go one bridge too far.

Today I have switched off the set of useless services.
One after one...
Do I need... No!
Do I need... No!
Do I need Fibre Channel Fabric device support? No.

$ svcadm disable fc-fabric

Another one bites the dust.

After the couple of hours I decided to reboot the server to check its readiness to serve.
And... it failed.



Of course at the moment of failure I dit not realize it was caused by service unavailability of fc-fabric.
Unnecessary stress.

The solution has been revealed during the dependencies check.



Keep this in mind.