Evernote drop-down font list

“Evernote is a suite of software and services designed for notetaking and archiving. A “note” can be a piece of formatted text, a full webpage or webpage excerpt, a photograph, a voice memo, or a handwritten “ink” note. Notes can also have file attachments. Notes can be sorted into folders, then tagged, annotated, edited, given comments, searched and exported as part of a notebook. Evernote supports a number of operating system platforms (including Microsoft Windows, Mac OS X, Chrome OS, Android, iOS, Windows Phone, and WebOS), and also offers online synchronization and backup services.” — Wikipedia (English) entry retrieved 08-JAN-2012

Evernote is a useful application for taking and making notes. On the Mac, the list of fonts in a note’s drop-down list is taken from the “Web” font collection. To add fonts to that drop-down list, open the Font Book application and add them to the “Web” collection. For example, to add more fixed-width fonts, make the “Web” collection look like this:

[Image: the Font Book “Web” collection]

Restart Evernote if it is already running; the drop-down list should then look like this:

[Image: the Evernote font drop-down list after the change]


LDAP: Using parallel-update for concurrent multiple updates

For applying a small number of changes, ldapmodify is satisfactory. For a large number of changes, parallel-update has the capability of applying multiple changes simultaneously using an operator-provided number of threads. The following example uses 1024 threads to apply 1,000,000 changes in 156 seconds:

parallel-update --hostname ldap.example.com \
                --port 389                  \
                --bindDN cn=RootDN          \
                --bindPassword password     \
                --rejectFile rejects.ldif   \
                --numThreads 1024           \
                --ldifFile changes.ldif
 Attempts Successes   Rejects   ToRetry  AvgOps/S  RctOps/S  AvgDurMS  RctDurMS
--------- --------- --------- --------- --------- --------- --------- ---------
     2421      2421         0         0       483       483        11        11
    27565     27565         0         0      2752      5018        11        11
    61828     61828         0         0      4115      6838        10         9
    92657     92657         0         0      4625      6153         9         9
   127157    127157         0         0      5077      6886        10        10
   161335    161335         0         0      5368      6821         9         7
   193517    193517         0         0      5519      6423         9         9
   221584    221584         0         0      5529      5602        12        28
   253812    253812         0         0      5629      6432        12        11
   288367    288367         0         0      5756      6895        11         8
   321482    321482         0         0      5834      6609        11        11
   354634    354634         0         0      5899      6618        11         8
   392753    392753         0         0      6030      7607        11         8
   420788    420788         0         0      5999      5596        11        17
   455094    455094         0         0      6056      6843        11        11
   490436    490436         0         0      6118      7054        11         8
   524579    524579         0         0      6159      6817        11         7
   556483    556483         0         0      6171      6366        11         9
   588915    588915         0         0      6187      6473        10         8
   623031    623031         0         0      6218      6809        10        11
   655533    655533         0         0      6231      6490        11        19
   688598    688598         0         0      6247      6599        11         8
   724066    724066         0         0      6284      7079        11         9
   759697    759697         0         0      6318      7110        11         8
   794089    794089         0         0      6340      6864        10         8
   829215    829215         0         0      6366      7012        10        11
   861592    861592         0         0      6369      6461        11        14
   895619    895619         0         0      6384      6791        10         7
   930062    930062         0         0      6401      6872        10         9
   962579    962579         0         0      6404      6493        10        14
   995666    995666         0         0      6411      6605        10         7
Reached the end of the LDIF file
  1000004   1000004         0         0      6384      3298        10        12
All processing complete
Attempted 1000004 operations in 156 seconds

This tool is superior to bulkmodify because parallel-update can be used to modify any attribute. bulkmodify cannot be used to modify dn, cn, and other attributes, it has some important limitations where multi-valued attributes are involved, and it does not accept an LDIF file as input. These limitations reduce the effectiveness and usability of bulkmodify; use parallel-update instead.


LDAP: Using authrate to measure authentication performance

Use the authrate command line tool to measure authentication performance of a directory server.

The example below illustrates how to execute searches and binds against an LDAP directory server. The example:

  • searches for and binds as random entries in the range uid=user.0 through uid=user.1000000
  • uses the password "password" for every bind
  • runs 256 threads simultaneously
  • reports measurements at 1 second intervals
  • uses a 5 minute “warmup” period before statistics are collected
  • runs for 1 hour (3600 seconds) plus the 5 minute warmup
  • uses SIMPLE authentication

authrate --hostname ldap.example.com -p 389  \
         --baseDN dc=example,dc=com          \
         --filter 'uid=user.[0-1000000]'     \
         --credentials password              \
         --scope sub                         \
         --attribute uid                     \
         --authType SIMPLE                   \
         --numThreads 256                    \
         --intervalDuration 1                \
         --warmupIntervals 300               \
         --csv                               \
         --numIntervals 3600
Recent Auths/Sec,Recent Avg Dur ms,Recent Errors/Sec,Overall Auths/Sec,Overall Avg Dur ms
36526.782,5.658,0.000,warming up,warming up
18490.217,16.509,0.000,warming up,warming up
46487.706,5.506,0.000,warming up,warming up
46122.294,5.547,0.000,warming up,warming up
46891.769,5.403,0.000,warming up,warming up
46885.624,5.511,0.000,warming up,warming up
...
Warm-up completed.  Beginning overall statistics collection.
46727.472,5.478,0.000,46727.472,5.478
46395.864,5.517,0.000,46561.585,5.498
46635.677,5.486,0.000,46586.274,5.494
45997.237,5.564,0.000,46438.944,5.511
45708.767,5.599,0.000,46292.996,5.529
...

LDAP: Example of Processing Time Histogram

The UnboundID Directory Server provides a breakdown, by processing time, of the LDAP operations that have been processed by the server. Below is an example of the processing time histogram from the directory server monitor:

[Image: processing time histogram from the directory server monitor, screen shot of 7 December 2012]

The following ldapsearch example shows how to retrieve information about search operations (this example uses the legacy OpenLDAP ldapsearch syntax):

ldapsearch -h ldap.example.com -p 389 -D cn=RootDN -x \
        -b 'cn=processing time histogram,cn=monitor' -LLL \
        '(&)' searchOpsTotalCount searchOpsPercent \
        searchOpsAggregatePercent
dn: cn=processing time histogram,cn=monitor
searchOpsTotalCount: 490186258
searchOpsPercent: Less than 1ms: 99.7966%
searchOpsPercent: Between 1ms and 2ms: 0.1073%
searchOpsPercent: Between 2ms and 3ms: 0.0159%
searchOpsPercent: Between 3ms and 5ms: 0.0164%
searchOpsPercent: Between 5ms and 10ms: 0.0294%
searchOpsPercent: Between 10ms and 20ms: 0.0334%
searchOpsPercent: Between 20ms and 30ms: 0.0007%
searchOpsPercent: Between 30ms and 50ms: 0.0000%
searchOpsPercent: Between 50ms and 100ms: 0.0000%
searchOpsPercent: Between 100ms and 1000ms: 0.0002%
searchOpsPercent: At least 1000ms: 0.0000%
searchOpsAggregatePercent: Less than 1ms: 99.7966%
searchOpsAggregatePercent: Between 1ms and 2ms: 99.9039%
searchOpsAggregatePercent: Between 2ms and 3ms: 99.9198%
searchOpsAggregatePercent: Between 3ms and 5ms: 99.9362%
searchOpsAggregatePercent: Between 5ms and 10ms: 99.9657%
searchOpsAggregatePercent: Between 10ms and 20ms: 99.9991%
searchOpsAggregatePercent: Between 20ms and 30ms: 99.9997%
searchOpsAggregatePercent: Between 30ms and 50ms: 99.9998%
searchOpsAggregatePercent: Between 50ms and 100ms: 99.9998%
searchOpsAggregatePercent: Between 100ms and 1000ms: 100.0000%
searchOpsAggregatePercent: At least 1000ms: 100.0000%
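As an added example (not part of the original post and not an UnboundID tool), the Python below parses the searchOpsAggregatePercent attributes shown above and answers the questions an operator usually has about them: under which bucket edge did 99.9% or 99.99% of searches complete, and roughly how many searches took 20 ms or longer. The sample input is a constructed copy of the output above; the `op` prefix is assumed to follow the same naming for the other operation types in that entry.

```python
import math
import re

# Constructed sample: the total and aggregate lines from the ldapsearch output shown above.
SAMPLE = """\
searchOpsTotalCount: 490186258
searchOpsAggregatePercent: Less than 1ms: 99.7966%
searchOpsAggregatePercent: Between 1ms and 2ms: 99.9039%
searchOpsAggregatePercent: Between 2ms and 3ms: 99.9198%
searchOpsAggregatePercent: Between 3ms and 5ms: 99.9362%
searchOpsAggregatePercent: Between 5ms and 10ms: 99.9657%
searchOpsAggregatePercent: Between 10ms and 20ms: 99.9991%
searchOpsAggregatePercent: Between 20ms and 30ms: 99.9997%
searchOpsAggregatePercent: Between 30ms and 50ms: 99.9998%
searchOpsAggregatePercent: Between 50ms and 100ms: 99.9998%
searchOpsAggregatePercent: Between 100ms and 1000ms: 100.0000%
searchOpsAggregatePercent: At least 1000ms: 100.0000%
"""

def _upper_ms(label):
    """Upper edge of a bucket label in ms; the open top bucket ('At least ...') is infinite."""
    if label.startswith("At least"):
        return math.inf
    return float(re.findall(r"(\d+)ms", label)[-1])

def parse_histogram(text, op="searchOps"):
    """Return (total_count, [(upper_ms, aggregate_percent), ...]) for one operation type."""
    total, buckets = 0, []
    for line in text.splitlines():
        if line.startswith(f"{op}TotalCount: "):
            total = int(line.split(": ", 1)[1])
        elif line.startswith(f"{op}AggregatePercent: "):
            _, label, pct = line.split(": ", 2)
            buckets.append((_upper_ms(label), float(pct.rstrip("%"))))
    if any(a > b for (_, a), (_, b) in zip(buckets, buckets[1:])):
        raise ValueError("aggregate percentages must be non-decreasing")
    return total, buckets

def latency_bound_ms(buckets, percentile):
    """Smallest bucket edge (ms) under which at least `percentile` % of operations completed."""
    for upper, aggregate in buckets:
        if aggregate >= percentile:
            return upper
    return math.inf

def ops_at_least(total, buckets, ms):
    """Approximate count of operations that took `ms` or longer (4-decimal rounding limits accuracy)."""
    done = max((a for u, a in buckets if u <= ms), default=0.0)
    return round(total * (100.0 - done) / 100.0)
```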

LDAP: Authentication Best Practices

LDAP: Authentication Best Practices is now available. This page offers best practices and hints from my experience with customer LDAP deployments over the last 15 years.


Quick setup for Tomcat manager authentication using LDAP

  1. Purpose
  2. Steps
    1. Create users in the Directory Server database
    2. Create JNDI realm in the Tomcat configuration
    3. Restart Tomcat
  3. Notes


Tomcat’s manager is not enabled by default. This entry shows a quick setup for the Tomcat manager using LDAP. The steps involved are:

  1. Create users in the Directory Server database
  2. Create a JNDIRealm in server.xml
  3. Restart Tomcat

Create users in the Directory Server database

The following three entries are used by the realm example. Note that the entry "cn=manager,ou=apache,ou=people,dc=example,dc=com" has an objectClass attribute with the value extensibleObject. The extensibleObject objectClass allows any attribute to be added to an entry, including attributes that are not defined in the Directory Server schema. The entry "cn=manager,ou=apache,ou=people,dc=example,dc=com" has an attribute "tomcatRole" that holds the role needed by the Tomcat JNDIRealm. Using the extensibleObject objectClass is not the best idea in the world, though; its use is reminiscent of the FORTRAN garbage common block. Any legal attribute could have been used, and which attribute is used is set in the JNDIRealm.


ldapsearch --propertiesFilePath ds-setup/cfg-connect.properties \
   --baseDn ou=people,dc=example,dc=com --searchScope sub '(&)' 

dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
userPassword: {SSHA512}pa1nS0ams9V7kmu4WQ6CDZ2iKMwBZhxco7I12+Olb7U4pnS0f6bUHdt2n
 27N8My6p3Rwu1aERgza2ihTES1FZSglW1k0rehr
ou: people
description: The ou=people entry is the top of a tree containing user entries.

dn: ou=apache,ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
userPassword: {SSHA512}XhfZEcr/YJI1ZanGYYuycQmHySry8E2nQRuPx9wzcqPmjko+jX2dLNko7
 GXKAlzmRJy6juEWHMvTP9QWIw2ilI/BAzxnZlqa
ou: apache
description: The ou=apache entry is used by the Tomcat application server to aut
 henticate to the Directory Server

dn: cn=manager,ou=apache,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: extensibleObject
cn: manager
cn: Tomcat manager
sn: Tomcat
userPassword: {SSHA512}nEO6fX0BKVFD0ff1K9Yi/KEA8Kg+iZBkQ5BaRvLUVXb5DQXh9V0XpZsgK
 mxcnp0pVesGkjFVZBaM/pxRPx+MgDNROIGniJ56
tomcatRole: manager-gui
description: The cn=manager entry is a user with Tomcat manager-gui access

An access control instruction (ACI) may also be necessary:


ldapsearch --propertiesFilePath ds-setup/cfg-connect.properties \
    --baseDn dc=example,dc=com --searchScope base '(&)' aci

dn: dc=example,dc=com
aci: (targetattr="*")(version 3.0; acl "access to description attribute for tomc
 at"; allow(all) userdn="ldap:///ou=apache,ou=people,dc=example,dc=com";)

Create JNDI realm in the Tomcat configuration

The realm below uses:

  • hostname ldap.example.com and port 10389
  • "ou=apache,ou=people,dc=example,dc=com" as the entry the Tomcat server authenticates to the directory server with (connectionName)
  • "tomcatRole" as the name of the attribute whose value is the Tomcat role (“manager-gui”)
  • "cn={0},ou=apache,ou=people,dc=example,dc=com" as the pattern for base-level user searches

      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://ldap.example.com:10389"
               connectionName="ou=apache,ou=people,dc=example,dc=com"
               connectionPassword="password"
               userPattern="cn={0},ou=apache,ou=people,dc=example,dc=com"
               userRoleName="tomcatRole" />
      </Realm>

Notes

  1. A pre-encoded password could be used in the realm, but the LDAP server would have to be configured to accept pre-encoded passwords, which is not recommended because the LDAP server could not check pre-encoded passwords for quality and history. The method shown in the realm example is not secure because the password is in the clear and SSL is not used.
  2. IMPROVEMENT: SSL should be used for the authentication (the sample does not use SSL)
  3. The LDAP server is configured to use the extremely strong SHA-2 512 salted password storage scheme, which is superior to a reversible scheme such as AES
  4. IMPROVEMENT: the "extensibleObject" should not be used unless there is no other way to accomplish the task
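Added example, not part of the original post and not Tomcat code: a small audit of a JNDIRealm in server.xml that flags the weaknesses the notes describe (plain ldap://, clear-text connectionPassword, roles read from a non-schema attribute) and checks that the realm is wrapped in a LockOutRealm. The XML is a constructed copy of the realm above; the attribute names (connectionURL, connectionPassword, userRoleName, roleSearch) are Tomcat's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the realm from this post as it would appear inside server.xml.
SERVER_XML = """\
<Server><Service><Engine>
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://ldap.example.com:10389"
           connectionName="ou=apache,ou=people,dc=example,dc=com"
           connectionPassword="password"
           userPattern="cn={0},ou=apache,ou=people,dc=example,dc=com"
           userRoleName="tomcatRole" />
  </Realm>
</Engine></Service></Server>
"""

def audit_jndi_realms(xml_text):
    """Return one finding per weak setting in each JNDIRealm (empty list means nothing flagged)."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for realm in parent.findall("Realm"):
            if not realm.get("className", "").endswith(".JNDIRealm"):
                continue
            url = realm.get("connectionURL", "")
            if urlparse(url).scheme != "ldaps":
                findings.append(f"connectionURL {url!r}: plain LDAP, so the service bind and every "
                                "user's password cross the network in the clear; use ldaps://")
            if realm.get("connectionPassword"):
                findings.append("connectionPassword: service account password kept in clear text in "
                                "server.xml; restrict the file's permissions and rotate the password")
            if not parent.get("className", "").endswith(".LockOutRealm"):
                findings.append("JNDIRealm is not wrapped in a LockOutRealm, so repeated failed "
                                "logins to the manager are never locked out")
            role_attr = realm.get("userRoleName")
            if role_attr and not realm.get("roleSearch"):
                findings.append(f"roles read from per-user attribute {role_attr!r}: if it is only "
                                "legal via extensibleObject, prefer roleBase/roleSearch against a group")
    return findings
```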

LDAP: Unsolicited Notification

LDAP is a request-response protocol with the exception of the unsolicited notification. The unsolicited notification is a transmission from the server to a connected LDAP client. LDAP clients should be prepared to handle the unsolicited notification because the notification is sent when an extraordinary condition has transpired. LDAP clients that do not handle unsolicited notifications risk not receiving important information from the server.

The unsolicited notification is transmitted in the form of an extended response.

Notice of Disconnection

One standardized notification is the notice of disconnection. The object identifier contained in the extended response is 1.3.6.1.4.1.1466.20036, the response value field is absent, and the result code contains the reason for the disconnection.

Aborted Transaction Notification

The LDAP transactions extension provides a notification for aborted transactions.

Example

The class UnsolicitedNotification.java shows how to use the UnboundID LDAP SDK to handle an unsolicited notification.
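Added example in Python, not the post's UnsolicitedNotification.java and not UnboundID SDK code: what an unsolicited notification looks like on the wire and how a client can recognize it. Per RFC 4511 it is an ExtendedResponse inside an LDAPMessage whose messageID is 0; the block constructs a sample notice of disconnection and decodes it. The BER helpers assume the definite-length encodings LDAP uses, and the aborted transaction OID is the one RFC 5805 assigns.

```python
"""Decode an LDAP unsolicited notification (RFC 4511 section 4.4): an ExtendedResponse
carried in an LDAPMessage whose messageID is 0. Added example, not the post's
UnsolicitedNotification.java and not UnboundID SDK code."""
NOTICE_OF_DISCONNECTION_OID = "1.3.6.1.4.1.1466.20036"   # value absent, reason in resultCode
ABORTED_TRANSACTION_OID = "1.3.6.1.1.21.4"               # aborted transaction notice, RFC 5805

def _enc(tag, value):
    """BER-encode one TLV with a definite (short- or long-form) length."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _tlv(buf, pos):
    """Read the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_notice_of_disconnection(result_code=52, diagnostic="server shutting down"):
    """Constructed sample of what a server sends (52 = unavailable); not captured traffic."""
    ext = (_enc(0x0A, bytes([result_code]))             # resultCode ENUMERATED
           + _enc(0x04, b"") + _enc(0x04, diagnostic.encode())   # matchedDN, diagnosticMessage
           + _enc(0x8A, NOTICE_OF_DISCONNECTION_OID.encode()))   # responseName [10]
    return _enc(0x30, _enc(0x02, b"\x00") + _enc(0x78, ext))    # messageID 0 + [APPLICATION 24]

def decode_unsolicited(msg):
    """Details of an unsolicited notification, or None for an ordinary response (messageID != 0)."""
    _, body, _ = _tlv(msg, 0)                           # outer LDAPMessage SEQUENCE
    tag, mid, pos = _tlv(body, 0)
    if tag != 0x02 or int.from_bytes(mid, "big") != 0:
        return None
    tag, ext, _ = _tlv(body, pos)
    if tag != 0x78:
        raise ValueError("messageID 0 must carry an ExtendedResponse")
    _, rc, pos = _tlv(ext, 0)
    _, _, pos = _tlv(ext, pos)                          # matchedDN, unused here
    _, diag, pos = _tlv(ext, pos)
    info = {"result_code": int.from_bytes(rc, "big"), "diagnostic": diag.decode(),
            "oid": None, "value": None}
    while pos < len(ext):                               # referral [3], responseName [10], responseValue [11]
        tag, val, pos = _tlv(ext, pos)
        if tag == 0x8A:
            info["oid"] = val.decode()
        elif tag == 0x8B:
            info["value"] = val
    info["disconnecting"] = info["oid"] == NOTICE_OF_DISCONNECTION_OID
    return info
```

A client that receives a message with `disconnecting` set should stop sending requests on that connection and reconnect, since the server will close it.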
