Security Hole with Sybase ASE and LDAP User Authentication

The connection between ASE and the LDAP server is unencrypted.  The LDAP records are transmitted in clear-text across the network.


Even though Sybase has known about this security hole for more than 2 years, Sybase has yet to address this issue.  When I spoke to the engineers at TechWave, it wasn’t even on their radar. 🙁  If you are using ASE with LDAP User Authentication, please let Sybase know you need this security hole fixed.



  • Encrypt the connection manually by using SSH Tunneling (or similar)
  • Place the LDAP server on the same machine as ASE; ASE should then connect to the LDAP server's port on LOCALHOST
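
To make the two workarounds concrete, here is an added example (not code from Sybase or from this post) that checks whether an LDAP URL configured for ASE points at loopback and, if it does not, prints the `ssh -L` forward and the rewritten URL to use instead. The host names, ports, search bases and the presence of sshd on the LDAP host are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample URLs; host names, ports and search bases are assumptions.
SAMPLE_URLS = [
    "ldap://ldap.corp.example:389/ou=People,dc=example,dc=com??sub?uid=*",
    "ldap://localhost:1389/ou=People,dc=example,dc=com??sub?uid=*",
    "ldap://10.1.2.3/ou=People,dc=example,dc=com??sub?uid=*",
]

def is_loopback(host):
    """True only when the host can be shown to be local without a DNS lookup."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other name is treated as a remote host

def classify(url):
    """Return 'loopback' or 'cleartext-on-network' for a plain ldap:// URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldap" or not parts.hostname:
        raise ValueError("not a plain ldap:// URL: " + url)
    return "loopback" if is_loopback(parts.hostname) else "cleartext-on-network"

def tunnel_plan(url, local_port=1389):
    """For a remote URL, return (ssh command, URL rewritten to use the tunnel).

    Assumes sshd runs on the LDAP host and the LDAP server is reachable on that
    host's loopback; the forward binds to 127.0.0.1 so only local processes use it.
    """
    parts = urlsplit(url)
    remote_port = parts.port or 389  # 389 is the default LDAP port
    cmd = "ssh -N -L 127.0.0.1:%d:127.0.0.1:%d %s" % (
        local_port, remote_port, parts.hostname)
    rewritten = parts._replace(netloc="127.0.0.1:%d" % local_port).geturl()
    return cmd, rewritten

def audit(urls):
    """Map each URL to its classification and, if remote, the tunnel plan."""
    report = {}
    for url in urls:
        kind = classify(url)
        report[url] = (kind, None if kind == "loopback" else tunnel_plan(url))
    return report

if __name__ == "__main__":
    for url, (kind, plan) in audit(SAMPLE_URLS).items():
        print(kind, url)
        if plan:
            print("   tunnel: ", plan[0])
            print("   new URL:", plan[1])
```
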

Mailing list: sybase-dba-moderated

For those of you that don’t know, a few months back I created the sybase-dba-moderated Yahoo Group / mailing list due to the enormous amount of spam on the sybase-dba mailing list.

When I was finally able to convince Yahoo to contact the owner of the sybase-dba mailing list, Yahoo informed me that the owner expressed no inclination to remove any of the spam / spammers from the mailing list.  So I created sybase-dba-moderated.


We came up with a few rules:

  1. only Sybase related topics
  2. job postings are allowed if for Sybase positions
  3. debates are fine but no flaming is allowed 


As of right now, we have over 200 members (it is free) from all over the world 🙂


Click here to join sybase-dba-moderated

Sunday morning at Sybase’s TechWave

There is nothing planned for most of today.  Tonight is the welcoming bash.  I promise lots of pictures during this week.  It is almost 8am here (10am my time) so I’m going in search of food.  I’m curious to know what Caesar’s Palace considers kosher food.


My Sybase TechWave 2006 Schedule

Monday, August 07

  • 1:00 PM – 6:00 PM       EDU223 Advanced Replication Server Administration: Internals and Tuning  Florentine Ballroom, Salon II

Tuesday, August 08

  • 8:00 AM – 1:00 PM        FREE
  • 1:00 PM – 6:00 PM        EDU223 Advanced Replication Server Administration: Internals and Tuning  Florentine Ballroom, Salon II

Wednesday, August 09

  • 8:00 AM – 9:30 AM        INT233 A Model Approach to Sybase Replication Server  Florentine Ballroom, Salon I
  • 9:45 AM – 10:45 AM      INT240 What’s New in Replication Server 15.0.1 –  Florentine Ballroom, Salon I
  • 11:00 AM – 12:00 PM    INT223 Master Database Replication  Florentine Ballroom, Salon I
  • 1:00 PM – 2:30 PM        INT229 What’s new with ASE Replication Agent 15  Florentine Ballroom, Salon I
  • 2:45 PM – 3:45 PM        INT224 New Replication Monitoring Service in Replication Server 15.0  Florentine Ballroom, Salon I

Thursday, August 10

  • 8:00 AM – 9:30 AM       FREE
  • 9:45 AM – 10:45 AM     INT221 Using Replication Server Monitor Counters for Analysis and Tuning  Florentine Ballroom, Salon I
  • 11:00 AM – 12:30 PM   TDI131 StepByStep RepServer and OpenSwitch for ASE HA/DR  Florentine Ballroom, Salon I

For all of you women that love a geek….

Made you look!

Anyways, doesn’t he look like this movie star?  Yes, he is a full-blooded geek.


Sybase Techdoc 1040311 (corruption on block devices) clarification

The techdoc describes that data may be lost due to OS buffering of the block devices (raw devices) if the machine goes down.  Unfortunately, it doesn’t indicate whether "shutdown with nowait", "kill -9", "kill -15" or "kill -4" also result in data loss because of the OS buffering.

I asked Sybase tech support to update the techdoc and the CR.

PSE has updated the CR 406473 description

ASE 12.5.1 or later versions prior to 12.5.3 ESD #5 and version 15.0
treat block device the same as raw device. ASE assumes all writes
have been committed to disk, while the modified pages may be retained
in the OS kernel cache. In the event of a power failure or other
system crashes, the cached modifications may be lost leading to
data inconsistency.

Using a shutdown with nowait by itself would not cause an inconsistency.
Recovery would of course take more time during the next startup if we
do a ‘shutdown with nowait’ though.

There is also a possibility that if there’s a system crash or a power
outage during shutdown, it could lead to a data loss. However, note
that a system crash has to occur for us to encounter
this sort of situation.


How to install DBD::Sybase on Windows using ActiveState Perl

Assuming that OpenClient is installed:

Install ActiveState Perl from ; (free)


1) Start -> ActiveState Perl -> Perl Package Manager  
    a) install DBI
    b) exit
2) download latest DBD-Sybase*.zip from
    a) extract zip file to temporary directory (e.g. c:\test)
    b) Start -> Run -> cmd.exe
        I) cd \test
       II) ppm install DBD-Sybase.ppd
      III) exit


That’s it 🙂


Sybase TechWave 2006: Replication Server

I’m in Las Vegas, Nevada for the annual Sybase TechWave Conference at Caesar’s Palace.  The main entertainment will be a private showing of Penn & Teller.  Woohoo!

This year, I’m primarily focusing on Replication Server.  Increasing the performance is of keen interest to me as well as increasing stability of the replication.  There are a number of outstanding issues with Replication Server that I’m hoping to address.  The main one is an issue with firewalls.

This is the environment (very common in large corporations with segmented networks):

ASE (repAgent) tcp/ip connection <-> firewall <-> tcp/ip connection (repagent descriptor) RepServer -> ….

After a period of inactivity, the tcp/ip connection is closed by the firewall:

ASE (repAgent) tcp/ip connection <X> firewall X> tcp/ip connection <X> (repagent descriptor) RepServer -> ….

The tcp/ip connection is closed, which will notify both the operating systems containing the primary ASE and replication server.

On the primary Sybase ASE side:

  • OS notifies ASE of the disconnected connection. This is most commonly reported as a 1608 error (client connection unexpectedly disappeared).
  • RepAgent is notified within ASE and attempts to reconnect

On the Replication server side:

  • OS notifies RepServer of the disconnected connection
  • RepServer either doesn’t handle the message from the OS or doesn’t release the repagent descriptor correctly.

When the RepAgent attempts to connect to the Replication Server:

  • RepAgent connection is denied because Replication Server says that the RepAgent is in the process of disconnecting. So it *appears* to be handling the message from the OS but not completely freeing the repagent descriptor for some reason.

This can be easily reproduced with the help of someone that can set up a firewall that will close connections due to both inactivity and maximum time allowed.

Using a heartbeat of, say, 30 secs does reduce the occurrences of this issue, but there are maximum times, mandated by the security group, that *any* connection can be open regardless of activity. This partial workaround is already in place. Another partial workaround is to have repagent itself disconnect after 20 secs of inactivity, but we still run into the maximum connection time limit.

As it is, I’m forced to restart the repserver every 18 to 24 hours. Regardless of how the connection is closed, repserver should release the repagent descriptor fully so that a reconnect from the repagent will go through.


moving my blogs here

I will be posting about many subjects but primarily about techie stuff.  Some Sybase, Microsoft, etc.  I’m moving the techie posts I made on my personal blog here.
