The connection between ASE and the LDAP server is unencrypted. The LDAP records are transmitted in clear-text across the network.
Even though Sybase has known about this security hole for more than 2 years, Sybase has yet to address this issue. When I spoke to the engineers at TechWave, it wasn’t even on their radar. 🙁 If you are using ASE with LDAP User Authentication, please let Sybase know you need this security hole fixed.
Workarounds:
- Encrypt the connection manually by using SSH tunneling (or similar)
- Place the LDAP server on the same machine as ASE. ASE should then connect to the LDAP server's port on LOCALHOST.
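
A sketch of the SSH tunneling option together with a check that the LDAP URLs configured in ASE only ever point at the loopback interface. This is an added example, not part of the original post; the host name, account, ports and URLs are constructed placeholders.

```shell
#!/bin/sh
# Added example. Host names, ports and URLs are constructed placeholders.
LDAP_HOST="ldap.example.internal"  # hypothetical LDAP server running sshd
LDAP_PORT=389                      # cleartext LDAP port on that server
LOCAL_PORT=3389                    # hypothetical local tunnel port on the ASE host

# Print the ssh command that carries LDAP traffic over an encrypted tunnel.
# The listener binds to 127.0.0.1 so only processes on the ASE host can use it.
tunnel_cmd() {  # $1 = ssh account on the LDAP server
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$LOCAL_PORT" "$LDAP_PORT" "$1" "$LDAP_HOST"
}

# Succeed only if an ldap:// URL points at the loopback interface, i.e. the
# cleartext bind never leaves the machine (local LDAP server or tunnel entry).
ldap_url_is_loopback() {
    rest=${1#ldap://}
    [ "$rest" != "$1" ] || return 1   # not an ldap:// URL
    hostport=${rest%%/*}              # drop the search base and filter
    host=${hostport%%:*}              # drop the port
    case "$host" in
        localhost)  return 0 ;;
        *[!0-9.]*)  return 1 ;;       # any other name is treated as remote
        127.*.*.*)  return 0 ;;
    esac
    return 1
}

# Report each LDAP URL as safe (loopback) or exposed (cleartext on the wire).
audit_urls() {
    for url in "$@"; do
        if ldap_url_is_loopback "$url"; then
            echo "OK        $url"
        else
            echo "CLEARTEXT $url"
        fi
    done
}

tunnel_cmd aseldap
audit_urls \
    "ldap://ldap.example.internal:389/ou=People,dc=example,dc=com" \
    "ldap://localhost:3389/ou=People,dc=example,dc=com" \
    "ldap://127.0.0.1:389/ou=People,dc=example,dc=com"
```

Once the tunnel is up, the LDAP URL configured in ASE points at the local tunnel port instead of the remote server, and the audit should report no CLEARTEXT entries.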
For those of you that don’t know, a few months back I created the sybase-dba-moderated Yahoo Group / mailing list due to the enormous amount of spam on the sybase-dba mailing list.
When I was finally able to convince Yahoo to contact the owner of the sybase-dba mailing list, Yahoo informed me that the owner expressed no inclination to remove any of the spam / spammers from the mailing list. So I created sybase-dba-moderated.
We came up with a few rules:
- only Sybase related topics
- job postings are allowed if for Sybase positions
- debates are fine but no flaming is allowed
As of right now, we have over 200 members (it is free) from all over the world 🙂
There is nothing planned for most of today. Tonight is the welcoming bash. I promise lots of pictures during this week. It is almost 8am here (10am my time) so I’m going in search of food. I’m curious to know what Caesar’s Palace considers kosher food.
Made you look!
Anyways, doesn’t he look like this movie star? Yes, he is a full-blooded geek.
http://www.sybase.com/detail?id=1040311 The techdoc describes that data may be lost due to OS buffering of the block devices (raw devices) if the machine goes down. Unfortunately, it doesn’t indicate whether "shutdown with nowait", "kill -9", "kill -15" or "kill -4" also result in data loss because of the OS buffering.
I asked Sybase tech support to update the techdoc and the CR.
PSE has updated the CR 406473 description
ASE 12.5.1 or later versions prior to 12.5.3 ESD #5 and version 15.0
treat block device the same as raw device. ASE assumes all writes
have been committed to disk, while the modified pages may be retained
in the OS kernel cache. In the event of a power failure or other
system crashes, the cached modifications may be lost leading to
Using a shutdown with nowait by itself would not cause an inconsistency.
Recovery would of course take more time during the next startup if we
do a ‘shutdown with nowait’ though.
There is also a possibility that if there's a system crash or a power
outage during shutdown, it could lead to a data loss. However, note
that a system crash has to occur for us to encounter
this sort of situation.
Assuming that OpenClient is installed:
Install ActiveState Perl from http://www.activestate.com (free)
1) Start -> ActiveState Perl -> Perl Package Manager
   a) install DBI
2) download latest DBD-Sybase*.zip from http://www.peppler.org/downloads/ActiveState
   a) extract zip file to temporary directory (e.g. c:\test)
   b) Start -> Run -> cmd.exe
      I) cd \test
      II) ppm install DBD-Sybase.ppd
That’s it 🙂
I’m in Las Vegas, Nevada for the annual Sybase TechWave Conference at Caesar’s Palace. The main entertainment will be a private showing of Penn & Teller. Woohoo!
This year, I’m primarily focusing on Replication Server. Increasing the performance is of keen interest to me as well as increasing stability of the replication. There are a number of outstanding issues with Replication Server that I’m hoping to address. The main one is an issue with firewalls.
This is the environment (very common in large corporations with segmented networks):
ASE (repAgent) tcp/ip connection <-> firewall <-> tcp/ip connection (repagent descriptor) RepServer -> ….
After a period of inactivity, the tcp/ip connection is closed by the firewall:
ASE (repAgent) tcp/ip connection <X> firewall <X> tcp/ip connection <X> (repagent descriptor) RepServer -> ….
The tcp/ip connection is closed, which will notify both the operating systems containing the primary ASE and replication server.
On the primary Sybase ASE side:
- os notifies ASE of the disconnected connection. This is most commonly reported as a 1608 error (client connection unexpectedly disappeared).
- RepAgent is notified within ASE and attempts to reconnect
On the Replication server side:
- os notifies RepServer of the disconnected connection
- RepServer either doesn’t handle the message from the os or doesn’t release the repagent descriptor correctly.
When the RepAgent attempts to connect to the Replication Server:
- RepAgent connection is denied because Replication Server says that the RepAgent is in the process of disconnecting. So it *appears* to be handling the message from the os but not completely freeing the repagent descriptor for some reason.
This can be easily reproduced with the help of someone that can set up a firewall that will close connections due to both inactivity and maximum time allowed.
Using a heartbeat of, say, 30 secs does reduce the occurrences of this issue, but there are maximum times, mandated by the security group, that *any* connection can be open regardless of activity. This partial workaround is already in place. Another partial workaround is to have repagent itself disconnect after 20 secs of inactivity, but we still run into the maximum connection time limit.
As it is, I’m forced to restart the repserver every 18 to 24 hours. Regardless of how the connection is closed, repserver should release the repagent descriptor fully so that a reconnect from the repagent will go through.
I will be posting about many subjects but primarily about techie stuff. Some Sybase, Microsoft, etc. I’m moving the techie posts I made on my personal blog here.