20080917 patching sun ds 52 on linux - plembo/onemoretech GitHub Wiki

title: Patching Sun DS 5.2 on Linux
link: https://onemoretech.wordpress.com/2008/09/17/patching-sun-ds-52-on-linux/
author: lembobro
description:
post_id: 456
created: 2008/09/17 04:37:29
created_gmt: 2008/09/17 04:37:29
comment_status: open
post_name: patching-sun-ds-52-on-linux
status: publish
post_type: post

Patching Sun DS 5.2 on Linux

Java System Directory Server 5.2 is the (nearly) final iteration of the original Netscape/iPlanet Directory Server published by Sun. The next major version, Directory Server Enterprise Edition 6 and its incremental updates (the latest is 6.3), is in many ways a completely different product. Not entirely new, mind you, but changed enough that installing and managing the software requires a careful reading of the (typically abysmally written) documentation to avoid finding yourself collapsing in an ocean of tears (more on this in an upcoming post here).

During a recent test of DS 5.2 I decided to install the latest patch for the application, patch 6 (a/k/a 117668-05), for RHEL AS 3 that was released 09/21/2007. My reference platform was a CentOS 4.7 machine that has so far proven compatible enough with DS 5.2, so I didn’t anticipate any issues. This is a pretty big patch that clears a huge number of bugs — including some fairly important security vulnerabilities.

Installing the patch was easy, once I corrected a “fix” made to it by the developers so it could be run as root in cases where that user was owner of the directory instance.

You see, when setting up Sun DS 5.2, you are given a choice of running the software as a specific system user. Most of us who have been around for awhile create a system user and group for this purpose, knowing that it is generally not a very good idea to run something like a directory service as root. Given the number of hits a typical enterprise directory takes each day from a wide variety of places, you’re always just one inevitable buffer overflow away from having the daemon “owned” by some external person or process. I always use a special system account and group for this reason. The main drawback is that neither this user nor the GUI console (which acts under this user’s privileges) will be able to start the ns-slapd daemon if the LDAP port is set to anything under 1024, e.g. port 389 — the standard port for LDAP. There are ways to handle this cleanly, as Apache has for years. But Netscape and Sun decided not to do so.

So, back to the patch. Once you’ve unzipped, gunzipped and untarred the files like some Fabergé Egg, the README instructs you to run the install.sh script with some variables. At a minimum you need to include the installation base directory:

./install.sh /opt/sun/directory52

(why would anyone use the Sun example path of /var/Sun/mps ?)

Now all this shell script really does is launch the actual update program, written in Sun’s own special flavor of perl.

In order to make it “compatible” with installations where root is the owner, the developers had line 417 read as follows:

cmd "tar xof $dspkg_file";

Of course setting the “o” switch for tar when logged in as anything other than root in Linux is going to result in a “Cannot change ownership to” error, since only root can normally make ownership changes to files.

By simply removing the offending “o”, I was able to install the patch successfully. Again, the problem for me was that it would fail to restart the directory server if it were configured for a port under 1024. In my case I changed the listening port to something higher before applying the patch and then changed it back to 389 when done.

Copyright 2004-2019 Phil Lembo