The server itself was up and the relevant ports were accessible. In fact, unencrypted LDAP continued to work while LDAPS saw the error above.
I restarted slapd with the -d 255 flag (-d 8 is sufficient for this error) and started seeing this error:
TLS: error: could not initialize moznss security context - error -5925:The one-time function was previously called and failed. Its error code is no longer available
TLS: can't create ssl handle.
At the start of the log, I saw several related errors including this one:
...is not valid - error -8181:Peer's Certificate has expired..
Ultimately this meant that I had to replace not just my certificate but also the CA certificate and the signing key in OpenLDAP’s moznss database. I believe my CA’s certificate had to be replaced because of the SHA1 retirement last year.
The steps I had to follow were surprisingly involved and undocumented:
Upload the new certificates to /etc/openldap/ssl
List the existing certificates in the database:
Remove the existing certs:
certutil -D -d . -n "My CA Certificate"
Load the new OpenLDAP SSL certificate and CA certificate:
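The full rotation, written out as one script so the steps above can be repeated next time a certificate expires. This is an added example, not the original post's commands: it assumes the NSS database lives in /etc/openldap/ssl, that the new CA is a PEM file and the new server certificate plus key arrive as a PKCS#12 bundle whose friendly name matches the server nickname, and the helper names (parse_nicknames, rotate_nss_certs) are mine. The final certutil -V step validates the chain for SSL-server use before slapd is restarted, which surfaces an expired CA directly instead of as error -8181 in the slapd log.

```shell
#!/bin/sh
# Added example (not from the original post): replace an expired CA and server
# certificate in OpenLDAP's moznss (NSS) database with certutil and pk12util.
# Assumed layout: NSS db in /etc/openldap/ssl, new certs alongside it.
set -eu

# Print the nicknames from `certutil -L` output, one per line, dropping the
# trust-attribute column and the two header lines. Runs of spaces inside a
# nickname are collapsed to one (acceptable for the usual nicknames).
parse_nicknames() {
    awk 'NR > 2 && NF >= 2 { $NF = ""; sub(/[ \t]+$/, ""); print }'
}

# Replace every certificate in the NSS db with the new CA + server pair.
# $1 = NSS db dir, $2 = new CA PEM file, $3 = PKCS#12 bundle (server cert + key),
# $4 = nickname to give the CA, $5 = server nickname (friendly name in the .p12)
rotate_nss_certs() {
    db=$1; ca_pem=$2; server_p12=$3; ca_nick=$4; server_nick=$5

    # 1. list, then delete every existing entry (old CA, old server cert)
    certutil -L -d "$db" | parse_nicknames | while IFS= read -r nick; do
        certutil -D -d "$db" -n "$nick"
    done

    # 2. import the new CA as a trusted SSL CA ("CT,," = trusted CA for SSL)
    certutil -A -d "$db" -n "$ca_nick" -t "CT,," -i "$ca_pem"

    # 3. import the server certificate together with its private key
    #    (pk12util prompts for the bundle password)
    pk12util -i "$server_p12" -d "$db"

    # 4. verify the server cert validates for SSL-server use (-u V) before
    #    restarting slapd; an expired CA fails here rather than at runtime
    certutil -V -d "$db" -n "$server_nick" -u V
}

# Constructed sample of `certutil -L` output, used to exercise parse_nicknames
# without touching a real database.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

My CA Certificate                                            CT,,
ldap.example.com                                             u,u,u'

# Only touch the real database when explicitly asked to.
if [ "${1:-}" = "--rotate" ]; then
    rotate_nss_certs /etc/openldap/ssl ca.pem ldap.example.com.p12 \
        "My CA Certificate" "ldap.example.com"
fi
```

Run it with --rotate from the directory holding the new files; without the flag it only defines the helpers. Restart slapd afterwards and confirm with `ldapsearch -H ldaps://...` that the new chain is served.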
I am pretty excited about the release of git 2.9. It brings several new features that make reviewing changes easier and more sensible. It has better change grouping, and it can highlight individual changed words. Everyone should set these configuration options to enable better git diffs.
Upgrade your git
Before you can enable the new settings, you have to upgrade your git installation.
If you already have git installed through homebrew, you can upgrade it as follows:
brew update && brew upgrade
If you do not have git installed through homebrew, you’ll want to override your ancient Mac git by installing it as follows:
brew install git
Enable better git diffs
Once you have upgraded your git, you can put the new configuration in place.
The first major change is an improvement to how git groups changes in a diff. When you add a new block of code, git is now likelier to show the whole block as one change rather than misinterpreting it as an insertion that splits an existing block in two.
The second change is the addition of more places for you to hook in the diff-highlight utility.
diff-highlight post-processes your diffs to add more highlighting to the specific changes between two lines when you just change a few words in a line.
You can enable all of these by running the following commands in your terminal:
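One way to apply the settings described above, as an added example rather than the post's own commands. The configuration keys (diff.compactionHeuristic, pager.log/show/diff, interactive.diffFilter) are real git settings; the version check, the helper names and the assumption that diff-highlight is on your PATH are mine.

```shell
#!/bin/sh
# Added example: enable git 2.9's diff improvements after checking the version.
# Assumes `diff-highlight` (shipped in git's contrib directory) is on PATH.
set -eu

# Minor version of a dotted version string; "2" yields 0.
minor_of() {
    case $1 in
        *.*) r=${1#*.}; printf '%s\n' "${r%%.*}" ;;
        *)   printf '0\n' ;;
    esac
}

# Return 0 if version $1 (e.g. "2.9.0") is at least version $2 (e.g. "2.9").
version_at_least() {
    have_major=${1%%.*}; have_minor=$(minor_of "$1")
    want_major=${2%%.*}; want_minor=$(minor_of "$2")
    [ "$have_major" -gt "$want_major" ] ||
        { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; }
}

enable_better_diffs() {
    v=$(git --version | awk '{ print $3 }')
    version_at_least "$v" 2.9 || { echo "git $v is too old; need 2.9+" >&2; return 1; }
    # group a newly added block as one change instead of splitting an existing one
    git config --global diff.compactionHeuristic true
    # pipe paged diffs through diff-highlight for word-level highlighting
    for cmd in log show diff; do
        git config --global "pager.$cmd" 'diff-highlight | less'
    done
    # new in 2.9: diff-highlight inside `git add -p` as well
    git config --global interactive.diffFilter diff-highlight
}

# Only write to ~/.gitconfig when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    enable_better_diffs
fi
```

Run with --apply to write the settings. Note that git 2.11 replaced diff.compactionHeuristic with diff.indentHeuristic, which is on by default since 2.14, so the first setting only matters on 2.9 and 2.10.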
I use the bash command line on my Mac a lot. I typically have multiple tabs with multiple terminal panes open in iTerm2, often with multiple ssh sessions running. By default, the last terminal session to close trashes the bash history of all the other sessions. Is it possible to configure the terminal to preserve bash history?
The project I’m working on right now involves not just Dockerized Rails microservices, Meteor JS, and a data set measured in tens of terabytes, but also a big Bash code base.
Bash is a language that makes it easy to shoot yourself in the foot. I have some thoughts on how to write robust, modular, loosely coupled, unit tested Bash that go beyond Bash strict mode and shellcheck. However, let’s save those for later.
Here’s a useful shell command for today: watch
watch will run a command for you every few seconds and output the results on a clean screen. If you combine it with a split-screen or split-pane tool, you can quickly create a mini-dashboard.
For example, watch -n15 df -h will print your free disk space every 15 seconds:
Filesystem      Size  Used Avail Use% Mounted on
By way of another example, watch -n60 db2 list utilities show detail will check on the status of your DB2 load and other operations every 60 seconds.
Every 60.0s: db2 list utilities show detail          Mon Apr 13 12:06:24 2015
I ran into this error when running ec2-upload-bundle:
The specified bucket is not S3 v2 safe (see S3 documentation for details)
This was due to uppercase letters or underscores. Later I also ran into an issue with periods in bucket names, which showed up as this error message:
ERROR: Error talking to S3: Server.AccessDenied(403): Access Denied
Here is an easy command to sanitize the bucket names:
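A sanitizer covering all three problems named above (uppercase letters, underscores and periods), written as an added example rather than the post's own command. The helper names are mine; it lowercases the name, turns every character outside a-z, 0-9 and "-" into a hyphen, collapses runs of hyphens, trims them from the ends and caps the length at 63. A second helper checks a name against those rules so a script can refuse a bad name instead of silently changing it.

```shell
#!/bin/sh
# Added example: make an S3 bucket name safe for ec2-upload-bundle.
set -eu

# Print a sanitized version of $1: lowercase, only [a-z0-9-], no leading,
# trailing or doubled hyphens, at most 63 characters.
sanitize_bucket_name() {
    printf '%s' "$1" \
      | tr 'A-Z' 'a-z' \
      | sed -e 's/[^a-z0-9-]/-/g' -e 's/--*/-/g' -e 's/^-*//' -e 's/-*$//' \
      | cut -c1-63
    echo
}

# Return 0 if $1 already satisfies the rules above (3..63 chars, lowercase
# alphanumerics and hyphens, alphanumeric at both ends).
is_s3_safe_name() {
    case $1 in
        *[!a-z0-9-]*|-*|*-|??|?|'') return 1 ;;
    esac
    [ ${#1} -le 63 ]
}

# Usage: bucket=$(sanitize_bucket_name "$raw"); is_s3_safe_name "$bucket" || exit 1
```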
mkdir -p is a command second only to touch in succinct utility.
touch creates a file if it does not exist, or updates its timestamp if it does. It’s handy if you want to write to a file without checking for its existence, as otherwise you’d need to determine whether or not append is the correct mode. It’s also handy for setting flags for yourself on the filesystem.
mkdir -p creates a path if it does not exist, or does nothing if the path already exists. mkdir -p /foo/bar/baz will create /foo, /foo/bar, and /foo/bar/baz for you. Conversely, mkdir -p /usr/local/bin will not complain because those directories already exist.
Why would you need this? A couple of reasons that came up for me tonight:
You cannot redirect output to a file if the file is in a directory that does not yet exist
You cannot create a symbolic link in a directory that does not yet exist
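Both cases as small helpers, added here as an example rather than taken from the post. The function names are mine; each one calls mkdir -p on the destination's parent first, so the same call works whether or not the directory already exists.

```shell
#!/bin/sh
# Added example: mkdir -p as the idempotent step before a redirect or a symlink.
set -eu

# Create the parent directory of path $1 if it is missing; a no-op otherwise.
ensure_parent() {
    mkdir -p "$(dirname -- "$1")"
}

# Run a command and redirect its output into $1, whose directory may not
# exist yet. Usage: write_output /some/new/dir/out.txt some_command args...
write_output() {
    out=$1; shift
    ensure_parent "$out"
    "$@" > "$out"
}

# Create (or replace) symlink $2 pointing at $1, creating $2's directory first.
link_into() {
    ensure_parent "$2"
    ln -sf -- "$1" "$2"
}
```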