Newbie: IBM Directory Server LDAP Java Implementation

Good day friends,
I'm new to developing LDAP applications. I'm using IBM Directory Server v4.1 and need to develop an application (a web application - JSP/Servlet/EJB). I'm doing this as part of a web project where I need to store the user info of the registering user in the LDAP server with the proper organisational hierarchy and privileges. I'm using Java for this application. I have the proper JNDI environment set up for LDAP interaction. Can anyone provide me with a best practice or the right procedure for implementing this, like searching for an entry, inserting/updating an entry, and how to make use of the attributes provided in IBM DS 4.1?
I searched the IBM redbooks and others for this, but without any success. All programming references pertain to C, with very minimal info for a Java implementation. I found some info for other LDAP servers like Netscape and Novell, but their structuring is different from IBM DS. I would appreciate it if anyone can throw some light on this. I would appreciate a complete Java Programmers Reference Guide for IBM Directory Server v4.1.
Thanking you in anticipation.
cheers,
J2EEDev.

I'm coping with the same question as you had.
Did you get any valuable information or a Java programmers reference guide for IBM directory server ?
If so, could you send me an url where I can obtain the required information ?
Thanks for your reply !
Dirk

Similar Messages

  • JNDI Tutorial Sun and IBM Directory server v5.1

    Hi there guys,
    I'm new to JNDI and LDAP, and I am trying to get the tutorial started with the IBM Directory Server v5.1, but with no luck. The tutorial mentions something about root naming contexts. As far as I can find in the docs of the IBM Directory Server, there are no root naming contexts. Am I right? Further, when I added the several DNs under the suffixes and tried to restart the server, the server wouldn't start anymore. What I did was add the following lines as suffixes:
    o=JNDITutorial
    ou=Groups, o=JNDITutorial
    cn=Directory Administrators, ou=Groups, o=JNDITutorial
    etc..
    Is there someone who had the same problems?
    Or are there any suggestions for using another (free) LDAP server?
    Hope someone can help.

    in suffixes you can only add 'o's ..not ous, cns etc.
    For that run a ldif for that o, as an admin to add a tree.
    hope this helps.

  • Add a posixaccount user in posixgroup in sun directory server using java

    Hi
    Does anybody know how to add a posixaccount user to a posixgroup in Sun Directory Server using Java code?
    I am able to add a normal directory server user to an LDAP group in Java.
    But I am not having any luck adding a posixaccount user to a posixgroup.
    I know we can set the uid value in the memberuid attribute, but how do I add it through a Java program?
    Can anybody paste code for that?
    Thanks.

    To CRabel,
    My company has a restriction on using open-source products/code, but I will take a look at the Netscape LDAP SDK as a reference.
    To raghu1978,
    I found a product called Directory Editor 1 2005Q1; I hope it is useful.
    Thanks, all.

  • Access read-only LDAP for username/password, Directory Server LDAP for rest

    Hello! I keep trying to find documentation on the above, but thus far I have been unable to find something that explains this well (and my attempts at figuring out thus far have failed).
    I have a read-only LDAP that is used University wide, and I am not allowed to change how it currently operates. It uses double-bind authentication in that you search for a user to get their DN, then bind to that DN with the users password to see if it was correct.
    I'd like to use the above setup to verify a user's credential as well as return some basic information about them (name, email, etc). After this, I'd like to use another freshly installed Directory Server LDAP to manage the roles that seem to be needed for Portal Server (as I cannot write to the original LDAP).
    Any help or advice on the above would be appreciated! Thank you.

    The authentication you described is the default way LDAP authentication works.
    The AM LDAP auth module allows you to 'pull' attributes from the LDAP server you're using for authentication and store them in its 'amSDK' Directory Server, which is leveraged by Portal Server (if you're talking about Sun's Portal Server).
    However, this is only done if the profile is created (set 'dynamic profile generation' in the auth service).
    As Portal Server does not support the new 'identity repository API' of AM, you have to stick to AM's legacy mode when using Portal Server.
    To keep the data in sync (if needed), you have to write a post-auth class.
    -Bernhard
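The search-then-bind ("double-bind") flow described in this thread, as an added example that is not code from either poster. The `uid` attribute, the anonymous lookup, the `cn`/`mail` attributes and the `ldap.example.edu` URL and base DN are assumptions; the example also escapes the user-supplied name before it goes into the filter and refuses empty passwords.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class DoubleBindAuth {
    /** Escape a value for use inside an LDAP search filter (RFC 4515). */
    static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Open a context; dn == null means an anonymous bind for the lookup step. */
    static DirContext bind(String url, String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, dn == null ? "none" : "simple");
        if (dn != null) {
            env.put(Context.SECURITY_PRINCIPAL, dn);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        return new InitialDirContext(env);
    }

    /** Returns the user's DN when the second bind succeeds, otherwise null. */
    static String authenticate(String url, String baseDn, String uid, String password)
            throws NamingException {
        // A simple bind with a DN and an empty password is an unauthenticated bind,
        // which a server may accept as anonymous; it must never count as a login.
        if (uid == null || password == null || password.isEmpty()) return null;

        DirContext lookup = bind(url, null, null);          // step 1: find the DN
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"cn", "mail"});
            NamingEnumeration<SearchResult> hits =
                    lookup.search(baseDn, "(uid=" + escapeFilter(uid) + ")", sc);
            if (!hits.hasMore()) return null;               // unknown user
            String dn = hits.next().getNameInNamespace();
            if (hits.hasMore()) return null;                // ambiguous match: refuse
            try {
                bind(url, dn, password).close();            // step 2: bind as the user
                return dn;
            } catch (AuthenticationException badPassword) {
                return null;
            }
        } finally {
            lookup.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed inputs; both calls return before any server is contacted.
        System.out.println(escapeFilter("j*(doe)"));
        System.out.println(authenticate("ldaps://ldap.example.edu:636",
                "ou=people,dc=example,dc=edu", "jdoe", ""));
    }
}
```

JNDI's `search(name, filterExpr, filterArgs, cons)` overload with `{0}` placeholders performs the same escaping and can replace the hand-written `escapeFilter`.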

  • Issue w/ Case Differences Using the IBM Directory Server MA

    We have the following issue using the IBM Directory Server MA using FIM 2010 R2 (Version 4.1.3479.0).
    We provision a new object, e.g., uid=jdoe,ou=users,o=contoso, into an instance of IBM Directory Server
    The object is created in IBM Directory Server as uid=jdoe,ou=users,o=contoso
    A Full Import on the IBM Directory Server MA runs and confirms the export
    Subsequent imports, sync, and exports run successfully
    <Time passes>
    A Full Import on the IBM Directory Server MA runs, and this object shows up as a staging-error (uid=jdoe,ou=Users,o=contoso)
    Subsequent imports and syncs report errors on this object (staging-error)
    Note that we do not manipulate the anchor (DN) of this object once it is created in IBM Directory Server. Other attributes are synchronized, but the object is never renamed/moved. This case change does not happen with all of the objects brought in during the Full Import, but the number of instances do increase periodically. At this point, it does look like the import is changing from a lowercase "u" to an uppercase "U" but not vice versa.
    I found a related TechNet article containing the following remark:
    "IBM Directory Server does not guarantee that the case of a DN component will match in all instances. On a synchronization or import from IBM Directory Server, this can manifest itself as an unexpected update. For example, if you create O=TEST, and then create the user cn=MikeDan,O=TEST, this might be imported from IBM Directory Server as cn=MikeDan,O=test. Because of the case difference, FIM treats this as an update on subsequent full imports."
    Unfortunately, the article does not propose a resolution.
    Has anyone encountered this issue? More importantly has anyone resolved this or found an acceptable workaround?
    Note that deleting the connector space is not an acceptable workaround. :)

    I remember experiencing this issue when we were on 5.0, and I believe it persists through 5.1 as well.
    There is a comment in the 5.2 release notes that something similar was fixed:
    Changing case sensitive attribute values failed in MMR. (4624693)
    If I had to take a wild guess, I would say that the server does some internal checking to see if the value has changed, possibly based on the attribute syntax, to avoid replicating "changes" that really don't change anything except case. I doubt that all your custom attributes are case-sensitive, though. Enabling replication probably "turns on" this behavior, which doesn't go away even if replication is disabled.
    In any case, you're probably out of luck unless/until you upgrade to 5.2.

  • Retrieving user data from Directory Server using java code

    Can anyone send java code to bind to directory server and retrieve the user information from server instance.


  • Possible to "move" Java Directory Server ?

    Hi,
    Has anyone tried moving Java Directory server (LDAP) from one host to another ?That is not having to reinstall the Directory server when moving hosts ?
    I would like to know if anyone has and if any tips and tricks would be great. Thanks

    Yes, I tried to move the DS from a zone to the global yesterday. It was not fun or intuitive. You cannot simply copy instance's dir tree or certificates. The DS creates a certificate database with a randomized password, so you need a new instance to add the certificates back.
    Start with backing up the old instance and copy the dir tree to the new server:
    dsadm stop $DSINS
    dsadm backup $DSINS /archive/path
    On the new server create a new DS instance and restore to it:
    dsadm create $DSINS
    dsadm restore $DSINS /archive/path
    Finally start it to see what breaks:
    dsadm start $DSINS
    I ended up having to request and sign a new server cert. Though, it should be realized you need to create a new DS instance on a server with the original FQDN to add the old certificates back. I modified the local /etc/hosts and the DNS with the original CNAME as a pointer to the real hostname. I had no end of fun getting everything working again. All the clients needed to be re-initialized with the modified profile for the server list. BTW, if your profiles specify the old IP for the default server-list, your ldap clients will fail/hang when being initialized.

  • Make Plug-in to Directory Server

    Hi,
    I was trying to get some API documentation and examples for creating plug-ins for Directory Server in Java; however, I was not able to download anything useful.
    I have to integrate a special authentication method into Directory Server (that is part of a Portal Server). Can you please help to find the appropriate SDK/documents?

    Hi,
    The Java program that you want to run when an add/modify occurs can be kicked off in the class that implemented the Listener.
    Also, these programs will work only on those LDAP servers which support the Persistent Search Control. Probably that was the reason why you didn't see anything happening when you started the listener and modified your LDAP database.
    The listener works fine in Netscape Directory Service LDAP but doesn't work in OID (Oracle) or AD (Microsoft) directories.
    Hope this helps!
    -Rama

  • Active Directory Server Problem

    Hi All,
    This mail Seeks to get help from people who have worked with Active Directory Server.
    The following is our Current scenario.
    We are in the process of establishing an SSL connection to Active Directory Server from java environment(a standalone class) in Windows 2000.
    1.Active Directory Server is installed in an independent Win 2k machine.
    2.SSL is enabled in the Active Directory Server Machine by installing the Enterprise Root Certificate.
    3.Microsoft High Encryption pack is installed in both the client and the Server(AD)
    4.The .cer file from the AD machine is imported in to the Client's keystore(cacerts) using the keytool utility.
    5.The AD m/c is part of a domain named "rsa" and client m/c is part of the domain named "cts"
    With the above setup,The following code tries to Establish an SSL context to the AD through JNDI.
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL,"ldap://blr03srv1.rsa.com:636");
    env.put(Context.SECURITY_PROTOCOL, "ssl");
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL,"CN=Administrator,CN=Users,DC=rsa,DC=com");
    env.put(Context.SECURITY_CREDENTIALS,"password");
    try {
         // Opening the context performs the SSL handshake and the simple bind
         DirContext ctx = new InitialDirContext(env);
         ctx.close();
    } catch (Exception e) {
         e.printStackTrace();
    }
    When we try to run this Client we are facing a SSLHandShakeException with a message saying "No trusted certificate found".
    As far as we know the .cer file is successfully imported in to the cacerts which is used by the J2SE as the default keystore.
    Hence we ran out of ideas,as we think that there could be some other issue which is causing this problem.
    We are looking forward to get inputs from AD enlightened people to Solve this issue
    Thanks in Advance,
    Manivannan.A

    I had the same problem and still have not managed to solve it; if you manage to, please pass me the solution.
    thank's
    Fernando Queiroz Fonseca
    Undergraduate in Electrical Engineering
    Universidade Federal de Uberlândia
    http://www.fernandoqueiroz.com.br
    email : [email protected]

  • Directory Server 6.1 and 2005Q4

    We are currently running JES 2005Q4 (JES4) Directory Server:
    Sun Java(TM) System Directory Server/5.2_Patch_5 B2007.093.0303
    ns-slapd: B2007.213.1401
    We are very interested in the Identity Synchronization for Windows
    which comes as part of JES5' Directory Server 6.1.
    We are wondering if this version of the Directory Server can be run
    with the JES4 messaging and calendaring servers?
    If yes, are there any gotchas we should watch out for? More important,
    is it a good idea? And/or does anyone have any suggestions?
    Thanks!
    -- Bob

    Hi,
    As long as you can run comm_dssetup.pl against the directory install to set up all of the relevant schema and indexes, it should be fine.
    Messaging & calendar server aren't fussy about the directory version - just the data structure and speed (i.e. schema & indexes).
    Regards,
    Shane.

  • Integrating Sun Java Directory Server with Sun Java Application Server 7

    Hi,
    My basic goal is to implement Single Sign On within the network, i.e. if the user is inside the company's network and tries to access any application, then he should not be asked for a username/password again because he is in the network.
    My question is: is this possible with Sun Java System Directory Server? If yes, how can we integrate Directory Server with Sun Java System Application Server 7 2004Q2?
    Please help.
    Thanks

    Directory Server in itself doesn't provide any kind of SSO functions. Basically it is a high performing data repository accessible via LDAP and DSML. It is, however, a key component used by SSO applications like Access Manager. If your applications are web applications then take a look at Access Manager for your SSO needs.
    Regards,
    Scott

  • Sun java directory server and Active Directory

    We are using two different directory servers Sun java directory server and active directory.
    My question is how we can have password synchronization between these two directory servers.
    I have checked Sun Java[TM] System Identity Synchronization for Windows 1 2004Q3
    http://www.sun.com/download/products.xml?id=41537425
    It seems that it's supported platforms is only for solaris and windows , but I have installed my Sun java directory server on linux and obviously it doesn't work for me.
    I would be grateful if anyone can suggest a solution to work around this situation.
    I have checked identity manager , I would like to know that if I can do this using this product.
    http://www.sun.com/software/products/identity_mgr/specs.jsp
    --regards.
    Sara

    Yes RHEL 4 is a supported OS with DSEE 6.0.
    Identity Synchronization for Windows is a part of DSEE that allows synchronization of users, passwords and groups between Sun Directory Server and Active Directory bi-directionally without altering the users environments, ie it does not require that users change their current habits.
    Identity Manager is a complete identity management solution that is targetting enterprise work flow when it comes to user provisioning and de-provisioning, but also allows to build authentication and password change forms that will provision the passwords to many different systems including Sun Directory Server and Active Directory but also IBM mainframes, legacy applications, databases...
    If you are implementing a complete identity management solution, then go with Identity Manager. If you need a lightweight and fast solution for just synchronizing users and passwords between Sun DS and MS AD, Identity Synchronization for Windows should be your choice.
    Regards,
    Ludovic.

  • Sample connecting to LDAP Server in Java

    Hi,
    I am trying to establish SSL from a Java application (via Netscape Directory SDK 4.0 - Java version) to the Directory Server (ADS) in a secure manner - i.e. LDAP over SSL.
    I am trying to run this code...
    LDAPConnection ld = null;
    LDAPModificationSet attrs = new LDAPModificationSet();
    attrs.add(LDAPModification.REPLACE,new LDAPAttribute("unicodePwd", "testpassword"));
    try {
        LDAPSSLSocketFactory ssl = new LDAPSSLSocketFactory();
        ld = new LDAPConnection( ssl );
        /* Connect to server */
        ld.connect("10.10.10.7",636);
        /* Authenticate to the server as directory manager */
        ld.authenticate(adminDN,password);
        /* Now modify the entry in the directory */
        ld.modify( userDN, attrs );
    } catch(Exception e) {
        /* handler body not shown in the original post */
    }
    But I don't know where my program reads the Cert. info... I don't know
    if I have to import my internal CA via keytool or I have missed some
    special configuration ..
    When I run this code, the following error appears:
    netscape.ldap.LDAPException: Failed to create SSL socket (91); Cannot connect to the LDAP server
    at netscape.ldap.LDAPSSLSocketFactory.makeSocket(LDAPSSLSocketFactory.java:309)
    at edu.umassmed.chcf.security.ldap.LDAPHelper.setLDAPPassword(LDAPHelper.java:742)
    at edu.umassmed.chcf.security.administration.userhandler.UserHandlerBean.changePassword(UserHandlerBean.java:628)
    at edu.umassmed.chcf.security.administration.userhandler.UserHandlerBean_37ncs1_ELOImpl.changePassword(UserHandlerBean_37ncs1_ELOImpl.java:409)
    at edu.umassmed.chcf.security.administration.userfacade.UserManagerBean.changePassword(UserManagerBean.java:174)
    at edu.umassmed.chcf.security.administration.userfacade.UserManagerBean_3chmth_EOImpl.changePassword(UserManagerBean_3chmth_EOImpl.java:501)
    at edu.umassmed.chcf.sbb.action.ChangePasswordAction.perform(ChangePasswordAction.java:114)
    at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:510)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:265)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:200)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:2495)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2204)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
    LDAPHelper - authenticateUser() - expLDAP.toString() netscape.ldap.LDAPException: Failed to create SSL socket (91); Cannot connect to the LDAP server
    Is this possible? If so, what hints can you give me to get started (any sample code would be greatly appreciated).
    Thanks in advance.
    With Regards,
    Gokul.

    hey guys .. i was struggling with the same thing - finally found this solution -
    use:
    import netscape.ldap.*;
    import netscape.ldap.factory.JSSESocketFactory;
    JSSESocketFactory fact = new JSSESocketFactory(null);
    //unless u wanna specify any specific ciphers in the constructor
    log("Factory created");
    LDAPConnection ld = new LDAPConnection(fact);
    log("Connection initialised");
    ld.connect(MY_HOST, MY_PORT);
    log("Connected");
    ld.authenticate(user, pwd);
    log("Authenticated!");
    Before running this, i used the "keytool" command line utility to import the SSL client certificate into my default trustStore .. as a trusted cert. Dont know if thats required.. but it worked :) Hope this helps.
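Both this thread ("I don't know where my program reads the Cert. info") and the earlier Active Directory thread ("No trusted certificate found" after a keytool import) turn on which trust store the running JVM actually consults. The following is an added example, not code from any poster: it resolves that file in JSSE's default lookup order and lists the trusted CA certificates whose subject contains a given text. The class name, the command-line argument and the `changeit` default password are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {
    /** The file JSSE's default trust manager reads, in its lookup order. */
    static File effectiveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null && !prop.isEmpty()) return new File(prop);
        File dir = new File(System.getProperty("java.home"),
                "lib" + File.separator + "security");
        File jssecacerts = new File(dir, "jssecacerts");
        return jssecacerts.exists() ? jssecacerts : new File(dir, "cacerts");
    }

    /** Subjects of trusted CA certificates whose DN contains the given text. */
    static List<String> trustedIssuers(File store, char[] password, String needle)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        List<String> found = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String subject = ca.getSubjectX500Principal().getName();
                if (subject.toLowerCase().contains(needle.toLowerCase())) {
                    found.add(subject + " (expires " + ca.getNotAfter() + ")");
                }
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: part of the CA's subject DN, e.g. its CN (empty lists every CA)
        String needle = args.length > 0 ? args[0] : "";
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        File store = effectiveTrustStore();
        System.out.println("JVM home:    " + System.getProperty("java.home"));
        System.out.println("Trust store: " + store.getAbsolutePath());
        List<String> found = trustedIssuers(store, pw.toCharArray(), needle);
        for (String s : found) System.out.println("  trusted: " + s);
        if (found.isEmpty()) {
            System.out.println("  no trusted CA matches \"" + needle + "\"");
        }
    }
}
```

Run it with the same `java` binary and system properties as the application or application server; a different JRE on the machine has its own `cacerts`, so a certificate imported there is never seen by the handshake.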

  • Good Java System Directory Server book?

    Does anyone know of a good book (or books) for getting up to speed on the Sun Java System stack? I am migrating from Linux and Windows-based apps to the Sun stack and need to hit the books hard to get up to speed, but can't find much of anything newer than 2002 on Amazon.
    Specifically looking for:
    - Directory Server
    - Web Application server
    - Messaging Server
    - JMS
    Anyone have any ideas?

    Well, the first place I go is http://docs.sun.com where I can either search or browse the html versions or download the PDFs of the product manuals. Beyond that I do like Michael Haines and Tom Bialaski's LDAP in the Solaris Operating Environment: Deploying Secure Directory Services book. It came out in 2004 and covers Directory Server 5.2 (I think it was patch 2 then, now we run patch 4 here...)

  • Sun Java Directory Server 5.2 x86 download

    I'm trying to find a copy of the x86 version of the Sun Java Directory Server compressed archive for Solaris.  I'm trying to build out a test system for some old software, and I only have a copy of the Sparc version of ldap.  I've tried using the current DSEE version available on the Oracle e-delivery cloud, but the software is too old to work with it...it needs the 5.2 version, specifically.  Is anyone aware of where I can find a copy?
    Thanks for any assistance.      

    Nope
    This is part of the Oracle Lifetime Support policy:
    http://www.oracle.com/us/support/lifetime-support/index.html
    'OLD' products can/may still be supported under *SPECIAL* support contracts. So if you're entitled to its support, you can access it. Otherwise, I'm afraid the answer is no.
    HTH,
    Marco
