Set or sign up at a LDAP Server

Similar Messages

• LDAP Server Signing requirements

  Dear All,
  Until now I have been running my two Windows Server 2008 R2 Active Directory domain controllers with the "Domain Controller: LDAP server signing requirements"
  not defined (which is the same as None) due to the fact that they allowed authentication to our web server's content management system (Squiz Matrix if you need to know). I followed the instructions in
  http://technet.microsoft.com/en-us/library/dd941856(v=ws.10).aspx
  to enable logging of 2889 events (where the server allowed a client to LDAP bind without requiring signing and also sending the passwords in cleartext!). This showed that our CMS servers were indeed doing most of the unsigned binding as expected.
  It seems that the preferred solution for this is to enable LDAP over SSL, which implies getting a certificate for each of the domain controllers, setting the "Domain
  Controller: LDAP server signing requirements" to required, and configure the CMS to use LDAP over SSL. This prompts me to ask a couple of questions:
  1) If only the CMS servers appear in the 2889 events, that would mean they are the only ones binding without signing; but so far I have not got LDAP over SSL enabled, and if none of the member servers and desktops in my domain appear there, how are
  they signing, because they are not doing it against a certificate I have not created so far?
  2) Would using a self-signed certificate in the domain controllers cause any problems?
  Thank you for your help.
  Yours,
  FD

  Hi,
  Based on my research, using a self-signed certificate for LDAP signing will work, though it is not secure enough. It’s better to install a properly formatted certificate from either
  a Microsoft certification authority (CA) or a non-Microsoft CA.
  Here are some related links below I suggest you refer to:
  How to enable LDAP over SSL with a third-party certification authority
  http://support.microsoft.com/kb/321051
  Windows Server 2008 - Enable LDAP over SSL
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/be63bfb5-6578-4590-8369-4488e9952750/windows-server-2008-enable-ldap-over-ssl?forum=winserverDS
  LDAP Server Signing Requirement
  http://social.technet.microsoft.com/Forums/en-US/e242fc9b-ed7e-4f78-b0b2-a1d9745e869e/ldap-server-signing-requirement
  LDAP over SSL (LDAPS) Certificate
  http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
  I hope this helps.
  Amy Wang

• How to change LDAP server setting in Access Manager 6.2

  Hi,
  We have initially set authentication as a SunONE Directory Server 5.1 (master DS1) in Sun Java System Access Manager 6.2. In both /etc/opt/SUNWam/config/serverconfig.xml
  /etc/opt/SUNWam/config/AMConfig.properties
  conf files, DS1 was set initially. Also on console's Service Configuration ->LDAP->Primary LDAP Server was set as "DS1"
  Now the problem is that I am not able to change the DS1 to the other master "DS2". I set DS2 in both above conf files and also the Service Configuration page as Primary LDAP Server. I restarted the server. When I stopped the DS1, I couldn't login access manager console with any user. It looks like it is still trying to get authentication from DS1.
  Does anybody know what I am missing here?
  Regards,

  After hopeless tries, I finally made it work;) The trick was actually updating the sunKeyValue attribute of the entry:
  "dn:ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthLDAPService,ou=ser
  vices,dc=company,dc=com" in one of the master DS I have.
  Even though I set DS2 and loadBalancer hosts in all conf files and in Primary LDAP conf in amconsole's Service Configuration, it just didn't work until I inserted loadBalancer host in sunKeyValue attribute.
  Hope it helps to someone....
  -Bora

• Need help setting up LDAP server for Address Book

  I've set up Panther servers before for AFP which is pretty simple but now the office I work at wants me to setup an LDAP server so they can share the same contact information, probably about 2,000+ entries. I'm guessing that this will have to be entered in the LDAP server entry by entry.
  I need to know how to setup the server and what settings need to be on the clients' computers, such as in Address Book.
  The server is an older G4 tower and I've got 8 computers hooked up to it on a simple network. I don't think I'll need to make the LDAP server accessible from outside the network but it's something I'll have to worry about for the future.
  Thanks for any help you can offer.

  bump

• Terminal Command to set LDAP server

  How do I do it? I want to save it as a template in ARD3 to blast out to our clients.

  Nick, I'm not sure what your original post was asking, but if you're just trying to figure out how to set up a LDAP server, you might want to search the forum and see if you can find a thread I started (and Gary contributed to) on LDAP several months ago.
  The bottom line was that you can more or less follow the recipe in the first few chapters in O'Reilly's LDAP book (Amazon or Barnes & Noble will have it). It's not Mac-specific (so doesn't tell you about using NetInfo) -- but the book explains how to install Berkeley DB to set up the database. Pretty much any free articles I found about LDAP were of no help (and in fact served to confuse me rather badly -- that's not hard to do in general, however).
  There are some utilities out there for exporting from Mac's address book for easy importing to LDAP. And there are also a few GUI apps for manually entering data. And there's phpLDAPadmin. You'll have to use google to track those down.
  And the REAL bottom line was that LDAP disappointed me. I wanted a universally-accessible editable universal address book for myself (I use Outlook, Thunderbird, Mail.app, SquirrelMail, Address Book, etc etc) -- LDAP provides something kind of half-baked and uneditable from any of those programs, so it didn't serve my purposes. (Though yours may be different!)
  (And I suppose I shouldn't blame LDAP alone. Those clients could include LDAP editing if the developers wanted it, I suppose. LDAP, however, is designed as a read-often write-infrequently system -- so maybe my expectations were ill placed to begin with.)

• SOLVED Setting up LDAP server.

  Arch is boring because everything runs too smooth .  So for a challenge, I tried to set up an LDAP server and I can't getting it to work.  I even have a book in front of me!!
  I keep getting this error: ldap_result: Can't contact LDAP server (-1)
  This is my query: ldapsearch -x '(objectclass=*)' -W -D "cn=admin, dc=example, dc=com"
  This is my slapd.conf:
  include /etc/openldap/schema/core.schema
  pidfile /var/run/slapd.pid
  argsfile /var/run/slapd.args
  access to *
  by self write
  by users read
  by anonymous auth
  database bdb
  suffix "dc=exemple,dc=com"
  rootdn "cn=admin,dc=exemple,dc=com"
  rootpw secret
  directory /var/lib/openldap/openldap-data
  index objectClass eq
  And this is my ldap.conf:
  BASE dc=exemple,dc=com
  URI ldap://localhost
  nmap localhost shows : 389/tcp  open  ldap so I guess the server is running
  Can someone give me some hint??
  EDIT:
  hosts.allow damn it.
  slapd:ALL:ALLOW.
  I did not see any mention whatsoever in Mastering OpenLDAP book from Packt Publishing
  Last edited by marxav (2007-09-30 22:46:47)

  That is correct. I was indeed able to use the app server (10g) to give the LDAP user permission to access the objects, then used sql commands to register the objects inside the LDAP.
  However, I am finding NOTHING about actually creating a unique connection factory that can be registered in the LDAP. I find reference to registering Queues/Topics/Factories inside the LDAP, but nothing about actually creating the factories.
  In fact, here
  http://download.oracle.com/docs/cd/B28359_01/server.111/b28420/aq_envir.htm#sthref409
  it's listed that you cannot use sql to create a connectionfactory... not to mention the create java commands for factories look strikingly similar to the queue/topic GET commands, and not the create commands. You can add an alias for that factory using sql, but can't actually create the factory using sql... ???

• Setting up LDAP Server to lookup Connection Factories using JNDI

  Can someone let me know how to setup LDAP server within 10G to lookup connection factories using JNDI?
  I read through the Advanced Queuing User Guide and Reference document where this is mentioned and it says use the Database Configuration Assistant to do this but I could not find how.
  When I install 10G is LDAP server automatically setup? How do I get to it?
  Thanks

  That is correct. I was indeed able to use the app server (10g) to give the LDAP user permission to access the objects, then used sql commands to register the objects inside the LDAP.
  However, I am finding NOTHING about actually creating a unique connection factory that can be registered in the LDAP. I find reference to registering Queues/Topics/Factories inside the LDAP, but nothing about actually creating the factories.
  In fact, here
  http://download.oracle.com/docs/cd/B28359_01/server.111/b28420/aq_envir.htm#sthref409
  it's listed that you cannot use sql to create a connectionfactory... not to mention the create java commands for factories look strikingly similar to the queue/topic GET commands, and not the create commands. You can add an alias for that factory using sql, but can't actually create the factory using sql... ???

• My MacBook Air set up stopped with "Couldn't sign on because of a server error."

  Couldn't sign on because of a server error.

  The warranty entitles you to complimentary phone support for the first 90 days of ownership.
  If you bought the product in the U.S. directly from Apple (not from a reseller), you have 14 days from the date of delivery in which to exchange or return it for a refund. In other countries, the return policy may be different. If you bought from a reseller, its return policy applies.

• Generating Self Signed Certificate for iPlanet Directory Server for testing

  Hi Experts,
  I am unable to find how to generate self signed certificate for iPlanet Directory Server for testing purpose. Actually what i mean is i want to connect to the iPlanet LDAP Server with LDAPS:// rather than LDAP:// for Secured LDAP Authentication. For this purpose How to create a Dummy Certificate to enable iPlanet Directory Server SSL. I searched in google but no help. Please provide me the solution how to test it.
  Thanks in Advance,
  Kalyan

  Here's one I did earlier.
  Refers to Solaris 10
  SSL Security
  add a new certificate that lasts for ten years (120 months).
  stop the instance:
  dsadm stop <instance>
  Remove DS from smf control:
  dsadm disable-service <instance>
  Change Certificate Database Password:
  dsadm set-flags <instance> cert-pwd-prompt=on
       Choose the new certificate database password:
       Confirm the new certificate database password:
  Certificate database password successfully updated.
  Restart the instance from the dscc:
  DSCC -> start <instance>
  Now add a new Certificate which lasts for ten years (120 months; -v 120):
  `cd <instance_path>`
  `certutil -S -d . -P slapd- -s "CN=<FQDN_server_name>" �n testcert �v 120 -t T,, -x`
       Enter Password or Pin for "NSS Certificate DB":
  Stop the Instance.
  On the DSCC Security -> Certificates tab:
       select option to "Do not Prompt for Password"
  Restart the instance.
  On the Security -> General tab, select the new certificate to use for ssl encryption
  Restart the instance
  Stop the instance
  Put DS back into smf control:
  dsadm enable-service <instance>
  Check the smf:
  svcs -a | grep ds
  # svcs -a|grep ds
  disabled Aug_16 svc:/application/sun/ds:default
  online Aug_16 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dscc6-dcc-ads
  online 17:04:28 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dsins1

• Problem instaliing sun one LDAP server on windows server 2008 r2

  Hi all ,
  I am trying to install Ldap server (Sun ONE Directory Server) on windows server 2008
  I am using apache-tomcat-7.0.28 and java jdk1.7.0_05
  I am following this manual for installing :
  https://blogs.oracle.com/marginNotes/entry/installing_directory_server_enterprise_edition1
  I have a problem with the cacao agent and how to install it .
  I've got this error message :
  c:\Program Files\Sun\dsee7\bin>dsccsetup cacao-reg
  Configuring Cacao...
  ## Failed to run "c:/Program Files/Sun/dsee7/ext/cacao_2/bin/cacaoadm.bat" set-
  aram "jdmk-home=c:/Program Files/Sun/dsee7/lib/private"
  #### Cannot create service for instance: [cacao.instance.name].
  #### Cannot perform firstime inialisation and configuration.
  ## Exit code is 1
  Failed to configure Cacao.
  I stuck and with no other solutions . I hope if you could to help with this issue .
  i will glad to know if there is any other ways to install this specific Ldap server ,
  Thanks,
  Alon

  You most likely skipped the step of starting the installed server prior to trying to access admin URL. Please check this document:
  http://docs.sun.com/source/817-1830-10/win.html
  Relevant section is:
  You can start the Administration Server in either of the following ways:
  # Select Start Menu -> Programs -> Sun ONE Web Server, and choose Start Web Server Administration Server.
  # From the Control Panel�s Services item.
  HTH...

• How can portal use two different LDAP Server in UME

  Hi,
  My question is Can UME in portal be configured for multiple LDAP sources.Currently i have a setting in portal
  as follows:
  Server Name : Abcd
  port : 1234
  user : CN=" ",Ou=" ",Ou=" ",Dc=AD,Dc=my company,Dc=com
  password :
  user path : DC=AD,Dc=My company,Dc=Com
  group Path : same as user path
  I want to configure one more LDAP server to my portal UME,how can give values for that in above sttings.I even want these current settings to be enabled.
  Do anyone have idea on this.
  Thanks and Regards
  Rani A

  Hi again ,
  I know it can be done. But how urgent is this for you.
  I can get back to you in couple of days, me lil busy today.
  cheers,
  Anu...

• Can an LDAP server be it's own client?

  In short yes, why would you want to do this? Many reasons, but mine is to be able to use ldap on laptops running Solaris and have them log into the machine with ldap credentials off the network. When we plug them back onto the network, I have a master server send any new data via one-way replication. I will give 2 separate ways to accomplish this. One is, to put it bluntly, a dirty hack to get it working. The second is much more elegant and it's the one I have stressed tested to verify that it works.
  Disclaimer: I have only used these methods on Solaris10 update 3 with Trusted Extensions using directory server 5.2 as well as the administration server. I have used a few different kinds of machines (all x86) and have not had a problem with it. I do not know if it will work on any other version or hardware. I haven't even looked at the source code, all assumptions made here are from observing the systems behavior while making minor changes.
  Now, the reasons why normally you can't be your own client (at least as far as I can tell) is because of the way the system boots and the dependencies that the ldap/client service needs to start up. If you boot a machine that is it's own client and ldap/client runs before the directory server starts, of course it will fail. The system boots the services first, then legacy init scripts. Directory Server 5.2 uses init scripts. Correct me if I am wrong, but that is the only real hurdle in your way.
  So the first way to get it 'working' (dirty hack) is to delay the ldap/client smf service from starting until the directory server is started. After you become a client of yourself (in this case the global zone) disable the ldap/client serrvice.
  svcadm disable ldap/clientThen enable it temporarily with the -t option
  svcadm enable -t ldap/clientWell if you were to reboot now it would not work because the service would not start at boot because it is set to be administratively down. Edit the S72directory script in /etc/rc2.d and after the start commands just add the svcadm enable -t ldap/client command and it will load right after directory server starts. Will this work? Yes, is it a clean way to do it? NO. I used this method just for testing the theory that the only reason I could not be my own client was because of the booting issue.
  Now the best way that I can see to accomplish this is to create your own smf services for the directory server and admin server. That way all you have to do is add a dependency to the ldap/client xml file to wait until the new directory server service is started before it starts. So in /var/svc/manifest/site create a folder called ldap (I put this in site because I didn't want to run into any issues of patching). In /var/svc/manifest/site/ldap/ create two xml files named:
  quick note: These are the first services I have created. There may be a much better way to make them. If you can re-code it better, please let me know so I can look at them. Also there is no restart command in here (actually I just noticed that) so adding one of those would be wise.
  ds_admin.xml and directory_server.xml.
  ds_admin.xml contains<?xml version="1.0"?>
  <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
  <!--
       Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
       Use is subject to license terms.
       ident     "@(#)client.xml     1.4     04/12/09 SMI"
       NOTE:  This service manifest is editable; its contents will not
       be overwritten by package or patch operations, including
       operating system upgrade.
  -->
  <service_bundle type='manifest' name='SUNWdsadmin:dsadmin'>
  <service
       name='site/ldap/ds_admin'
       type='service'
       version='1'>
       <create_default_instance enabled='false' />
       <single_instance />
       <dependency
           name='fs'
           grouping='require_all'
           restart_on='none'
           type='service'>
            <service_fmri value='svc:/system/filesystem/minimal' />
       </dependency>
       <dependency
           name='net'
           grouping='require_all'
           restart_on='none'
           type='service'>
            <service_fmri value='svc:/network/initial' />
       </dependency>
       <exec_method
           type='method'
           name='start'
           exec='/lib/svc/method/ds_admin start'
           timeout_seconds='120' >
            <method_context>
                 <method_credential user='root' group='sys' />
            </method_context>
       </exec_method>
       <exec_method
           type='method'
           name='stop'
           exec='/lib/svc/method/ds_admin stop'
           timeout_seconds='60' >
            <method_context>
                 <method_credential user='root' group='sys' />
            </method_context>
       </exec_method>
       <stability value='Unstable' />
       <template>
            <common_name>
                 <loctext xml:lang='C'>
                 LDAP Admin server      
                 </loctext>
            </common_name>
            <description>
                 <loctext xml:lang='C'>
  LDAP admin server
  Information Service lookups
                 </loctext>
            </description>
       </template>
  </service>
  </service_bundle>and directory_server.xml contains:
  <?xml version="1.0"?>
  <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
  <!--
       Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
       Use is subject to license terms.
       ident     "@(#)client.xml     1.4     04/12/09 SMI"
       NOTE:  This service manifest is editable; its contents will not
       be overwritten by package or patch operations, including
       operating system upgrade.
  -->
  <service_bundle type='manifest' name='SUNWds:ds'>
  <service
       name='site/ldap/directory_server'
       type='service'
       version='1'>
       <create_default_instance enabled='false' />
       <single_instance />
       <dependency
           name='usr'
           grouping='require_all'
           restart_on='none'
           type='service'>
            <service_fmri value='svc:/system/filesystem/minimal' />
       </dependency>
       <dependency
           name='net'
           grouping='require_all'
           restart_on='none'
           type='service'>
            <service_fmri value='svc:/network/initial' />
       </dependency>
    <dependency
              name='ds_admin'
              grouping='require_all'
              restart_on='none'
              type='service'>
                  <service_fmri
                      value='svc:/site/ldap/ds_admin' />
       </dependency>
       <exec_method
           type='method'
           name='start'
           exec='/lib/svc/method/directory_server start'
           timeout_seconds='120' >
            <method_context>
                 <method_credential user='root' group='sys' />
            </method_context>
       </exec_method>
       <exec_method
           type='method'
           name='stop'
           exec='/lib/svc/method/directory_server stop'
           timeout_seconds='60' >
            <method_context>
                 <method_credential user='root' group='sys' />
            </method_context>
       </exec_method>
       <stability value='Unstable' />
       <template>
            <common_name>
                 <loctext xml:lang='C'>
                 LDAP directory server      
                 </loctext>
            </common_name>
            <description>
                 <loctext xml:lang='C'>
  LDAP directory server
  Information Service lookups
                 </loctext>
            </description>
       </template>
  </service>
  </service_bundle>Now the start/stop scripts will be located in /lib/svc/method and are as followed:
  ds_admin
  #!/sbin/sh
  case "$1" in
       start)
            /usr/sbin/directoryserver start-admin
       stop)
            /usr/sbin/directoryserver stop-admin
            echo "Usage: $0 { start | stop }"
            exit 1
  esac
  exit 0simple yes.
  directory_server
  #!/sbin/sh
  HOST_NAME=`hostname`
  SERVER_ROOT=/var/opt/mps/serverroot
  DIRECTORY_SERVER_INSTANCE=slapd-${HOST_NAME}
  case "$1" in
       start)
            ${SERVER_ROOT}/${DIRECTORY_SERVER_INSTANCE}/start-slapd
       stop)
            ${SERVER_ROOT}/${DIRECTORY_SERVER_INSTANCE}/stop-slapd
            echo "Usage: $0 { start | stop }"
            exit 1
  esac
  exit 0The only thing left to do is modify the ldap/client smf file to wait until the directory server starts before it loads.
  So edit /var/svc/manifest/network/ldap/client.xml and right before the dependency for for /var/ldap/ldap_client_file add this
  <dependency
              name='directory_server'
              grouping='require_all'
              restart_on='none'
              type='service'>
                  <service_fmri
                          value='svc:/site/ldap/directory_server' />
          </dependency>
  Any changes made to the /ldap/client xml file must be made after ALL zones have been installed. If this file is copied to a zone it will never work as the directory_server service is not loaded in the zones.
  Now what? You must remove the legacy init scripts in /etc/rc2.d. Those would be S72directory and S73mpsadm. No need to keep them around, alternatively, you can just change the capital 'S' to lower case and they want start.
  You can now either use svccfg to validate and import the new services or you can reboot. Typically, I reboot and use the '-m verbose' option on boot to watch the services for any errors. I haven't had any lately but on different systems I always watch to see if it behaves different.
  That's it. I have rebooted all the machines many, many times without error. This of course does not address loading the directory server or adding users, tnrhdb file, etc... We have scripted most of loading out and once we get some error correction coded in I will post them.
  Also, if you find any errors or even a better way to accomplish this, please post it.

  This restriction is only in terms of implementing the Solaris support for LDAP as a naming service. If the Solaris OS is configured to use LDAP as a naming service, it can't use a LDAP server running on the same host.
  The reason is that the LDAP server makes naming service calls before it gets fully started up. If the OS wants to use the LDAP server for the naming service, then a deadlock happens, where the LDAP server's gethostbyname() call can't complete because the LDAP server isn't up.
  It is possible to configure the Solaris naming resolution to avoid this problem. I've got a system set up this way myself. Regardless, the official support channels won't support a system set up this way, so if you do this you do it at your own risk.

• "untrusted server cert chain" exception while connecting LDAP server

  While connecting to LDAP server using JNDI over JSSE ..This is happening when trying to get the initial context
  using
  InitialDirContext initContext = new InitialDirContext(env);
  where env is a hash table set with the default parametes.The certificate used for is a Novell CA certificate converted to X509 format and the key store is initialized with this

  This got resolved when in the code the following
  System.setProperty("javax.net.ssl.tmrustStore", CertFileName);
  where cert file name is the filename with complete path.the file is a CA certificate of the LDAP server
  in X509 format

• Unable to Retrieve Attributes from LDAP Server

  I have a problem. I was wondering if anyone can assist me. I am new to LDAP servers and JNDI. I cannot retrieve any attributes from the users listed in my data entry. Any assistance would be greatly appreciated! Thanks.
  I created an entry in the LDAP server that looks like this:
  �o=somedn�
  |
  �ou=people, o=somedn�
  The �ou=people, o=somedn� entry contains fictitious users. The LDAP server is connected to a MySQL database. When I write Java code to read the attributes of a given user whose fullname (cn) is �Vinny Luigi�, as listed in the database, I receive an error that starts with the following:
  javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'cn=Vinny Luigi,ou=people'
  The code I used is based on the Sun JNDI tutorial. Sun�s code is at http://java.sun.com/products/jndi/tutorial/basics/directory/src/GetattrsAll.java. My version of the code is below:
  * @(#)GetattrsAll.java     1.5 00/04/28
  * Copyright 1997, 1998, 1999 Sun Microsystems, Inc. All Rights
  * Reserved.
  * Sun grants you ("Licensee") a non-exclusive, royalty free,
  * license to use, modify and redistribute this software in source and
  * binary code form, provided that i) this copyright notice and license
  * appear on all copies of the software; and ii) Licensee does not
  * utilize the software in a manner which is disparaging to Sun.
  * This software is provided "AS IS," without a warranty of any
  * kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
  * WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
  * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
  * HEREBY EXCLUDED. SUN AND ITS LICENSORS SHALL NOT BE LIABLE
  * FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING,
  * MODIFYING OR DISTRIBUTING THE SOFTWARE OR ITS DERIVATIVES. IN
  * NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST
  * REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL,
  * CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER
  * CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT
  * OF THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS
  * BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
  * This software is not designed or intended for use in on-line
  * control of aircraft, air traffic, aircraft navigation or aircraft
  * communications; or in the design, construction, operation or
  * maintenance of any nuclear facility. Licensee represents and warrants
  * that it will not use or redistribute the Software for such purposes.
  import javax.naming.*;
  import javax.naming.directory.*;
  import java.util.Hashtable;
  * Demonstrates how to retrieve all attributes of a named object.
  * usage: java GetattrsAll
  class GetattrsAll
       static void printAttrs(Attributes attrs)
            if (attrs == null)
                 System.out.println("No attributes");
            else
                 /* Print each attribute */
                 try
                      for (NamingEnumeration ae = attrs.getAll(); ae.hasMore();)
                           Attribute attr = (Attribute) ae.next();
                           System.out.println("attribute: " + attr.getID());
                           /* print each value */
                           for (NamingEnumeration e = attr.getAll(); e.hasMore(); System.out.println("value: " + e.next()) )
                 } catch (NamingException e) {
                      e.printStackTrace();
       public static void main(String[] args) {
            // Set up the environment for creating the initial context
            Hashtable env = new Hashtable(100);
            env.put(Context.INITIAL_CONTEXT_FACTORY,
                      "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://localhost:10389/o=somedn");
            try {
                 // Create the initial context
                 DirContext ctx = new InitialDirContext(env);
                 // Get all the attributes of named object
                 System.out.println("About to use ctx.getAttributes()");
                 Attributes answer = ctx.getAttributes("cn=Vinny Luigi,ou=people");
                 // Print the answer
                 printAttrs(answer);
                 // Close the context when we're done
                 ctx.close();
            } catch (Exception e) {
                 e.printStackTrace();
  The primary key of the database is id_pk. Below is a copy of the mapping.xml file which maps the LDAP server entry to the database:
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE mapping PUBLIC "-//Penrose/DTD Mapping 1.2//EN" "http://penrose.safehaus.org/dtd/mapping.dtd">
  <mapping>
  <entry dn="o=somedn">
  <oc>organization</oc>
  <oc>top</oc>
  <at name="o" rdn="true">
  <constant>somedn</constant>
  </at>
  <aci>
  <permission>rs</permission>
  </aci>
  </entry>
  <entry dn="ou=people,o=somedn">
  <oc>inetOrgPerson</oc>
  <oc>organizationalPerson</oc>
  <oc>organizationalUnit</oc>
  <oc>person</oc>
  <oc>top</oc>
  <at name="cn">
  <constant>"fullname"</constant>
  </at>
  <at name="ou" rdn="true">
  <constant>people</constant>
  </at>
  <at name="sn">
  <constant>"lastname"</constant>
  </at>
  </entry>
  <entry dn="id_pk=...,ou=people,o=somedn">
  <oc>inetOrgPerson</oc>
  <oc>organizationalPerson</oc>
  <oc>person</oc>
  <oc>top</oc>
  <at name="Position_">
  <variable>usertable9.Position_</variable>
  </at>
  <at name="id_pk" rdn="true">
  <variable>usertable9.id_pk</variable>
  </at>
  <at name="fullname">
  <variable>usertable9.fullname</variable>
  </at>
  <at name="lastname">
  <variable>usertable9.lastname</variable>
  </at>
  <at name="cn">
  <variable>usertable9.fullname</variable>
  </at>
  <at name="sn">
  <variable>usertable9.lastname</variable>
  </at>
  <source name="usertable9">
  <source-name>usertable9</source-name>
  <field name="Position_">
  <variable>Position_</variable>
  </field>
  <field name="id_pk">
  <variable>id_pk</variable>
  </field>
  <field name="fullname">
  <variable>cn</variable>
  </field>
  <field name="lastname">
  <variable>sn</variable>
  </field>
  </source>
  </entry>
  </mapping>
  Thanks.

  The complete name (Distinguished Name) of the user you're searching is 'cn=Vinny Luigi,ou=people,o=somedn'.
  Regards,
  Ludovic.

• Call to ldap server fails ORA-06521: PL/SQL: Error mapping function

  I am getting this error(s)
  ORA-06521: PL/SQL: Error mapping function
  ORA-06512: at "SYS.DBMS_LDAP_API_FFI", line 0
  ORA-06512: at "SYS.DBMS_LDAP", line 1338
  ORA-06512: at "SYS.DBMS_LDAP", line 1273
  ORA-06512: at "SYS.DBMS_LDAP", line 529
  ORA-06512: at line 127
  after binding and searching an ldap directory.
  Line 127 is:
  my_dn := DBMS_LDAP.get_dn(my_session, my_entry);
  Both of the 'my_xx' parameters have been successfully set earlier in the script I believe as they produce no errors and DBMS_LDAP.count_entries(my_session, my_message) returns = 1.
  I am following the example at:
  http://download-west.oracle.com/docs/cd/B10501_01/network.920/a96577/smplcode.htm#636994
  In fact any of the functions used in the 'while loop' in the above example give a similar error.
  Apparently SYS.DBMS_LDAP_API_FFI is a call to an external C program, but this would be a standard Oracle one, not one I have written.
  I am connecting to a non-Oracle ldap server, and have tried several (OpenLDAP 2.X, & Windows 2000 AD), with same results.
  Any suggestions gratefully received.
  Cheers
  KIM

  Fixed by running the catldap.sql script (ORACLE_HOME/rdbms/admin/catldap.sql) as SYS user and recreated the dbms_ldap packages. I am not sure why some of the functions worked OK and others did not.
  KIM