Adding Another LDAP Search Attribute

Hi,
Can you please point me to any document for adding another ldap search attribute apart from uid.
Regards,
Edited by: IDM1312 on Jun 9, 2008 4:28 PM

Yes, here is what happens when your user tries to log in:
They enter some username & password. The username can be any attribute you wish it to be (email, UID, cn, etc.). The actual authentication is not done using the value the user enters. This is because you need to authenticate with the user's DN. To get the DN, Access Manager does a lookup on the directory server to see if what the user entered exists in any of the attributes in the search alias list. If the search is successful, it returns the user's DN. Access Manager then uses the DN and password to authenticate the user.
So, if you expect your users to enter their email address, you will want your email attribute in this list. You can have multiple values in the list, if for example you want to allow users to enter uid OR email address. I would be careful about allowing this flexibility if you are in a large organization because this will bring increased overhead to both AM & DS.
Also, be sure that whatever attribute you use is indexed!!
I hope this helps,
Eric
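The two-phase flow Eric describes (resolve what the user typed to a DN via the search alias list, then bind with that DN) is modelled below in Python as an added example; it is not Access Manager's code, and the directory, DNs, attribute names and passwords are constructed. It also shows the two checks a lookup-then-bind implementation needs that the explanation only implies: the typed value must be escaped per RFC 4515 before it goes into the filter (so a `*` is matched literally rather than as a wildcard), and the lookup must resolve to exactly one DN, since binding on an ambiguous result would let one login name unlock a different entry.

```python
# Escaping table from RFC 4515 section 3: these characters must be hex-escaped
# when a value is embedded in a search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a user-supplied value for safe embedding in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_alias_filter(search_aliases, login_name):
    """One equality test per attribute in the search alias list, OR-ed together.
    A single alias gives a plain equality filter; several give (|(a=v)(b=v))."""
    escaped = escape_filter_value(login_name)
    terms = "".join(f"({attr}={escaped})" for attr in search_aliases)
    return terms if len(search_aliases) == 1 else f"(|{terms})"


# Constructed sample directory. Passwords are plaintext only to keep the toy
# self-contained; a real server stores a hash and checks it during the bind.
# The two "jane" entries deliberately share a mail value to show the ambiguity case.
SAMPLE_DIRECTORY = [
    {"dn": "uid=jdoe,ou=people,dc=example,dc=com",
     "uid": "jdoe", "mail": "jane.doe@example.com", "userPassword": "s3cret"},
    {"dn": "uid=jdoe2,ou=people,dc=example,dc=com",
     "uid": "jdoe2", "mail": "jane.doe@example.com", "userPassword": "other"},
    {"dn": "uid=bsmith,ou=people,dc=example,dc=com",
     "uid": "bsmith", "mail": "bob.smith@example.com", "userPassword": "hunter2"},
]


def lookup_dn(directory, search_aliases, login_name):
    """Phase 1: resolve what the user typed to exactly one DN.
    Returns None when zero or more than one entry matches."""
    wanted = login_name.lower()
    matches = {
        entry["dn"]
        for entry in directory
        for attr in search_aliases
        if str(entry.get(attr, "")).lower() == wanted
    }
    return matches.pop() if len(matches) == 1 else None


def authenticate(directory, search_aliases, login_name, password):
    """Phase 2: bind with the resolved DN, never with the typed name.
    Returns the DN on success, None on any failure."""
    dn = lookup_dn(directory, search_aliases, login_name)
    if dn is None:
        return None
    entry = next(e for e in directory if e["dn"] == dn)
    # Stand-in for the LDAP simple bind against the directory server.
    return dn if entry["userPassword"] == password else None


if __name__ == "__main__":
    print(build_alias_filter(["uid", "mail"], "j*"))
    print(authenticate(SAMPLE_DIRECTORY, ["uid", "mail"], "bsmith", "hunter2"))
```

Eric's point about overhead follows from `build_alias_filter`: every alias adds one equality term to the filter, and each term is only cheap if that attribute is indexed.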

Similar Messages

  • Changing LDAP "Search Attribute"

    Hello:
    I am authenticating against LDAP as such:
    Hashtable authEnv = new Hashtable();
    String dn =
    "CN=" + userAuth.getFirstName() + " " + userAuth.getLastName() +
    ",OU=zzzzzzzz,DC=yyyyy,DC=xxx";
    authEnv.put(Context.INITIAL_CONTEXT_FACTORY,
    "com.sun.jndi.ldap.LdapCtxFactory");
    authEnv.put(Context.PROVIDER_URL, "ldap://999.999.199.999:389");
    authEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
    authEnv.put(Context.SECURITY_PRINCIPAL, dn);
    authEnv.put(Context.SECURITY_CREDENTIALS, password);
    I am using the user's first and last name to authenticate. Now, I want to use their login id to authenticate. I was told "to change the Search Attribute from 'uid' to 'sAMAccountName'". I don't know what this refers to. Does anybody have any ideas?
    Thanks
    Eric

    A call to Apple support helped solve this problem, especially to deal with a typo in the Apple Snow Leopard Server documentation:
    1. Export all of your users, groups, etc. to files. Passwords will be reset but everything else will work.
    2. In OD, change the server to be "stand alone" (basically turning off OD).
    3. From the command line run the following command, noting that you literally put the string "HostName" in the position specified, not the old host name specified in the documentation:
    sudo scutil --set HostName <fully qualified domain name>
    4. Reboot
    5. Restart Server Admin and recreate the OD master using the fully qualified name.
    6. Go to Keychain and look for the entries for system -> com.apple.opendirectory. One should point to your server and one should be blank. Delete the blank entry.
    Done!

  • LDAP search attribute result "cn=Klaus", I only want "Klaus"

    Hello,
    Of course I could remove positions 0-2 from the String "cn=Klaus" to get a substring like "Klaus", but I don't want to use an extra "for loop" if there is another possibility to get a clean output like "Klaus".
    Does someone know an LDAP method to get ONLY the pure value of the cn attribute?

    A picture says more than 1000 words ;-)
    http://666kb.com/i/aq0uxeznt366h8z2b.jpg
    Check out both my JLists filled with the returned attribute "cn".
    The full string always has the "cn:" included, which I have to remove with the following code:
    String realCN = attrb.toString().substring(4);
    Well, this line of code doesn't matter much, but it's additional work :D
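The two strings in this thread are different formats: "cn=Klaus" is an RDN (what JNDI's SearchResult.getName() returns), and "cn: Klaus" is the Attribute.toString() rendering. Neither is safely handled by a fixed-offset substring, because RDN values can carry RFC 4514 escapes ("cn=Doe\, John") and attribute names vary in length. The Python below is an added example, not code from the thread: a small RFC 4514 RDN/DN parser plus a splitter for the "type: value" rendering. All input strings are constructed.

```python
import re

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
_HEX_STRING = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def _split_unescaped(text, sep):
    """Split on `sep` but not on a backslash-escaped `sep`."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep escape pairs intact for the decoder
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def decode_dn_value(raw):
    """Undo RFC 4514 escaping in an attribute value: '\\,' and '\\2c' both
    become ','. A leading '#' introduces the hex (BER) form; this toy decodes
    it as UTF-8, which is right only for simple string values."""
    if raw.startswith("#") and _HEX_STRING.fullmatch(raw[1:]):
        return bytes.fromhex(raw[1:]).decode("utf-8")
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and _HEX_PAIR.fullmatch(pair):
                out.append(int(pair, 16))       # \2c style: one byte
                i += 3
            else:
                out += raw[i + 1].encode("utf-8")  # \, style: literal char
                i += 2
            continue
        out += raw[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def parse_rdn(rdn):
    """'cn=Klaus' -> {'cn': 'Klaus'}; multi-valued RDNs ('cn=X+sn=Y') give several keys."""
    result = {}
    for ava in _split_unescaped(rdn, "+"):
        if "=" not in ava:
            raise ValueError(f"not an attributeTypeAndValue: {ava!r}")
        attr_type, raw_value = ava.split("=", 1)
        result[attr_type.strip().lower()] = decode_dn_value(raw_value)
    return result


def parse_dn(dn):
    """Whole DN -> list of RDN dicts, leftmost (most specific) first."""
    return [parse_rdn(rdn) for rdn in _split_unescaped(dn, ",")]


def attribute_value(rendered):
    """Value part of JNDI's Attribute.toString() output such as 'cn: Klaus'.
    Splitting on ': ' instead of substring(4) also works for longer attribute
    names such as 'telephoneNumber: +49 ...'."""
    attr_type, sep, value = rendered.partition(": ")
    if not sep:
        raise ValueError(f"not in 'type: value' form: {rendered!r}")
    return value


if __name__ == "__main__":
    print(parse_rdn("cn=Klaus"))
    print(parse_dn("cn=Doe\\, John,ou=People,dc=example,dc=com"))
    print(attribute_value("cn: Klaus"))
```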

  • Is it possible to change the LDAP search attribute telephonenumber to another one

    Hello, I have a directory that holds the users phones number in an alternate ldap attribute "numeroCourt".
    The default Directory search asp files are displaying the content of the telephonenumber attribute in the LDAP Directory.
    What do I need to edit to change "telephonenumber" with "numeroCourt"?
    Thanks in advance.

    Since telephone number is not populated the logical thing for the CorpDir application to do would be to see that the
    "ciscoatUserProfileString" has a value and go retrieve the extension information from there.
    http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080094493.shtml

  • Using LDAP to search attribute bit flags using attribute OID values

    Hello everyone,
    My question stems from trying to understand the OID and syntax behind this classic LDAP search to find disabled users:
    "(useraccountcontrol:1.2.840.113556.1.4.803:=2)"
    What I am interested in is the value 1.2.840.113556.1.4.803, specifically how it differentiates from the value 1.2.840.113556.1.4.8, which is the OID of the useraccountcontrol attribute:
    http://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx
    Now, this website below says that the 03 and 04 are designators of the AND and OR operations, respectively, and are added on to the end of the OID:
    https://www.appliedtrust.com/blog/2011/04/keeping-your-active-directory-pantry-order
    However, using this logic, I can't get these 03 and 04 operators to work with other attribute OIDs that use flags as values, such as the "searchflags" attribute, e.g. an LDAP search of "(searchflags:=1.2.840.113556.1.2.33404:=0)
    returns nothing, using the OR (04) operation at the end of the "searchflags" OID of 1.2.840.113556.1.2.334.
    So back to my original question, for the useraccountcontrol OID of 1.2.840.113556.1.4.8, is this OID at all related to the bitwise AND extensible match of 1.2.840.113556.1.4.803 (like just adding a 03 to designate an AND operation), or is this extensible match value of 1.2.840.113556.1.4.803 completely separate from the useraccountcontrol OID of 1.2.840.113556.1.4.8?
    If I have my terms mixed up, please feel free to correct me on what the proper terms are.
    Thanks!

    Hmm yeah, I posted that link above in my OP as well, and I was hoping that the OID values of these bitwise filters were somehow related to the shorter OID of the "useraccountcontrol" attribute, but it looks like it's just a coincidence.
    So I wonder if the "useraccountcontrol" section of this article from my OP is a little misleading when it says:
    To make a comparison, we either need to use the LDAP_MATCHING_RULE_BIT_AND rule (1.2.840.113556.1.4.803), or the LDAP_MATCHING_RULE_BIT_OR rule (1.2.840.113556.1.4.804) for our attribute OID (the AND rule adds a 03 suffix to denote the AND operation, and the OR rule adds a 04 suffix).
    Following this logic, I should be able to use the "03" and "04" in other bitwise operations with different OIDs to search "AND" or "OR", but as I pointed out in my OP above, I can't seem to make this work by adding the "03" and "04" onto the end of other OIDs. So I will go with Christoffer that these bitwise OIDs (1.2.840.113556.1.4.803 and 1.2.840.113556.1.4.804) are unique in themselves, and the fact that they are 2 characters away from the OID of the "useraccountcontrol" attribute (1.2.840.113556.1.4.8) is just coincidence.
    This does seem strange however, and it seems like there should be some correlation here....
    If anyone has any more info, I would love to hear it!

  • Powershell script assistance - adding another property to existing script

    This is not my script but was written by Richard L. Mueller. It works perfectly for us but I would like to know if the account is enabled or disabled when the output is created. Basically it would output the name, lastlogon and then either enabled or disabled.
    I've attempted to add a new property by adding another " $Searcher.PropertiesToLoad.Add" and "$Result.Properties.Item ".
    It works fine if I add something like "givenName" but I can't find the property name to show if the account is enabled or disabled.
    The entire script is shown below:
    # PSLastLogon.ps1
    # PowerShell script to determine when each user in the domain last
    # logged on.
    # Copyright (c) 2011 Richard L. Mueller
    # Hilltop Lab web site - http://www.rlmueller.net
    # Version 1.0 - March 16, 2011
    # This program queries every Domain Controller in the domain to find the
    # largest (latest) value of the lastLogon attribute for each user. The
    # last logon dates for each user are converted into local time. The
    # times are adjusted for daylight savings time, as presently configured.
    # You have a royalty-free right to use, modify, reproduce, and
    # distribute this script file in any way you find useful, provided that
    # you agree that the copyright owner above has no warranty, obligations,
    # or liability for such use.
    Trap {"Error: $_"; Break;}
    $D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $Domain = [ADSI]"LDAP://$D"
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher
    $Searcher.PageSize = 200
    $Searcher.SearchScope = "subtree"
    $Searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
    $Searcher.PropertiesToLoad.Add("distinguishedName") > $Null
    $Searcher.PropertiesToLoad.Add("lastLogon") > $Null
    # Create hash table of users and their last logon dates.
    $arrUsers = @{}
    # Enumerate all Domain Controllers.
    ForEach ($DC In $D.DomainControllers)
    {
        $Server = $DC.Name
        $Searcher.SearchRoot = "LDAP://$Server/" + $Domain.distinguishedName
        $Results = $Searcher.FindAll()
        ForEach ($Result In $Results)
        {
            $DN = $Result.Properties.Item("distinguishedName")
            $LL = $Result.Properties.Item("lastLogon")
            If ($LL.Count -eq 0)
            {
                $Last = [DateTime]0
            }
            Else
            {
                $Last = [DateTime]$LL.Item(0)
            }
            If ($Last -eq 0)
            {
                $LastLogon = $Last.AddYears(1600)
            }
            Else
            {
                $LastLogon = $Last.AddYears(1600).ToLocalTime()
            }
            If ($arrUsers.ContainsKey("$DN"))
            {
                If ($LastLogon -gt $arrUsers["$DN"])
                {
                    $arrUsers["$DN"] = $LastLogon
                }
            }
            Else
            {
                $arrUsers.Add("$DN", $LastLogon)
            }
        }
    }
    # Output latest last logon date for each user.
    $Users = $arrUsers.Keys
    ForEach ($DN In $Users)
    {
        $Date = $arrUsers["$DN"]
        "$DN;$Date"
    }

    It is part of the userAccountControl attribute. Retrieve that attribute for each user and test if the ADS_UF_ACCOUNTDISABLE bit (2) is set.
    -- Bill Stewart [Bill_Stewart]
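What the script above does with lastLogon, and what Bill Stewart's answer adds, is shown below as an added Python example (not the script's code and not Bill's): lastLogon is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC, which is why the script adds 1600 years to a .NET DateTime), it is not replicated between domain controllers so the largest value per user wins, and "enabled or disabled" is the ADS_UF_ACCOUNTDISABLE bit (value 2) of userAccountControl. The per-DC results, DNs and timestamps are constructed; the FILETIME value for 1970-01-01 used in the check is the well-known constant 116444736000000000.

```python
from datetime import datetime, timedelta, timezone

ADS_UF_ACCOUNTDISABLE = 0x2                      # bit 2 of userAccountControl
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME -> aware UTC datetime. 0 means 'never logged on at this DC';
    return None for that sentinel instead of 1601-01-01."""
    if filetime == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when):
    """Inverse conversion; used here only to build the sample data."""
    return ((when - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_disabled(user_account_control):
    """Bill Stewart's test: the ADS_UF_ACCOUNTDISABLE bit is set."""
    return bool(int(user_account_control) & ADS_UF_ACCOUNTDISABLE)


def merge_last_logon(per_dc_results):
    """lastLogon is not replicated, so keep the largest value seen on any DC
    (the same rule as the script's ContainsKey / -gt block)."""
    latest = {}
    for entries in per_dc_results.values():
        for entry in entries:
            dn = entry["distinguishedName"]
            if dn not in latest or entry["lastLogon"] > latest[dn]["lastLogon"]:
                latest[dn] = entry
    return latest


def last_logon_report(per_dc_results):
    """One row per user: DN, latest logon as ISO 8601 UTC (or 'never'), status."""
    rows = []
    for dn, entry in sorted(merge_last_logon(per_dc_results).items()):
        when = filetime_to_datetime(entry["lastLogon"])
        status = "disabled" if is_disabled(entry["userAccountControl"]) else "enabled"
        rows.append((dn, when.isoformat() if when else "never", status))
    return rows


# Constructed sample: the same two users as returned by two domain controllers.
# Jane has a newer lastLogon on dc2; Bob never logged on and has uac 514 (512 | 2).
SAMPLE_DC_RESULTS = {
    "dc1.example.com": [
        {"distinguishedName": "CN=Jane Doe,OU=Users,DC=example,DC=com",
         "lastLogon": datetime_to_filetime(_EPOCH_1970 + timedelta(days=1)),
         "userAccountControl": 512},
        {"distinguishedName": "CN=Bob Smith,OU=Users,DC=example,DC=com",
         "lastLogon": 0, "userAccountControl": 514},
    ],
    "dc2.example.com": [
        {"distinguishedName": "CN=Jane Doe,OU=Users,DC=example,DC=com",
         "lastLogon": datetime_to_filetime(_EPOCH_1970 + timedelta(days=2)),
         "userAccountControl": 512},
        {"distinguishedName": "CN=Bob Smith,OU=Users,DC=example,DC=com",
         "lastLogon": 0, "userAccountControl": 514},
    ],
}

if __name__ == "__main__":
    for row in last_logon_report(SAMPLE_DC_RESULTS):
        print(";".join(row))
```

To get the flag into the PowerShell script itself, the attribute name to add to PropertiesToLoad is userAccountControl, and the test is the same bitwise AND against 2.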

  • Open Directory, third party LDAP search path problem on Snow Leopard

    Happy new year folks,
    I ran into an interesting problem this past week in regards to a third party LDAP directory in the Search path (which used to work on previous versions). The issue brings the server to its knees eventually. I'm still digging through the logs, but here's the general breakdown...
    1. Add third-party LDAP to the OD node list. This has always worked on previous versions, and appears to still work at the most basic level. I can navigate the node with DSCL, read records, etc.
    2. Add third-party LDAP to the OD search path.
    3. Wait a few minutes....
    4. The server begins to slow down. Apache, SSH, ServerAdmin service stop responding. I'm able to run "top" briefly, which shows an increase of threads.
    5. Restart the server and quickly remove the directory from the OD search path
    6. Server goes back to being rock solid with very nice response times for Apache, SSH, ServerAdmin, etc.
    If anyone has any debugging suggestions, or has seen this before, let me know.
    Jaime
    --- Below is some console output leading up to the chaos. Before adding to search path, everything looks good --------------------
    bash-3.2# dscl
    Entering interactive mode... (type "help" for commands)
    read /LDAPv3/ldap.itd.umich.edu/Users/jaimelm cn
    dsAttrTypeNative:cn:
    Jaime Magiera
    Jaime L Magiera 1
    Jaime L Magiera
    --- Add to Search Path, which hangs ------------------------------------------------------------------------------
    bash-3.2# dscl /Search -append / CSPSearchPath /LDAPv3/ldap.itd.umich.edu
    --- DSCL in debug mode contains the following ----------------------------------------------
    2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Client: ipfw, PID: 1097, API: libinfo, Server Used : libinfomig DAR : Procedure = getprotobynumber (13) : Result code = 0
    2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Client: sso_util, PID: 1103, API: dsFindDirNodes(), Server Used : DAR : 1 : Dir Ref = 16779669 : Requested nodename = /Search
    2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Plug-in call "dsDoPlugInCustomCall()" failed with error = -14292.
    2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Port: 27151 Call: dsDoPlugInCustomCall() == -14292
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 1 : Dir Ref = 16779707 : Requested nodename = /LDAPv3/ldap.itd.umich.edu
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 2 : Dir Ref = 16779707 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16779707
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16779707 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAC : Dir Ref 16779707 : Data buffer size = 128
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 1 : Dir Ref = 16779707 : Requested nodename = ConfigNode
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 2 : Dir Ref = 16779707 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: Requesting dsOpenDirNode with PID = 1114, UID = 0, and EUID = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsOpenDirNode(), Configure Used : DAC : Dir Ref = 16779707 : Node Name = /Configure
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsOpenDirNode(), Configure Used : DAR : Dir Ref = 16779707 : Node Ref = 33556926 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16779707
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16779707 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Configure Used : DAC : Node Ref = 33556926 : Requested Attrs = dsAttrTypeStandard:OperatingSystemVersion : Attr Type Only Flag = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Configure Used : DAR : Node Ref = 33556926 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Search Used : DAC : Node Ref = 33556924 : Requested Attrs = dsAttrTypeStandard:LSPSearchPath : Attr Type Only Flag = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Search Used : DAR : Node Ref = 33556924 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsDoPlugInCustomCall(), Search Used : DAC : Node Ref = 33556924 : Request Code = 444
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Checking for Search Node XML config file:
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - /Library/Preferences/DirectoryService/SearchNodeConfig.plist
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Have written the Search Node XML config file:
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - /Library/Preferences/DirectoryService/SearchNodeConfigBackup.plist
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Setting search policy to Custom search
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - CSearchPlugin::SwitchSearchPolicy: switch - reachability of node </LDAPv3/127.0.0.1> retained as <true>
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - CSearchPlugin::CheckNodes: checking network node reachability on search policy 0x0000000000002201
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - CCachePlugin::EmptyCacheEntryType - Request to empty all types - Flushing the cache
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Client: Requesting dsOpenDirNode with PID = 0, UID = 0, and EUID = 0
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsOpenDirNode(), LDAPv3 Used : DAC : Dir Ref = 16777216 : Node Name = /LDAPv3/127.0.0.1
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsOpenDirNode(), LDAPv3 Used : DAR : Dir Ref = 16777216 : Node Ref = 33556929 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - CSearchPlugin::CheckNodes: calling dsOpenDirNode succeeded on node </LDAPv3/127.0.0.1>
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsCloseDirNode(), LDAPv3 Used : DAC : Node Ref = 33556929
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsCloseDirNode(), LDAPv3 Used : DAR : Node Ref = 33556929 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x0000000103181000] - mbr_mig - dsFlushMembershipCache - force cache flush (internally initiated)
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Client: Requesting dsOpenDirNode with PID = 0, UID = 0, and EUID = 0
    2010-01-01 19:26:36 EST - T[0x0000000103181000] - Membership - dsNodeStateChangeOccurred - flagging all entries as expired
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsOpenDirNode(), LDAPv3 Used : DAC : Dir Ref = 16777216 : Node Name = /LDAPv3/ldap.itd.umich.edu
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - CLDAPNodeConfig::InternalEstablishConnection - Node ldap.itd.umich.edu - Connection requested for read
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - CLDAPNodeConfig::FindSuitableReplica - Node ldap.itd.umich.edu - Attempting Replica connect to 141.211.93.133 for read
    2010-01-01 19:26:36 EST - T[0x0000000102481000] - CCachePlugin::SearchPolicyChange - search policy change notification, looking for NIS
    2010-01-01 19:26:36 EST - T[0x0000000102481000] - Internal Dispatch, API: dsGetDirNodeInfo(), Search Used : DAC : Node Ref = 33554436 : Requested Attrs = dsAttrTypeStandard:SearchPath : Attr Type Only Flag = 0
    ------- From another screen, I do "id jaimelm", which hangs ------------------------------------------------------------------------
    : Requested Rec Names = jaimelm : Rec Name Pattern Match:8449 = eDSiExact : Requested Rec Types = dsRecTypeStandard:Users
    2010-01-01 19:36:55 EST - T[0x00000001082A2000] - Internal Dispatch, API: dsGetRecordList(), Search Used : DAC : 2 : Node Ref = 33554436 : Requested Attrs = dsAttrTypeStandard:AppleMetaNodeLocation;dsAttrTypeStandard:RecordName;dsAttrTypeStandard:Password;dsAttrTypeStandard:UniqueID;dsAttrTypeStandard:GeneratedUID;dsAttrTypeStandard:PrimaryGroupID;dsAttrTypeStandard:NFSHomeDirectory;dsAttrTypeStandard:UserShell;dsAttrTypeStandard:RealName;dsAttrTypeStandard:Keywords : Attr Type Only Flag = 0 : Record Count Limit = 1 : Continue Data = 0
    2010-01-01 19:37:03 EST - T[0x0000000108325000] - Client: httpd, PID: 157, API: mbr_syscall, Server Used : process kauth result 0x0000000102022B30
    2010-01-01 19:37:03 EST - T[0x00000001083A8000] - Client: httpd, PID: 151, API: mbr_syscall, Server Used : process kauth result 0x0000000102022C50
    2010-01-01 19:37:05 EST - T[0x000000010842B000] - Client: httpd, PID: 203, API: mbr_syscall, Server Used : process kauth result 0x0000000102022D70
    2010-01-01 19:37:15 EST - T[0x00000001084AE000] - Client: httpd, PID: 994, API: mbr_syscall, Server Used : process kauth result 0x0000000102023890
    2010-01-01 19:37:26 EST - T[0x0000000108531000] - Client: httpd, PID: 198, API: mbr_syscall, Server Used : process kauth result 0x0000000102023980
    2010-01-01 19:37:31 EST - T[0x00000001085B4000] - Client: httpd, PID: 161, API: mbr_syscall, Server Used : process kauth result 0x0000000~

    Hi
    I'm in agreement with harry here, but what I'm struggling to understand is why you are seeing this as a problem? I'm also struggling to see this as being a possibility in a single-server environment, if I understand your post correctly.
    Promotion to OD Master with all that entails absolutely rests on a properly configured and tested internal DNS Service. The Kerberos Realm's foundation (and with that the ability of the server to perform its function as KDC and offer LDAP services) entirely depends on what is configured in the DNS Service. This will include the server name, domain name and TLD. The Kerberos Realm automatically configures itself using that information. Likewise the search base.
    It's more than possible to change the Realm name and with it the LDAP search base (in certain circumstances) and have an OD Master; however, Kerberos won't start, and it won't need to, as the KDC will be elsewhere. You generally see this when augmenting Windows AD with MCX. In that situation the Realm name and search base will reflect what is set on the Active Directory. Client computers will use what is set there for contact and authentication information before looking at the OD Master for anything else.
    Does this help? Tony

  • Ldap search query takes more than 10 seconds

    LDAP query takes more than 10 seconds to execute.
    For validating the configured policy, Access Manager (Sun Java System Access Manager) contacts the LDAP server (Sun Java System Directory Server 6.2) to get the users in a dynamic group. The timeout value configured in Access Manager for LDAP searches is 10 seconds.
    Issue: the LDAP query at times takes more than 10 seconds to execute.
    The query executes in less than 10 seconds in most cases, but takes more than 10 seconds in some cases. The total number of users in the LDAP server is less than 1500.
    7   etime=1
    6   etime=1
    102 etime=4
    51  etime=5
    26  etime=6
    5   etime=7
    4   etime=8
    From the LDAP access logs we can see the following entries; sometimes the query takes more than 10 seconds:
    [28/May/2012:14:21:26 +0200] conn=281 op=41433 msgId=853995 - SRCH base="dc=****,dc=****,dc=com" scope=2 filter="(&(&(***=true)(**=true))(objectClass=vfperson))" attrs=ALL
    [28/May/2012:14:21:36 +0200] conn=281 op=41434 msgId=854001 - ABANDON targetop=41433 msgid=853995 nentries=884 etime=10
    The query was aborted by Access Manager after 10 seconds.
    Please post your suggestions to resolve this issue.
    1. How can we find out why the query is taking more than 10 seconds?
    2. Next steps to resolve this issue.
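The etime counts in the question are exactly what a small access-log parser produces, and the same parser answers question 1 by pairing each ABANDON with the SRCH it cancelled and by flagging searches the server reported as unindexed. The Python below is an added example, not Access Manager or Directory Server code; the log lines are constructed in the Directory Server access-log format, with the last two modelled on the SRCH/ABANDON pair quoted above, and the "notes=U" marker is what Sun/389 Directory Server writes on the RESULT line of an unindexed search.

```python
import re
from collections import Counter

# Constructed sample log. conn/op numbers, base and filters are made up.
SAMPLE_ACCESS_LOG = """\
[28/May/2012:14:20:01 +0200] conn=281 op=41430 msgId=853990 - SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=vfperson)" attrs=ALL
[28/May/2012:14:20:02 +0200] conn=281 op=41430 msgId=853990 - RESULT err=0 tag=101 nentries=1450 etime=1
[28/May/2012:14:20:40 +0200] conn=281 op=41431 msgId=853992 - SRCH base="dc=example,dc=com" scope=2 filter="(&(flagA=true)(objectClass=vfperson))" attrs=ALL
[28/May/2012:14:20:45 +0200] conn=281 op=41431 msgId=853992 - RESULT err=0 tag=101 nentries=884 etime=5 notes=U
[28/May/2012:14:21:26 +0200] conn=281 op=41433 msgId=853995 - SRCH base="dc=example,dc=com" scope=2 filter="(&(&(flagA=true)(flagB=true))(objectClass=vfperson))" attrs=ALL
[28/May/2012:14:21:36 +0200] conn=281 op=41434 msgId=854001 - ABANDON targetop=41433 msgid=853995 nentries=884 etime=10
"""

_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) msgId=(?P<msgid>\d+) - "
    r"(?P<kind>\S+) ?(?P<rest>.*)$"
)
# key=value pairs; quoted values may contain spaces and parentheses.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_access_log(text):
    """Turn access-log lines into dicts; lines that are not operations are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        rec = {"ts": m["ts"], "conn": int(m["conn"]), "op": int(m["op"]), "kind": m["kind"]}
        for key, val in _KV.findall(m["rest"]):
            rec[key] = val[1:-1] if val.startswith('"') else val
        if "etime" in rec:
            rec["etime"] = int(rec["etime"])   # whole seconds in this log format
        records.append(rec)
    return records


def _search_filters(records):
    """(conn, op) -> filter text for every SRCH, so results can be tied back to it."""
    return {(r["conn"], r["op"]): r.get("filter", "") for r in records if r["kind"] == "SRCH"}


def etime_histogram(records):
    """Count of operations per etime, like the '102 etime=4' figures in the question."""
    return Counter(r["etime"] for r in records if "etime" in r)


def slow_operations(records, threshold):
    """Operations whose etime reached the client's timeout."""
    return [(r["conn"], r["op"], r["kind"], r["etime"])
            for r in records if r.get("etime", -1) >= threshold]


def abandoned_searches(records):
    """Pair each ABANDON with the search it cancelled via conn + targetop."""
    filters = _search_filters(records)
    return [(filters.get((r["conn"], int(r["targetop"])), "?"), r["etime"])
            for r in records if r["kind"] == "ABANDON"]


def unindexed_searches(records):
    """Searches the server flagged with notes=U: candidates for a missing index."""
    filters = _search_filters(records)
    return [(r["op"], filters.get((r["conn"], r["op"]), "?"))
            for r in records if r["kind"] == "RESULT" and "U" in r.get("notes", "")]


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    print(etime_histogram(recs))
    print(slow_operations(recs, 10))
    print(abandoned_searches(recs))
    print(unindexed_searches(recs))
```

Run against the real access log with the client's 10-second timeout as the threshold, the abandoned and unindexed lists point at the filters worth checking against the configured indexes.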

    Hi Marco,
    Thanks for your suggestions.
    Sorry for replying late. I was out of the office for a few weeks.
    1) Have you already tuned the caches? (entry cache, db cache, filesystem cache?)
    We are using the db cache and we have not done any tuning of the cache. The application was working fine and there were not many changes in the number of users.
    2) Unfortunately we don't have direct access to the environment and we have contacted the responsible team to verify the server health during the issue.
    Regarding the I/O operations we can see that the load balancer is pinging the LDAP server every 15 seconds to check the status of the LDAP servers, which yields a new connection on every hit (on average 8 connections per minute).
    3) We are using cn=dsameuser to bind to the directory server. Other configuration details for LDAP:
    LDAP Connection Pool Minimum Size: 1
    LDAP Connection Pool Maximum Size: 10
    Maximum Results Returned from Search: 1700
    Search Timeout: 10
    Is the configured Search Timeout value proper? (We have less than 1500 users in the LDAP server.)
    Also, is there any impact if the value Maximum Results Returned from Search is set to 1700? (The Sun document for AM says that the ideal value for this is 1000 and if it is higher than this it will impact performance.)
    The application was running without timeout issues for the last 2 years and there was not much increase in the number of users in the system (at most 200 users added to the system in the last 2 years).
    Thanks,
    Jay

  • LDAP search from an Express Rule

    Hi,
    I need to do a simple search in an LDAP directory from inside a Rule. I'm trying to do this from Express code but I'm not able to, and I don't find any info about it in the forum.
    I'm trying to do it with code like:
    <block>
    <setvar name='context'>
    <new class='javax.naming.ldap.InitialLdapContext'/>
    </setvar>
    <invoke name='search'>
    <ref>context</ref>
    <s>c=es</s>
    <s>(cn=*)</s>
    <s>null</s>
    </invoke>
    </block>
    I don't know if I have to use javax.naming.ldap.InitialLdapContext or maybe the com.sun.jndi.ldap that comes with IdM.
    Any clue? Any sample code to do it?
    Regards,

    Here is a simple example of calling a custom Java class to retrieve a user's phone number from LDAP. Hope someone can return the favor by answering some of my posts.
    <invoke class="JNDIutility" name="getUsersPhoneNumber">
    <ref>:variables.employeeID</ref>
    <s>ou=NonEmployees,ou=People,dc=xxx,dc=xxx</s>
    </invoke>
    Here is the simple Java class:
    /*
     * @(#)JNDIutility.java     1.0   07/16/2007
     * Author: Larry L. Viars
     * Perform an Enterprise Directory search by specifying a set of
     * search attributes to be matched.
     */
    import javax.naming.*;
    import javax.naming.directory.*;
    import java.util.*;

    public class JNDIutility {
        static public DirContext context;
        static private Hashtable env;

        public JNDIutility() {
        }

        public static DirContext connect() {
            // Set up the environment for creating the initial context
            env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "cn=Directory Manager");
            env.put(Context.SECURITY_CREDENTIALS, "Y0urP@ssw0rd");
            env.put(Context.PROVIDER_URL, "ldap://yourservername.xxx.xxx:389");
            try {
                context = new InitialDirContext(env);
            } catch (NamingException e) {
                System.out.println("Directory server binding error");
                e.printStackTrace();
                // logging code goes here
            }
            return context;
        }

        /*
         * Perform an Enterprise Directory search by specifying a set of
         * search attributes to be matched.
         * Search Attributes: (userID)
         * Returns a Users Phone Number from LDAP.
         */
        public static String getUsersPhoneNumber(String userID, String contextToSearch) {
            List InitList = new ArrayList();
            try {
                // Create initial context
                context = connect();
                // Specify the ids of the attributes to return
                String[] attrIDs = {"TelephoneNumber"};
                // Specify the attributes to match
                // Ask for objects that have the attribute
                Attributes matchAttrs = new BasicAttributes(true); // ignore case
                matchAttrs.put(new BasicAttribute("enterpriseid", userID));
                // Search for objects that have those matching attributes
                NamingEnumeration answer = context.search(contextToSearch, matchAttrs, attrIDs);
                while (answer != null && answer.hasMore()) {
                    SearchResult sr = (SearchResult) answer.next();
                    Attributes attrs = sr.getAttributes();
                    for (NamingEnumeration ne = attrs.getAll(); ne.hasMoreElements();) {
                        Attribute attr = (Attribute) ne.next();
                        for (Enumeration vals = attr.getAll(); vals.hasMoreElements();) {
                            InitList.add(vals.nextElement());
                        }
                    }
                } // End while loop collecting the list of attribute values
                // Close the context when we're done
                context.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
            String UsersPhoneNumberToString = (InitList.toString());
            String UsersPhoneNumberWithLeftBracketRemoved  = UsersPhoneNumberToString.replaceAll("(?:\\[)+", "");
            String UsersPhoneNumberWithBothBracketsRemoved = UsersPhoneNumberWithLeftBracketRemoved.replaceAll("(?:])+", "");
            return UsersPhoneNumberWithBothBracketsRemoved;
        }
    }

  • LDAP Operational Attribute Names

    Hey,
    I have been searching extensively for certain LDAP operational attributes.
    I need to know the uniqueId, modifyTimeStamp and an attribute to signify if a user is active for the following servers:
    1. Netscape
    2. Novell
    3. IBM Tivoli.
    For Netscape if it has the same as attributes as its free version Fedora then I hope the attributes are nsuniqueid , modifyTimeStamp , nsaccountlock respectively.
    For Novell it seemed more on the line for Active Directory for uniqueid and modifytimestamp still looking for active users.
    For IBM I obtained that the unique id is ibm-entryUuid.
    Help on this would be greatly appreciated.

    Hi,
    Actually I was also looking for deleting the operation attributes.
    As in the case of a user account lock, pwdAccountLockedTime & pwdFailureTime will be set. But, again, to unlock the account I need to delete these entries. Now the problem is, these operational attributes are maintained by the server itself and not visible to the client program unless specified explicitly. I was using ModificationItem with REMOVE_ATTRIBUTE, but it doesn't work as it's not able to identify the attribute in the directory.
    I am using IBM Tivoli directory server. I can unlock the user account(delete these entry thru the command line) but I need to delete it thru Java program.
    Please help !
    Any suggestion will be welcome.
    Archit

  • Authenticating IMS 5.2 user passwords against another LDAP

    hi,
    Am currently authenticating IMS 5.2 against IDS 5.1.
    Is it possible to authenticate IMS 5.2 users' passwords against another LDAP server just for logins?
    The rest of the user mail attributes still remains on IDS5.1 for mail delivery...etc
    What would be the requirements from the other LDAP server to return to the user in order to log in to messenger express/pop/imap/smtp?
    how would the http session id be returned to the user via the IMS?
    thank you

    Thanks Jay...
    I did the following:
    $ ./configutil -o store.defaultmailboxquota -v 10485760
    Now, I think I read somewhere you have said it is required to restart...
    Would it suffice to just refresh the cache with the following command?
    ./imsimta restart dispatcher
    Thanks as always for your support.

  • LDAP Search filter Jabber for Android

    Hi,
    I have this LDAP Filter which only shows me active users:
    <BaseFilter>(&amp;(objectclass=user)(objectcategory=person)(!UserAccountControl:1.2.840.113556.1.4.803:=2))</BaseFilter>
    I have the same line for Jabber for Android, but it doesn't work.
    <BDIBaseFilter>(&amp;(objectclass=user)(objectcategory=person)(!UserAccountControl:1.2.840.113556.1.4.803:=2))</BDIBaseFilter>
    I get 0 results for any search on Jabber for Android. When I delete the "BDI" line for the filter altogether, then I get correct results - with photos and everything.
    I also tried a simple filter, e.g.:
    <BDIBaseFilter>(!UserAccountControl:1.2.840.113556.1.4.803:=2))</BDIBaseFilter>
    No search results either.
    Any ideas how to get the filter for Android working?
    Versions:
    Jabber for Android: 10.6
    CUCM: 9.1.2

    I think I found the corresponding messages in the log:
    csf.person.ldap: [LdapSearchQueryHandler.cpp(51)] [start] - reqId = 2
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1482)] [sendSearchQuery] -
    02-26 09:18:59.851 15477 15477 I csf.person.xmpp: [XMPPPersonRecordSource.cpp(268)] [fetchContacts] - Entering.
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1531)] [sendSearchQuery] -  filter  = (&(objectclass=user)(objectcategory=person)(!UserAccountControl:1.2.840.113556.1.4.803:=2)(|(sAMAccountName=at1sath))), baseDN=OU=Organization,DC=at,DC=customer,DC=net
    02-26 09:18:59.851 15477 15477 D services-dispatcher: [ServicesDispatcher.cpp(147)] [pumpNext] -  pumpNext.executed (ContactsAdapter::LoadContactsFromSource)
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1576)] [sendSearchQuery] - ldap search error. rc= -7 ,msg=Bad search filter
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1675)] [notifyListenersSearchRequestCompleted] - errorCode=-7
    02-26 09:18:59.851 15477 15477 D services-dispatcher: [ServicesDispatcher.cpp(145)] [pumpNext] -  pumpNext.executing (ContactsAdapter::LoadContactsFromSource)
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1258)] [mapErrorNo] - Code = -7, Msg=Bad search filter
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapSearchQueryHandler.cpp(84)] [onSearchRequestCompleted] - reqId = 1, errcode = 9
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1531)] [sendSearchQuery] -  filter  = (&(objectclass=user)(objectcategory=person)(!UserAccountControl:1.2.840.113556.1.4.803:=2)(|(sAMAccountName=at1hafr))), baseDN=OU=Organization,DC=at,DC=customer,DC=net
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1576)] [sendSearchQuery] - ldap search error. rc= -7 ,msg=Bad search filter
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1675)] [notifyListenersSearchRequestCompleted] - errorCode=-7
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1258)] [mapErrorNo] - Code = -7, Msg=Bad search filter
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapSearchQueryHandler.cpp(84)] [onSearchRequestCompleted] - reqId = 2, errcode = 9
    The next question is now: why is it a bad search filter? And what is the correct one? The same filter works on Jabber for Windows...
    BR, Dave

  • When I open a new tab it does not bring up my homepage. It brings up another sites search engine page.

    When I click on the new tab button, a small cross, it opens the new tab, but displays another sites search page, not my homepage. I cannot find where to tell it to open my homepage on all new tabs that are opened from the tab bar.

    The basic Firefox build has always opened a blank page when you open a new tab.
    Maybe some add-on you installed modified that feature of Firefox which now opens all tabs in a different page. Here's what you will need to do.
    Open Firefox -> go to Help Menu -> select "Restart with Add-ons Disabled"
    Firefox will close, then it will open up with just basic Firefox. The tabs will now be opening in a blank page. You can enable the add-ons again and check if it's working properly.

  • How do I delete a credit card from my iTunes account without adding another one? My friend bought an app with her credit card and I no longer have the info but every time I try to download a free app (ex: Instagram, Twitter, vine etc.)it ask for the info

    How do I delete a credit card from my iTunes account without adding another one? My friend bought an app with her credit card and I no longer have the info, but every time I try to download a free app (ex: Instagram, Twitter, Vine, etc.) it asks for the credit card's security code. I cannot find a way to delete that card's info without adding another card's info.

    http://support.apple.com/kb/ht1918
    http://support.apple.com/kb/ts5366

  • How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird?

    How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird?  We have a super awesome contacts server that works great for our Mac users.  About 30% of our company are on PCs, and I would like to use the Mozilla Thunderbird mail client for them.  I see that in Thunderbird I can set up LDAP searching, and would like to have this feature point to our contacts server.  I've tried several different settings, and looked all over the web, but could not find the proper way to configure this.  Does anyone know if this can be done, or if not, would have a better suggestion?  Thank you for your time!!

    Try double-clicking; Keychain Access should launch and ask if you want to install in login, System, or System Roots.
    A dialog box will launch asking where to install the cert. Since you're configuring a VPN, I would put the certificate in System.
