Changing LDAP "Search Attribute"

Similar Messages

• Is it possible to change ldap search attribute telephonenumber to an other

  Hello, I have a directory that holds the users phones number in an alternate ldap attribute "numeroCourt".
  The default Directory search asp files are displaying the content of the telephonenumber attribute in the LDAP Directory.
  What do I need to edit to change "telephonenumber" with "numeroCourt"?
  Thanks in advance.

  Since telephone number is not populated the logical thing for the CorpDir application to do would be to see that the
  "ciscoatUserProfileString" has a value and go retrieve the extension information from there.
  http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080094493.shtml

• Adding Another LDAP Search Attribute

  Hi,
  Can you please point me to any document for adding another ldap search attribute apart from uid.
  Regards,
  Edited by: IDM1312 on Jun 9, 2008 4:28 PM

  Yes, here is what happens when your user tries to login:
  They enter some username & password. The username can be any attribute you wish it to be (email, UID, cn, etc). The actual authentication is not done using the value the user enters. This is because you need to authenticate with the user's DN. To get the DN, access manager does a lookup on the directory server to see if what the user entered exists in any of the attributes in the search alias list. If the search is successful, it returns the user's DN. Access Manager then uses the DN and password to authenticate the user.
  So, if you expect your users to enter their email address, you will want your email attribute in this list. You can have multiple values in the list, if for example you want to allow users to enter uid OR email address. I would be careful about allowing this flexibility if you are in a large organization because this will bring increased overhead to both AM & DS.
  Also, be sure that whatever attribute you use is indexed!!
  I hope this helps,
  Eric

• Change LDAP search path

  When I built our CallManager 8.6 enviornment, I mirroed the way our 7.3 was set up.  We had set up our LDAP search space at the root of our domain.  The problem is that includes all kinds of sub directories we dont want.  I want to now change our LDAP to look deeper in our hiarchy.  What I dont know though is will it then see every person as a new user.  If so, it would break UCCX and Presence.

  Yep they do stay the same.  And the way I know it worked is if I look up a user I wanted to keep it shows "Ldap Active".  For the users I wanted gone they now show "delete pending".

• Change LDAP Search Base:  Is archive/recreate required?

  This is the gist of the message that I'm getting while searching for an answer, but I wanted to ask it here just in case.
  I have a MacOS X server (10.4.9) that I need to join to an Active Directory... it was originally on it's own domain (xserve.mydomain.ca) and will now be on the corporate domain (xserve.myorg.ca).
  I've run changeip to change the IP address and switch over all the domain information. The forward and reverse lookups are happy and working and while I had to recreate home directories for some users, in the end, everything worked fairly well.
  Now I need to take the next step in the integration and get LDAP changed over to reflect the new FQDN. It is current dc=xserve, dc=mydomain, dc=ca ... so it needs to be dc=xserve, dc=myorg, dc=ca
  Is archiving the LDAP database... switching to Standalone... and recreating the OD Master with new LDAP search base the only way to make the change?
  And if so... does it actually work? (Home Directories don't matter too much.. but recereating 200 users, obviously would suck).
  Thank you very much.
  Chris Alemany
  Computer Technician
  Malaspina U-C
  Nanaimo, BC

  I'm hoping for a little detail here.
  The LDAP archive that is created through Server Admin
  is... comprehensive... ie. there are a LOT of
  different files in there.
  Of course as it isn't only a LDAP archive but contains the PasswordServer database, the kerberos database, server settings ...
  Where do I start in terms of "mangling" the data
  (which I assume means redoing all references to the
  old LDAP domain?
  You would need to export only the LDAP database via the appropiate ldapsearch command.
  As you begin to see this task is quite complex and without some decent knowledge about Mac OS X Server in general and specifically LDAP this task is doomed to fail. :o/
  You can start your way with this book:
  http://www.amazon.com/Apple-Training-System-Administration-Reference/dp/03213698 4X/ref=pdbbs_sr1/103-1936572-6371849?ie=UTF8&s=books&qid=1177352316&sr=8-1
  Sorry for the bad news,
  -Ralph

• Ldap search attribut result "cn=Klaus", I want this only "Klaus"

  Hello,
  of course i could remove the position 0-2 from the String "cn=Klaus" to get a substring like "Klaus" but i don`t wanna use an extra "for loop" if there maybe exists another possibility to get a clean output like "Klaus"
  someone knows an ldap method to get ONLY the pure value of the cn attribute?

  A picture says more then 1000 words ;-)
  http://666kb.com/i/aq0uxeznt366h8z2b.jpg
  check out my both JList filled with return attribut "cn"
  The full string always has the "cn:" included which i have to remove with the following code:
  String realCN = attrb.toString().substring(4);
  well this line of code doesnt matter much but well its additional work :D

• LDAP search cannot find entry by user "defined attribute"  or  "sounds like

  Hi, I have an JSP program that searches an LDAP Sun One Directory Server.
  All of my search filters ( by givenname,sn,mail and phone #) work fine with the search base set at the very top (root ) of my DIT tree.
  However with the same search base, searching by an "User Defined Attribute" fails to return anything (and note that my search filter includes the objectclass that goes with this user defined attribute)?
  Yet, if I change the search base so it points all the way down the DIT tree (maybe near RDN?), the "User Defined Attribute" search works fine ?
  Additionally, "sounds like" search filter (givenname~=) fails to find anything at
  the upper root search base of DIT. If I change the search base to point down in the DIT tree as I did above, the "sounds like" filter will work?
  I've tried everything I know?

  Hi Dora9,
  Thanks for your reply.
  I am glad that you have solved the problem and thanks for your share us the solution
  here, so it would be helpful for other members who get the same issue
  and we will close this case.
  In addition, I suggest you could try to get
  the issue confirmed and diagnose by product team. Would you please create connect report for it? You will get email notification for update from the product team experts:
  http://connect.microsoft.com/VisualStudio/feedback/CreateFeedback.aspx,
  if you submit it, you could share us the link here, so we could know the latest information from the Product team expert. And I will help you to vote it.
  Thanks for your understanding.
  Best Regards,
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Using LDAP to search attribute bit flags using attribute OID values

  Hello everyone,
  My question stems from trying to understand the OID and syntax behind this classic LDAP search to find disabled users:
  "(useraccountcontrol:1.2.840.113556.1.4.803:=2)"
  What I am interested in is the value 1.2.840.113556.1.4.803, specifically how it differentiates from the value 1.2.840.113556.1.4.8, which is the OID of the useraccountcontrol attribute:
  http://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx
  Now, this website below says that the 03 and 04 are designators of the AND and OR operations, respectively, and are added on to the end of the OID:
  https://www.appliedtrust.com/blog/2011/04/keeping-your-active-directory-pantry-order
  However, using this logic, I can't get these 03 and 04 operators to work with other attribute OID's that use flags as values, such as the "searchflags" attribute, e.g. a LDAP search of "(searchflags:=1.2.840.113556.1.2.33404:=0)
  returns nothing, using the OR (04) operation at the end of the "searchflags" OID of 1.2.840.113556.1.2.334.
  So back to my original question, for the useraccountcontrol OID of 1.2.840.113556.1.4.8, is this OID at all related to the bitwise AND extensible match of 1.2.840.113556.1.4.803 (like just adding a 03 to designate an AND operation), or is this
  extensible match
  value of 1.2.840.113556.1.4.803 completely separate from the useraccountcontrol OID of 1.2.840.113556.1.4.8?
  If I have my terms mixed up, please feel free to correct me on what the proper terms are.
  Thanks!

  Hmm yeah I posted that link above in my OP as well, and I was hoping that the OID values of these bitwise filters were somehow related to the shorter OID of the "useraccountcontrol" attribute, but it looks like it's just a coincidence.
  So I wonder if the "useraccountcontrol" section of
  this article from my OP is a little misleading when it says:
  To make a comparison, we either need to use the LDAP_MATCHING_RULE_BIT_AND rule (1.2.840.113556.1.4.803), or the LDAP_MATCHING_RULE_BIT_OR rule (1.2.840.113556.1.4.804) for our attribute OID (the AND rule adds a 03 suffix to denote the AND operation,
  and the OR rule adds a 04 suffix).
  Following this logic, I should be able to use the "03" and "04" in other bitwise operations with different OID's to search "AND" or "OR", but as I pointed out in my OP above, I can't seem to make this work with adding the 
  "03" and "04" onto the end of other OID's. So I will go with Christoffer that these bitwise OID's (1.2.840.113556.1.4.803 and 1.2.840.113556.1.4.804) are unique in themselves, and the fact that they are 2 characters away from the OID of the "useraccountcontrol"
  attribute (1.2.840.113556.1.4.8) is just coincidence.
  This does seem strange however, and it seems like there should be some correlation here....
  If anyone has any more info, I would love to hear it!

• Ldif import change the userPassword attribute

  Hi all,
  I post a message here because i am facing an obstacle.
  I made an migration from Sun directory server 6 on sun sparc server to an linux server with directory server 7.
  I have got an issue about the ldif import.
  When i export ldap data from my old server, i have got ldif-export.ldif file and when i import it i have no error :
  Started initialization of "xxx.xxx.xxx.xxx:389"; Apr 29, 2013 10:14:12 AM
  Sent 1314 entries...
  Sent 3794 entries...
  Sent 3795 entries.
  Completed initialization of "xxx.xxx.xxx.xxx:389"; Apr 29, 2013 10:14:16 AM
  But when i do an ldap search i can see that my new dsee server does not contain the same password than my old server for the users password attribute .
  and this in spite of the ldif-export file contain exacly the same password than the old server in production.
  I think when i do an import the new server change the pasword or something like this.
  for example on my old server my user teo
  userPassword:: teo
  cn: neo
  uid: neo
  objectClass: top
  objectClass: neoDevice1
  and on my new server i have got :
  userPassword:: bmVv
  cn: neo
  uid: neo
  objectClass: top
  objectClass: neoDevice1
  i took the precaution to change the server propertie with this command to be sure to respect the same config than the old server
  ./dsconf set-server-prop pwd-storage-scheme:CLEAR
  I can't find where the issue is or what propertie to change for fix it.
  Otherwise there is no other problem in my ldif import all seems to be correct except userPassword attibute.
  Thanks for your help

  Hello,
  sorry for this late reply...
  as far as I understand, you would like to use the export/import mechanism to turn in clear all the passwords, is that correct?
  Unfortunately I'm afraid that what you're asking is not possible...
  If the userPassword attribute is "encrypted" in the original Directory Server instance database, then regardless of what you set in the 'encryption-scheme', in the export.ldif file you will still have the attribute encrypted.
  The same thing happens when you try to import from an ldif file: regardless of what you have set in the 'encryption-scheme' in the Directory Server, if the attribute in the ldif file is 'encrypted', it will stay 'encrypted' also in the database.
  The only way to have the userPassword attribute in clear is change the encryption-scheme and update the userPassword field of every entry.
  HTH,
  Marco

• Ldap search query takes more than 10 seconds

  LDAP query takes more than 10 seconds to execute.
  For validating the policy configured, the Acess Manager(Sun Java System Access Manager) contacts the LDAP (Sun Java System Directory Server 6.2) to get the users in a dynamic group. The time out value configured in Access Manager for LDAP searches is 10 seconds.
  Issue : The ldap query takes more than 10 seconds to execute at some times .
  The query is executing with less than 10 seconds in most of the cases, but it takes more than 10 seconds in some cases. The total number of users available in the ldap is less than 1500.
  7 etime =1
  6 etime =1
  102 etime=4
  51 etime=5
  26 etime=6
  5 etime=7
  4 etime=8
  From the ldap access logs we can see the following entry,some times the query takes more than 10 seconds,
  [28/May/2012:14:21:26 +0200] conn=281 op=41433 msgId=853995 - SRCH base="dc=****,dc=****,dc=com" scope=2 filter="(&(&(***=true)(**=true))(objectClass=vfperson))" attrs=ALL
  [28/May/2012:14:21:36 +0200] conn=281 op=41434 msgId=854001 - ABANDON targetop=41433 msgid=853995 nentries=884 etime=10
  The query was aborted by the access manger after 10 seconds.
  Please post your suggestions to resolve this issue .
  1.How we can find out , why the query is taking more than 10 seconds ?
  2.Next steps to resolve this issue .

  Hi Marco,
  Thanks for your suggestions.
  Sorry for replying late. I was out of office for few weeks.
  1) Have you already tuned the caches? (entry cache, db cache, filesystem cache?)
  We are using db cache and we have not done any turning for cache. The application was working fine and there was no much changes in the number of users .
  2) Unfortunately we don't have direct access to the environment and we have contacted the responsible team to verify the server health during the issue .
  Regarding the IO operations we can see that, load balancer is pinging the ldap sever every 15 seconds to check the status of ldap servers which yields a new connection on every hit. (on average per minute 8 connections - )
  3) We using cn=dsameuser to bind the directory server. Other configuration details for ldap
  LDAP Connection Pool Minimum Size: 1
  LDAP Connection Pool Maximum Size:10
  Maximum Results Returned from Search: 1700
  Search Timeout: 10
  Is the Search Timeout value configured is proper ? ( We have less than 1500 user in the ldap server).
  Also is there any impact if the value Maximum Results Returned from Search = set to 1700. ( The Sun document for AM says that the ideal value for this is 1000 and if its higher than this it will impact performance.
  The application was running without time out issue for last 2 years and there was no much increase in the number of users in the system. ( at the max 200 users added to the system in last 2 years.)
  Thanks,
  Jay

• LDAP search from an Express Rule

  Hi,
  I need to do a simple search in a LDAP directory from inside a Rule. I�m trying to do this from Express code but i�m not able and dont find any info about it in the forum.
  I�m trying to do it with a code like:
  <block>
  <setvar name='context'>
  <new class='javax.naming.ldap.InitialLdapContext'/>
  </setvar>
  <invoke name='search'>
  <ref>context</ref>
  <s>c=es</s>
  <s>(cn=*)</s>
  <s>null</s>
  </invoke>
  </block>
  I dont know if i have to use javax.naming.ldap.InitialLdapContext or maybe the com.sun.jndi.ldap that comes with idM.
  Any clue? Any sample code to do it?
  Regards,

  Here is a simple example of calling a custom Java Class to retrieve a users phone number from LDAP. Hope someone can return the favor by answering some of my posts.
                <invoke class="JNDIutility" name="getUsersPhoneNumber">
                <ref>:variables.employeeID</ref>
                <s>ou=NonEmployees,ou=People,dc=xxx,dc=xxx</s>
                </invoke>Here is the simple Java class:
  * @(#)JNDIutility.java     1.0   07/16/2007
  * Author: Larry L. Viars
  * Perform an Enterprise Directory search by specifying a set of
  * search attributes to be matched.
  import javax.naming.*;
  import javax.naming.directory.*;
  import java.util.Hashtable;
  import java.util.ArrayList;
  import java.util.StringTokenizer;
  import java.util.*;
  public class JNDIutility {
      static public DirContext context;
      static private Hashtable env;
            public JNDIutility ()
       public static DirContext connect()
           // Set up the environment for creating the initial context
           env = new Hashtable(11);
           env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                   env.put(Context.SECURITY_AUTHENTICATION, "simple");
           env.put(Context.SECURITY_PRINCIPAL, "cn=Directory Manager");
           env.put(Context.SECURITY_CREDENTIALS, "Y0urP@ssw0rd");
           env.put(Context.PROVIDER_URL, "ldap://yourservername.xxx.xxx:389");
           try
               context = new InitialDirContext(env);
           catch(NamingException e)
               System.out.println("Directory server binding error");
               e.printStackTrace();
               // logging code goes here
        return context;
  * Perform an Enterprise Directory search by specifying a set of
  * search attributes to be matched.
  * Search Attributes: (userID)
  * Returns a Users Phone Number from LDAP.
  public static String getUsersPhoneNumber(String userID, String contextToSearch) {
       List InitList = new ArrayList();
          String searchType;
          String rc = "false";
            try {
                  // Create initial context
                  context = connect();
                     // Specify the ids of the attributes to return
                     String[] attrIDs = {"TelephoneNumber"};
                  // Specify the attributes to match
                  // Ask for objects that have the attribute
                        Attributes matchAttrs = new BasicAttributes(true); // ignore case
                     matchAttrs.put(new BasicAttribute("enterpriseid", userID));
                     // Search for objects that have those matching attributes
                     NamingEnumeration answer = context.search(contextToSearch, matchAttrs, attrIDs);
                        while (answer != null && answer.hasMore())
                 SearchResult sr = (SearchResult) answer.next();
                 String TelephoneNumber = sr.getName();
                 Attributes attrs = sr.getAttributes();
                            for (NamingEnumeration ne = attrs.getAll(); ne.hasMoreElements();) {
                                 Attribute attr = (Attribute) ne.next();
                                 String attrID = attr.getID();
                                 for (Enumeration vals = attr.getAll(); vals.hasMoreElements();) {
                                 InitList.add(vals.nextElement());
                  } // End while loop displaying list of attributes
                   // Close the context when we're done
                   context.close();
                   } catch (Exception e) {
                     e.printStackTrace();
       String UsersPhoneNumberToString = (InitList.toString());
       String UsersPhoneNumberWithLeftBracketRemoved  = UsersPhoneNumberToString.replaceAll("(?:\\[)+", "");
       String UsersPhoneNumberWithBothBracketsRemoved = UsersPhoneNumberWithLeftBracketRemoved.replaceAll("(?:])+", "");
       return UsersPhoneNumberWithBothBracketsRemoved;
  }

• LDAP Operational Attribute Names

  Hey,
  I have been searching extensively for certain LDAP operational attributes.
  I need to know the uniqueId , modifiyTimeStamp and an attribute to signify if a user is active or for the following servers
  1. Netscape
  2. Novell
  3. IBM Tivoli.
  For Netscape if it has the same as attributes as its free version Fedora then I hope the attributes are nsuniqueid , modifyTimeStamp , nsaccountlock respectively.
  For Novell it seemed more on the line for Active Directory for uniqueid and modifytimestamp still looking for active users.
  For IBM I obtained that the unique id is ibm-entryUuid.
  Help on this would be greatly appreciated.

  Hi,
  Actually I was also looking for deleting the operation attributes.
  As in case of user Account Lock, pwdAccountLockedTime & pwdFailureTime will be set. But, Again to unlock the account I need to delete these entries. Now the problem is, these operational attributes are being maintained by server itself. and not visible to client program until and unless specified explictly. I was usinf modificationItem with REMOVE_ATTRIBUTE, but it doesn't work as its not be able to identify the attribute in the directory.
  I am using IBM Tivoli directory server. I can unlock the user account(delete these entry thru the command line) but I need to delete it thru Java program.
  Please help !
  Any suggestion will be welcome.
  Archit

• Problem with Search Attributes iView in MDM Business package

  Hello Everybody,
  I am configuring MDM Search Attributes iView in Portal.
  This iView should show data based on selected record in Search Hierarchy iView. But it is not showing any attribute data on Search Attributes iView.
  Any idea what could be the problem.
  I have MDM 5.5. SP01
  Appreciate your help.
  Thanks,
  Bhavik Devisha

  Hi,
  I tried the scenario on MDM 5.5 SP06 and its working fine.
  Following are the steps:
  1. Create the MDM System.
  2. Create the Search Hierarchy iView
  3. Create the Search Attributes iView
  4. Create the page and place both the iViews into that page.
  Now when i am changing the hierarchy,its corresponding attributes appear in the Search Attributes iView as expected.
  Try the same on some different version.Then only we can conclude that it might be because of version.
  Regards,
  Jitesh Talreja

• Editing LDAP User attributes from UME interface

  Hi Gurus,
  We want to develop a solution with user management screens in WD. These screens will provide password reset and unlock functionality for users. Our users are stored in LDAP. Current connection to LDAP is in Read Only manner.
  I want to know
  1. How to enable the connection from UME to LDAP in read/write manner?
  2. What certificates need to be exchanged for write access? if any?
  3. What changes needs to be done in config file of UME?
  4. Which permissions should be granted for communication user to edit LDAP user attributes?
  Even after performing the change to read LDAP in read/write manner, will it be sure: If we lock user from UME, it will lock LDAP user? please comment.
  regards
  Kedar Kulkarni

  Hi,
  We are half way into our application between UME and LDAP. We have developed screens and tested in our internal server. In internal landscape, UME is connected to LDAP in read only fashion. So when we try to create User, it gets created in UME.
  But when we deploy same application into client landscape, we receive error as below:
  No data source feels responsible for principal. Please check the data source configuration
  Now we are not sure why this error is getting displayed.
  In client landscape there are 2 LDAPs connected to UME, with only one LDAP in read/ write access.
  Is there any way we can check which LDAP is being accessed by our code? Is there any concept of Default LDAP?
  Any code to access LDAP details will help us lot.
  regards
  Kedar Kulkarni

• Open Directory, third party LDAP search path problem on Snow Leopard

  Happy new year folks,
  I ran into an interesting problem this past week in regards to a third party LDAP directory in the Search path (which used to work on previous versions). The issue brings the server to its knees eventually. I'm still digging through the logs, but here's the general breakdown...
  1. Add third-party LDAP to the OD node list. This has always worked on previous versions, and appears to still work at the most basic level. I can navigate the node with DSCL, read records, etc.
  1. Add third-party LDAP to the OD search path.
  2. Wait a few minutes....
  3. The server begins to slow down. Apache, SSH, ServerAdmin service stop responding. I'm able to run "top" briefly, which shows an increase of threads.
  4. Restart the server and quickly remove the directory from the OD search path
  5. Server goes back to being rock solid with very nice response times for Apache, SSH, ServerAdmin, etc.
  If anyone has any debugging suggestions, or has seen this before, let me know.
  Jaime
  --- Below is some console output leading up to the chaos. Before adding to search path, everything looks good --------------------
  bash-3.2# dscl
  Entering interactive mode... (type "help" for commands)
  read /LDAPv3/ldap.itd.umich.edu/Users/jaimelm cn
  dsAttrTypeNative:cn:
  Jaime Magiera
  Jaime L Magiera 1
  Jaime L Magiera
  --- Add to Search Path, which hangs ------------------------------------------------------------------------------
  bash-3.2# dscl /Search -append / CSPSearchPath /LDAPv3/ldap.itd.umich.edu
  --- DSCL in debug mode contains the following ----------------------------------------------
  2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Client: ipfw, PID: 1097, API: libinfo, Server Used : libinfomig DAR : Procedure = getprotobynumber (13) : Result code = 0
  2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Client: sso_util, PID: 1103, API: dsFindDirNodes(), Server Used : DAR : 1 : Dir Ref = 16779669 : Requested nodename = /Search
  2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Plug-in call "dsDoPlugInCustomCall()" failed with error = -14292.
  2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Port: 27151 Call: dsDoPlugInCustomCall() == -14292
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 1 : Dir Ref = 16779
  707 : Requested nodename = /LDAPv3/ldap.itd.umich.edu
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 2 : Dir Ref = 16779707 : Result code = 0
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 167797072010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16779707
  : Result code = 0
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAC : Dir Ref 16779707 :
  Data buffer size = 1282010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 1 : Dir Ref = 16779
  707 : Requested nodename = ConfigNode2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 2 : Dir Ref = 16779
  707 : Result code = 0
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: Requesting dsOpenDirNode with PID = 1114, UID = 0, and EUID = 0
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsOpenDirNode(), Configure Used : DAC : Dir Ref = 16779707 : Node Name = /Configure
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsOpenDirNode(), Configure Used : DAR : Dir Ref = 1677970
  7 : Node Ref = 33556926 : Result code = 0
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16779707
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16779707 : Result code = 0
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Configure Used : DAC : Node Ref = 33556926 : Requested Attrs = dsAttrTypeStandard:OperatingSystemVersion : Attr Type Only Flag = 0
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Configure Used : DAR : Node Ref = 33556926 : Result code = 0
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Search Used : DAC : Node Ref = 33556924 : Requested Attrs = dsAttrTypeStandard:LSPSearchPath : Attr Type Only Flag = 0
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Search Used : DAR : Node Ref = 33556924 : Result code = 0
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsDoPlugInCustomCall(), Search Used : DAC : Node Ref = 33556924 : Request Code = 444
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Checking for Search Node XML config file:
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - /Library/Preferences/DirectoryService/SearchNodeConfig.plist
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Have written the Search Node XML config file:
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - /Library/Preferences/DirectoryService/SearchNodeConfigBackup.plist
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Setting search policy to Custom search
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - CSearchPlugin::SwitchSearchPolicy: switch - reachability of node </LDAPv3/127.0.0.1> retained as <true>
  2010-01-01 19:26:36 EST - T[0x000000010070A000] - CSearchPlugin::CheckNodes: checking network node reachability on search policy 0x0000000000002201
  2010-01-01 19:26:36 EST - T[0x00000001037A5000] - CCachePlugin::EmptyCacheEntryType - Request to empty all types - Flushing the cache
  2010-01-01 19:26:36 EST - T[0x000000010070A000] - Client: Requesting dsOpenDirNode with PID = 0, UID = 0, and EUID = 0
  2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsOpenDirNode(), LDAPv3 Used : DAC : Dir Ref = 16777216 : Node Name = /LDAPv3/127.0.0.1
  2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsOpenDirNode(), LDAPv3 Used : DAR : Dir Ref = 16777216 : Node Ref = 33556929 : Result code = 0
  2010-01-01 19:26:36 EST - T[0x000000010070A000] - CSearchPlugin::CheckNodes: calling dsOpenDirNode succeeded on node </LDAPv3/127.0.0.1>
  2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsCloseDirNode(), LDAPv3 Used : DAC : Node Ref = 33556929
  2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsCloseDirNode(), LDAPv3 Used : DAR : Node Ref = 33556929 : Result code = 0
  2010-01-01 19:26:36 EST - T[0x0000000103181000] - mbr_mig - dsFlushMembershipCache - force cache flush (internally initiated)
  2010-01-01 19:26:36 EST - T[0x000000010070A000] - Client: Requesting dsOpenDirNode with PID = 0, UID = 0, and EUID = 0
  2010-01-01 19:26:36 EST - T[0x0000000103181000] - Membership - dsNodeStateChangeOccurred - flagging all entries as expired
  2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsOpenDirNode(), LDAPv3 Used : DAC : Dir Ref = 16777216 : Node Name = /LDAPv3/ldap.itd.umich.edu
  2010-01-01 19:26:36 EST - T[0x000000010070A000] - CLDAPNodeConfig::InternalEstablishConnection - Node ldap.itd.umich.edu - Connection requested for read
  2010-01-01 19:26:36 EST - T[0x000000010070A000] - CLDAPNodeConfig::FindSuitableReplica - Node ldap.itd.umich.edu - Attempting Replica connect to 141.211.93.133 for read
  2010-01-01 19:26:36 EST - T[0x0000000102481000] - CCachePlugin::SearchPolicyChange - search policy change notification, looking for NIS
  2010-01-01 19:26:36 EST - T[0x0000000102481000] - Internal Dispatch, API: dsGetDirNodeInfo(), Search Used : DAC : Node Ref = 33554436 : Requested Attrs = dsAttrTypeStandard:SearchPath : Attr Type Only Flag = 0
  ------- From another screen, I do "id jaimelm", which hangs ------------------------------------------------------------------------
  : Requested Rec Names = jaimelm : Rec Name Pattern Match:8449 = eDSiExact : Requested Rec Types = dsRecTypeStandard:Users
  2010-01-01 19:36:55 EST - T[0x00000001082A2000] - Internal Dispatch, API: dsGetRecordList(), Search Used : DAC : 2 : Node Ref = 33554436 : Requested Attrs = dsAttrTypeStandard:AppleMetaNodeLocation;dsAttrTypeStandard:RecordName;dsAttrTy peStandard:Password;dsAttrTypeStandard:UniqueID;dsAttrTypeStandard:GeneratedUID; dsAttrTypeStandard:PrimaryGroupID;dsAttrTypeStandard:NFSHomeDirectory;dsAttrType Standard:UserShell;dsAttrTypeStandard:RealName;dsAttrTypeStandard:Keywords : Attr Type Only Flag = 0 : Record Count Limit = 1 : Continue Data = 0
  2010-01-01 19:37:03 EST - T[0x0000000108325000] - Client: httpd, PID: 157, API: mbr_syscall, Server Used : process kauth result 0x0000000102022B30
  2010-01-01 19:37:03 EST - T[0x00000001083A8000] - Client: httpd, PID: 151, API: mbr_syscall, Server Used : process kauth result 0x0000000102022C50
  2010-01-01 19:37:05 EST - T[0x000000010842B000] - Client: httpd, PID: 203, API: mbr_syscall, Server Used : process kauth result 0x0000000102022D70
  2010-01-01 19:37:15 EST - T[0x00000001084AE000] - Client: httpd, PID: 994, API: mbr_syscall, Server Used : process kauth result 0x0000000102023890
  2010-01-01 19:37:26 EST - T[0x0000000108531000] - Client: httpd, PID: 198, API: mbr_syscall, Server Used : process kauth result 0x0000000102023980
  2010-01-01 19:37:31 EST - T[0x00000001085B4000] - Client: httpd, PID: 161, API: mbr_syscall, Server Used : process kauth result 0x0000000~

  Hi
  I'm in agreement with harry here but what I'm struggling to understand is why you are seeing this as a problem? I'm also struggling to see this as being a possibility in a single server environment if I understand your post correctly?
  Promotion to OD Master with all that entails absolutely rests on a properly configured and tested internal DNS Service. The Kerberos Realm's foundation (and with that the ability of the server to perform its function as KDC and offer LDAP services) entirely depends on what is configured in the DNS Service. This will include the server name, domain name and tld. The Kerberos Realm automatically configures itself using that information. Likewise the searchbase.
  Its more than possible to change the Realm name and with it the LDAP search base (in certain circumstances) and have an OD Master, however Kerberos won't start it won't need to as the KDC will be elsewhere. You generally see this when augmenting Windows AD with MCX. In that situation Realm name and search base will reflect what is set on the Active Directory. Client computers will use what is set there for contact and authentication information before looking at the OD Master for anything else.
  Does this help? Tony