CRL and Directory server

We are running Web Proxy server (Iplanet) with reverse proxy option on Solaris 8. This will give our staff access to applications inside.
Access is based on certificates.
Certificates are under own control using Windows 2000 certificate server.
We want to be able to use either the CRL or issued certificates with ACL on Proxy server. Therefore we installed Directory server 5.1 (Solaris 8) to act as LDAP.
Any ideas how I can use the CRL info for this?
Downloading and installing CRL is possible and working.
Main question is: How can I use the CRL info in combination with ACL on Proxy or Directory server?
Thanks.

Anybody??? I really need help with this....

Similar Messages

  • OAM and Directory Server Interaction

    I am in the middle of continued fact finding for implementing OAM. One question that has come up is how does OAM use the directory server it is configured to connect to. We would like to use AD as our authentication source but the word is Hell No if OAM is going to try to write data back into the directory server or store data in the directory server as our AD Admins are mandating that OAM will only be given read only, normal user level rights even if it requires write privileges and directory admin rights to function. I have searched the manuals and have yet to find a really good explanation of how it works and uses the Database Schema and Directory Server. I suspect it is read only but I need to know ahead of time so I can make everyone aware that we're going to have to run multiple directory systems due to the imposed limitation on AD access.

  • Installing Iplanet web server and directory server behind a firewall

    When installing iplanet web server and directory server behind a firewall - should the internal ip address be used or the external ip address?

    Hello,
    When you are installing iplanet web server behind a firewall, you should use the internal ip address in the firewall.
    1. The external ip address connection to the Internet. The type of IP address used, dynamic (commonly used for standard modems) or static (commonly used for cable modems), is dictated by the ISP to which you connect and the type of service it provides.
    2. The internal ip address connection. This connection must be a static IP assignment, and it must be assigned by you.
    Obviously it depends on the type of firewall setup you have.
    Thanks
    Selva

  • Directory Server 6.3.1 and Directory Server 7.0 agent module

    Hello Folks-
    I am having a strange issue with my directory servers. I had three directory server replicas and they were all on 6.3.1 installed with the zip distribution. One of the directory servers was a vmware virtual machine running on Solaris Update 8 and after a power failure I could not start or recover the Virtual Machine itself. Long story short, I ended up installing a new DS with 7.0 version (with zip distribution). The installation went very smoothly, had no problems starting the server and creating an initial instance, top level baseDN, etc.
    I somehow unregistered the older non-working Directory Server from first server's DSCC and wanted to include this new one. So in my Directory Servers tab in DSCC, I have all three listed like this: notice the third one
    Server
    ldap1:389
    ldap2:389
    ldap3:389 (server not registered)
    So having the same host name and same instance, when I try to register an "existing server", I get the following error:
    " The DSCC agent module is not registered on host ldap3. Verify that the agent module is installed using the command dsccsetup status on host ldap3. If the agent module is installed register it using the command dsccsetup cacao-reg"
    So I went to the third host and did the following:
    # dsccsetup status
    DSCC Agent is registered in Cacao
    Cacao uses a custom port number 21162
    DSCC Registry has been created
    Path of DSCC registry is /jes/ds/dsee7/var/dscc/ads
    Port of DSCC registry is 3998
    # dsccsetup cacao-reg
    DSCC Agent is already registered.
    So what is the problem? Why can't I register my new server and create replication agreements with the others?
    Please let me know if you have more information
    Thanks.
    Deniz.

  • Unable to use SSL between Access Manager and Directory Server

    I am trying to set up Access Manager to use SSL when communicating with Directory Server. Access Manager 7 is running under Sun Web Server 6.1. I have configured Directory Server to use SSL using a Self-Signed CA and have imported the CA certificate into the certificate database for Web Server. When I change the Access Manager configuration as specified in the Admin Guide to use SSL and restart the Web Server, Access Manager fails with the message
    (among many others)
    netscape.ldap.LDAPException: SSL connection to
    eauth1.arc.nasa.gov:636, SSL_ForceHandshake failed: (-8157) Certificate extension not found. (91); Cannot
    connect to the LDAP server
    I am able to connect to the Directory Server instance with JXplorer using SSL (with a complaint about an unknown CA). Can someone explain the error message so that I can fix the problem or work around it?
    Thanks

    In the initial part of AMConfig.properties, you'll find an entry similar to trustSSLCerts. This, by default, is set to false. Try setting it to true (AM web server instance will need a restart). This lets AM continue with SSL handshaking in spite of errors. Am not sure if this affects AM to DS connectivity as well. It sure affects AM to AM communication (in a multiple server configuration).
    Naturally, it is not recommended that you use this feature when you are ready for production, but at least it'll let you be sure that apart from the cert issue, everything else is okay.
    Hope this helps.

  • PORTAL SERVER 6.0 and Directory Server 5.1 existing

    I have one instance of sunone directory server 5.1. I want to install secure portal server 6.0 and I want to use this directory server. In the installation manual this procedure isn't there.
    When I install the portal I select the installation with existing ldap and the portal server is installed. When I start the portal server it doesn't work.
    Thanks

    Go to Identity Server v5.1 documentation. It's well documented there. In two words, after you installed it this way, you have to apply 'existing.ldif' file to create ACIs and roles, then to create all services.
    Please check existing.ldif before you will apply it. Depending on your DIT, it may be quite broken. Don't forget to change ums.xml to match your schema.

  • Java and Directory server

    Dear members,
    I am recently going to start a project that will require a browser to authenticate with a directory server (Radius server). I am doing research about feasibility.
    I would like suggestions from you guys about the protocol to be used and the resources to be utilized. Please let me know any online resources if you have created or you know.
    Thanks,
    Di Ke.

    Hi,
    could you please explain what you expect from authenticating against Sun Java Directory Server?
    You do not need openldap libraries, you can link with the libldap Solaris implementation, libiconv and openssl.
    Stefan

  • Installing Access Manager and Directory Server

    Can I install the Access Manager 2005Q4 without installing the directory server?
    The products selected for installation have dependency requirements or installation options as indicated below.
    Sun Java(TM) System Directory Server 5 2005Q4
    ------------------------------------------------------------------------

    Every time I click the Access Manager in the JES 2005Q4 installer the directory server would click itself. Unchecking this prompted me for a remote repository which worked.
    I wasn't able to get the install to complete with the state file, it stopped before configuring access manager.

  • Using iws4.1 and Directory Server 5.0 for authentication, is  there a way to force a log off ?

    Hi,
    You can set this in "iPlanet Directory Server", to force the user to log off after a particular time. For more info, check the iPlanet Directory Server guide.
    Regards,
    Dakshin.

  • Setting up Access Manager and Directory Server for Failover.

    I'm setting up 2 Access Managers AM1, AM2 and 2 Directory Servers DS1 and DS2 for failover. I've connected AM1 and AM2 to DS1. Suffixes of DS1 are replicated to DS2. Any change made to AM1 is replicated to AM2 as expected. I just patched AM1 with Access Manager patch 1 and the version information for AM1 shows 7.1 126359-01. I followed the same procedure to patch AM2 but AM2 still shows ver 7.1.
    How do I make sure both Access Managers are patched to the same version?
    I'm able to authenticate to one IIS6 site and authentication is passed on to Outlook Web Access on AM1 but when I shut down AM1 to test failover to AM2 OWA prompts me again for password. How do I resolve this?
    On AM1 http://host.domain/amserver/UI/Login?realm=sso successfully logs in but the same on AM2 gives Warning that "You have already logged in. Do you want to log out and then login to a different organization?"
    Please help !!!

    I'll answer what bits I can:
    Q: AM showing the same version?
    A: No idea on this one. I would have expected the operation you described to have produced the right answer. Check that neither your application server nor your web browser are caching old pages (ctrl-F5 in my browser)
    Q: How do I resolve re-authentication on failover?
    A: The AM documentation includes a deployment example that covers pretty closely what it is you are trying to achieve:
    http://docs.sun.com/app/docs/doc/820-2278
    Specifically, the problem you are describing is related to session failover. The sessions are stored in a local DB so when you failover the backup server does not store the same information and hence requires a reauthentication. The section of the above doc that deals with this is here:
    http://docs.sun.com/app/docs/doc/820-2278/gdsre?l=en&a=view
    Q: "You have already logged in" warning
    A: No idea. Sorry.
    R

  • ISW and Directory Server 6.3. unable to sync passwords

    I thought I'd try to move on to DS6.3 and Windows Sync.
    I already have 5.3 running on another machine and all works fine.
    But, I am having a problem with the new version.
    I am getting the following error in the log files when a password change happens (AD->LDAP):
    "LDAP modify operation of entry uid=andrew..failed at null. Error code: 65, reason: null"
    FINE 55 CNN100 ldap2 "LDAP operation on entry uid=andrew,ou=people,dc=dcs,dc=bbk,dc=ac,dc=uk failed at ldap://ldap2:389, error(65): Object class violation." (Action ID=CNN101-11DFDD5663D-32, SN=9)
    SEVERE 55 CNN100 ldap2 "LDAP modify operation of entry uid=andrew,ou=people,dc=dcs,dc=bbk,dc=ac,dc=uk failed at null. Error code: 65, reason: null" (Action ID=CNN101-11DFDD5663D-32, SN=10)
    SEVERE 55 CNN100 ldap2 "LDAP modify operation of entry uid=andrew,ou=people,dc=dcs,dc=bbk,dc=ac,dc=uk failed at null. Error code: 65, reason: null" (Action ID=CNN101-11DFDD5663D-32, SN=10)
    The users already exist in AD and LDAP.
    # idsync resync -f sul1_sg.cfg -k
    # idsync resync -o Sun
    # idsync resync -f sul1_sg.cfg -i NEW_LINKED_USERS
    Any pointers...
    Andrew

    Thanks it gave me the version
    [dsadm]
    dsadm               : 6.3                  B2008.0311.0212 NAT
    [slapd 64-bit]
    Sun Microsystems, Inc.
    Sun-Java(tm)-System-Directory/6.3 B2008.0311.0212 64-bit
    ns-slapd            : 6.3                  B2008.0311.0212 NAT
    Slapd Library       : 6.3                  B2008.0311.0212
    Front-End Library   : 6.3                  B2008.0311.0212
    Also, the hot fix from Sun fixed my problem. All is looking good.
    Cheers
    Andrew

  • Ilash and Directory Server Resource Kit 5.2

    I can't seem to find the 'ilash: the LDAP Administrative Shell' utility within the latest download of the Directory Resource Kit 5.2...
    http://docs.sun.com/app/docs/doc/816-6400-10/
    http://docs.sun.com/app/docs/doc/816-6400-10/ilash.html
    Has it been removed!?
    Cheers,
    Rob Chevalier

    Yes ilash has been removed from the DSRK for licensing issues.
    Ludovic.

  • Directory Server 5.1 and CMS 4.2 SP2

    There's a similar question on 16 January that didn't get answered.
    I realise I can configure CMS to publish certificates to an "external" DS 5.1 LDAP directory. However, I'd like to know whether there is a realistic method to make CMS use DS 5.1 for its internal database (port 38900). I don't want to build a complex mixed-version environment unless there will be no alternative for (say) the next 6-9 months.
    I have a production user directory that is being upgraded from DS 4.12 to 5.1. Our CMS system is also in production, and was upgraded to 4.2 SP2 about 6 months ago.
    Does anyone have any experiences in this area that can help me decide on an optimal way forward?

    I recommend that you read the Release Notes of DS5.2, there are some notes on Replication between 5.1 and 5.2.
    ===
    In Directory Server 5.2, the schema file 11rfc2307.ldif has been altered to conform to rfc2307. If replication is enabled between 5.2 servers and 5.1 servers, the rfc2307 schema MUST be corrected on the 5.1 servers, or replication will not work correctly.
    Workaround
    To ensure correct replication between Directory Server 5.2 and Directory Server 5.1, perform the following tasks:
    * For zip installations, remove the 10rfc2307.ldif file from the 5.1 schema directory and copy the 5.2 11rfc2307.ldif file to the 5.1 schema directory. (5.1 Directory Server Solaris packages already include this change.)
    * Copy the following files from the 5.2 schema directory into the 5.1 schema directory, overwriting the 5.1 copies of these files:
    11rfc2307.ldif, 50ns-msg.ldif, 30ns-common.ldif, 50ns-directory.ldif, 50ns-mail.ldif, 50ns-mlm.ldif, 50ns-admin.ldif, 50ns-certificate.ldif, 50ns-netshare.ldif, 50ns-legacy.ldif, and 20subscriber.ldif.
    * Restart the Directory Server 5.1 server.
    * In the Directory Server 5.2 server, set the nsslapd-schema-repl-useronly attribute under cn=config to on.
    * Configure replication on both servers.
    * Initialize the replicas.
    ===
    Also search for "migrate" or "repl" or "5.1" in Release Notes and read the relevant information.
    http://docs.sun.com/source/817-7611/index.html
    Another guide is "Installation and Migration Guide"
    http://docs.sun.com/app/docs/doc/817-7608
    HTH.
    Gary

  • Configure replication between directory server 5.1 and 5.2

    We have two directory servers running on different machines, 5.1 and a new 5.2. All databases have been successfully backed up and restored from 5.1 to the new 5.2. In this scenario, we would like to set up the 5.1 and new 5.2 D.S. as multi-master replication.
    As described in the Sun Documentation, we have copied a few ldif files from the new 5.2 to 5.1 so that both schemas are up to date.
    The new instance of 5.2 is running fine. However, on the other hand, 5.1 has a problem starting the server, as shown below.
    # ./start-slapd
    [31/May/2005:14:07:43 +0800] dse - The entry cn=schema in file /usr/iplanet/servers/slapd-ifpdev02/config/schema/50ns-admin.ldif is invalid, error code 21 (Invalid syntax) - object class nsAdminServer: Unknown required attribute type "nsServerID"
    [31/May/2005:14:07:43 +0800] dse - Please edit the file to correct the reported problems and then restart the server.
    Any help from you guys is greatly appreciated.

    I recommend that you read the Release Notes of DS5.2, there are some notes on Replication between 5.1 and 5.2.
    ===
    In Directory Server 5.2, the schema file 11rfc2307.ldif has been altered to conform to rfc2307. If replication is enabled between 5.2 servers and 5.1 servers, the rfc2307 schema MUST be corrected on the 5.1 servers, or replication will not work correctly.
    Workaround
    To ensure correct replication between Directory Server 5.2 and Directory Server 5.1, perform the following tasks:
    * For zip installations, remove the 10rfc2307.ldif file from the 5.1 schema directory and copy the 5.2 11rfc2307.ldif file to the 5.1 schema directory. (5.1 Directory Server Solaris packages already include this change.)
    * Copy the following files from the 5.2 schema directory into the 5.1 schema directory, overwriting the 5.1 copies of these files:
    11rfc2307.ldif, 50ns-msg.ldif, 30ns-common.ldif, 50ns-directory.ldif, 50ns-mail.ldif, 50ns-mlm.ldif, 50ns-admin.ldif, 50ns-certificate.ldif, 50ns-netshare.ldif, 50ns-legacy.ldif, and 20subscriber.ldif.
    * Restart the Directory Server 5.1 server.
    * In the Directory Server 5.2 server, set the nsslapd-schema-repl-useronly attribute under cn=config to on.
    * Configure replication on both servers.
    * Initialize the replicas.
    ===
    Also search for "migrate" or "repl" or "5.1" in Release Notes and read the relevant information.
    http://docs.sun.com/source/817-7611/index.html
    Another guide is "Installation and Migration Guide"
    http://docs.sun.com/app/docs/doc/817-7608
    HTH.
    Gary
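    The schema steps quoted in Gary's two replies above (remove 10rfc2307.ldif on 5.1, copy the listed 5.2 files over, switch nsslapd-schema-repl-useronly on for 5.2), written up as an added shell example that is not from the release notes or the thread; the schema directory paths are arguments and the ldapmodify host and bind DN in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: applies the release-note schema steps from a 5.2 schema
# directory to a 5.1 schema directory, keeping .bak copies of every file it
# replaces so the change can be backed out if 5.1 then refuses to start.

# Files the release notes say to copy from 5.2 over the 5.1 copies.
SCHEMA_FILES="11rfc2307.ldif 50ns-msg.ldif 30ns-common.ldif 50ns-directory.ldif \
50ns-mail.ldif 50ns-mlm.ldif 50ns-admin.ldif 50ns-certificate.ldif \
50ns-netshare.ldif 50ns-legacy.ldif 20subscriber.ldif"

# sync_schema SRC_52_SCHEMA_DIR DST_51_SCHEMA_DIR
# Sets aside the old 10rfc2307.ldif on 5.1 (zip installs) and copies each
# listed 5.2 file over its 5.1 copy. Fails before touching anything further
# if a listed file is missing from the 5.2 directory.
sync_schema() {
    src="$1"; dst="$2"
    [ -d "$src" ] && [ -d "$dst" ] || { echo "schema dir missing" >&2; return 1; }
    [ -f "$dst/10rfc2307.ldif" ] && mv "$dst/10rfc2307.ldif" "$dst/10rfc2307.ldif.bak"
    for f in $SCHEMA_FILES; do
        if [ ! -f "$src/$f" ]; then
            echo "missing in 5.2 schema dir: $f" >&2
            return 1
        fi
        [ -f "$dst/$f" ] && cp -p "$dst/$f" "$dst/$f.bak"
        cp -p "$src/$f" "$dst/$f" || return 1
    done
    return 0
}

# useronly_ldif prints the change to apply on the 5.2 server with ldapmodify:
# the attribute and value are the ones named in the release notes.
useronly_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-schema-repl-useronly\nnsslapd-schema-repl-useronly: on\n'
}

# Usage (all paths and hosts are placeholders):
#   sync_schema /opt/ds52/slapd-x/config/schema /usr/iplanet/servers/slapd-y/config/schema
#   useronly_ldif | ldapmodify -h ds52host -p 389 -D "cn=Directory Manager" -W
#   then restart the 5.1 instance (start-slapd) before configuring replication.
```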

  • Change Directory server for Portal Server 6.2

    Hi there,
    I have the following problem with Portal Server 6.2 configuration which hopefully someone here will be able to help me with.
    Basically our current setup is the Sun Portal Server 6.2, ID server 6.1 and Directory server all sitting on one (Solaris 9) box. We now wish to separate the Portal / ID server components and the Directory Server component to separate boxes. In portal server 6.0 I think there was a pssetup tool which allowed configuration of a directory server which populated it with the necessary data for portal and ID server. The directory server we will be installing to will not necessarily be a clean install, i.e. it may already be populated with data.
    Is there some way therefore to re-configure the existing directory server to allow us to point our portal / ID server at it?
    Thanks in advance for any help
    Laurence.

    This can be done. You need to import the portal/identity server's schema into your new directory server and then export your existing directory server's content and import it into the new one.
