DHCP : ldap config

Hello everyone,
I manage MAC OS X Server since 10.3 and always found my way...
But this time I can't make the automatic configuration of clients in Directory Manager work.
It stays blank :
10.6.2 (server & client)
changeip -checkhostname (ok)
dhcp address (ok)
DHCP (ldap tab) :
server name : master.oceans.eu
dc=master,dc=oceans,dc=eu
port to default
SSL not activated
the client is configured to automatically set the LDAP server in contact & authentication
Please HELP !
thanks in advance
Etienne
[EDIT]
I can't get Kerberos to work, it prompts for the login/pass of the administrator, maybe that's part of the solution...
[/EDIT]

Kerberos was working actually, but the window failed to update.
I still have problem with Directory Access, and now fighting with NetBoot !
What is it with this system !!!! "easier and most powerful server on earth" ... whatever !

Similar Messages

  • LDAP Config File - data source not initialized

    Hi,
    We have altered our LDAP config xml file to deal with an LDAP with multiple branches. This was done previously and was working fine. We have just changed again as another branch was added. Now if someone enters the wrong password on the login screen they get this error message
    Unknown message (ID = data source CORP_LDAP_CONSULTANTS not initialized
    rather than the usual try again message. Looking in the ume logs there are also lots of warnings about the new data source id (CORP_LDAP_CONSULTANTS) not being initialized. And we also can no longer add new groups or users.
    Any thoughts?
    Think we may have fixed that problem. Wrong authorizations? But now we get a whole new problem. During startup of portal our error_logs get a whole series of messages about NameNotFoundException around groups and users. Looking closely some of the user domains don't even exist in the LDAP any more.
    Also when we try and add a user we get an error saying "PersistanceException: No Data Source feels Repsonsible for principal!"
    ANY PEARLS OF WISDOM
    We are on EP6 SP2

    Hi guys,
    I'm running into exactly the same issue. The problem seems to occur only when the report being accessed by guest is a file data source. The only other option I could think of is setting up SSO for BIP and the application issuing the URL to the report.
    Couldn't find anything else in the documentation or known issues list that might fix this without having to set up Single Sign On. Any further luck with your investigation? I'd appreciate any feedback.
    Thanks
    Jonathan Cruz

  • IPLANET LDAP config

    I'm trying to connect to an iPlanet 4.1 from wls7. I configured everything, but
    I couldn't see groups or users... I read in older posts here that talk about the config.xml,
    but there's nothing in there. Where does wls save the info about the ldap config?
    Besides, is it necessary to set up all the items below Providers, or just the Authentication
    providers?
    I'm using Directory manager by principal.
    people -> base dn=o=sunat.gob.pe, ou=People
    groups -> base dn=o=sunat.gob.pe, ou=Groups
    thanks for any help...

    Hi Amitabha,
    I have faced the same problem some time back. Weblogic keeps it security information
    under
    "%BEA_HOME%\user_projects\zionsbank\userConfig\Security" directory. You must
    have known the time you created the new realm; remove all the folders under security/
    created at that time. Your configuration will be restored to the one you had
    before creating the new realm.
    Hope it will work.
    Amir
    "Amitabha Mitra" <[email protected]> wrote:
    >
    Hi,
    We have created a new realm with the provider as the iplanet LDAP. There
    was no
    problem creating the realm. We have set this realm as the default realm
    for the
    domain. But when we start up the server(with userid and password as weblogic
    the default administrator uid/pwd with which it was working fine before
    changing
    the default realm) is now giving the following error :
    java.lang.SecurityException: Authentication for user weblogic denied
    at weblogic.security.service.SecurityServiceManager.doBootAuthorization(SecurityServiceManager.java:978)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1116)
    at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
    at weblogic.Server.main(Server.java:31)
    The server is thus not starting up.
    We tried with creating a user called 'weblogic' under a group called
    'Administrators'
    in the iPlanet LDAP but it is giving the same error.
    Is there any other configuration that needs to be done ?
    Is the Administrator,developer and application level security controlled
    from
    the same place.
    Rgds,
    Amitabha

  • Auto-binding via DHCP LDAP info

    In OSX 10.5 (client) there was an option in Directory Utility called "Add DHCP-supplied LDAP servers to automatic search policies". 10.6 (client) doesn't appear to have this option.
    Can anyone tell me if I can set 10.6 clients to auto-bind to an OD domain based on DHCP info or do I need to manually join from each client (and then re-join if the server name changes)?

    Looks like this feature has been discontinued.
    http://support.apple.com/kb/HT3844
    I'm very disappointed as I've come to rely on this feature at many of the school districts that I manage.
    There are ways to script binding to a server, but I loved the DHCP feature as I could change out an LDAP server during a school year and just update DHCP in one place to switch all of my clients to the new server.
    -Henry

  • AIR-CT2504-50-K9 with out DHCP Static config

    We have an AIR-CT2504-50-K9 and 30 AIR-CAP1602I-TK910 devices; we want to configure the APs through the controller without DHCP.

    Yes, you can use the internal DHCP server on the WLC-2500 to lease IPs to the connected APs using L2/broadcast. Once an AP gets an IP you can make those IPs static on the APs via the check box on the AP's General tab after it joins the WLC.
    Remember, the WLC DHCP server doesn't support option 43; if the AP and WLC management are L3, be sure to use ip-helper at L3 for WLC discovery. Also, I don't think an AP may receive an IP from the WLC DHCP server when it is L3 and DHCP proxy is used instead of broadcast.

  • DHCP LDAP search base

    Hi,
    What setting should be put in the search base box in the LDAP tab of DHCP? I would like users to be able to access the OD database in tools such as the Address Book.
    (I currently have the dc=<name>,dc=<suffix> where these are the name.suffix of my domain). In this configuration, the users can not see the LDAP database.
    Thanks,
    Dave

    Hi Hiya,
    Thank you for taking the time to look at my question. Here's my problem. We're setting up a VOIP phone system and one of the questionnaire items is to provide the LDAP Search Base String of my AD. I'm not sure if I need
    to provide all of this search base (DC, CN and OU); all I want to know is which of the elements I should provide.
    I think my LDAP search base string is "OU=xxx,DC=mydomain,DC=local". (I'm still not sure but if you have an idea please help).
    Thank you.
    Jay
    aja

  • Making DHCP LDAP-fault-tolerant

    Hi all!
    We have a standalone OES2 server doing DHCP. Inside the dhcpd.conf one ldap-server is addressed (which is our replica server).
    Is it possible to make this LDAP connection redundant, meaning, is it possible to add more LDAP servers in the configuration file? And with what kind of syntax...?
    Please note that we do not want to make the DHCP service itself redundant - only the LDAP connection.
    Many thanks for hints.

    chobbes,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://forums.novell.com/

  • DHCP and LDAP at Login... possible?

    Hi..
    All my users use network homes and are working fine via static IPs and manual LDAP settings. (So why fix it, right?)
    I want to try moving my clients to DHCP to simplify setups. I enabled DHCP and configured the options for IPs as well as the LDAP settings. On the clients I set to DHCP in network settings, and Auto assign DHCP LDAP in Directory Access.
    Problem is, when clients boot up, they don't seem to get their DHCP assignment until after a user logs in, which prevents them from reading the LDAP unless a local user logs in to register DHCP.
    Is there a way to force the client to register DHCP at the login window, rather than after logging in a [local] user?
    Or am I misdiagnosing the problem?

    Hi,
    supplying LDAP information via DHCP works. The only issue is that it will take a while (up to 10 seconds or even longer) until a network user can log in. So patience is the key!
    Try this: in the loginwindow, click several times on the Bonjour name of your client. The displayed information (SN, ip address, etc) will change. There is a new info displayed about availability of network-accounts. Its bullet should be red right after loginwindow is launched, but turn green after a while if you use DHCP.
    If it stays red, you have another issue, probably related to DHCP and the provided LDAP-info.
    Oliver

  • Deleting the dhcp (or other) config from server admin

    I'm trying to fully wipe a dhcp service config in server admin, yet the leases and other config lines show up when I disable/re-enable the service. I tried moving /etc/bootpd.plist, and it doesn't seem to matter.
    What do I need to do to get it to a clean slate?
    I originally imported a dhcp.plist pulled from a 10.4 server before the clean install.
    thanks for any help.

    I'll answer my own question.
    re/moving the following files worked fine after stopping dhcp:
    /etc/bootpd.plist
    /var/db/dhcpd_leases
    there's also /var/db/dhcpclient/ and /var/db/dhcp_leases, which didn't seem to contain anything.

  • DHCP - Cannot add text option for VOIP phones in OES Linux

    While working through this, I solved the issue, but decided to post this anyway as it may help others to find these sorts of errors.
    I'm working on migrating from NetWare 6.5sp8 to OES11sp2. Client has Shoretel VOIP phones. Existing NetWare-based DHCP has no problem. Option 156 has been configured to give out the required text information that Shoretel phones require.
    Problem is that I could not get the OES11 DHCP to run with that option. Nor could I migrate the existing option over - the Migration Tool (in OES11) says it successfully migrates DHCP, but I cannot start the dhcpd daemon. Error is that it failed, and in the rc.dhcpd.log file I see an error:
    LDAP Line 26: unknown option dhcp.Shoretel_Boot.
    LDAP Line 26: unexpected end of file
    LDAP: cannot parse dhcpService entry 'cn=newdhcpservice,o=LIBRARY'
    Configuration file errors encountered -- exiting
    If I look in the file (created when LDAP reads DHCP config from eDirectory apparently) dhcp-ldap-startup.log I can see the problem entry at line 26:
    option Shoretel_Boot "FTPSERVERS=172.30.43.8,COUNTRY=1,LANGUAGE=1,L AYER default-lease-time 259200 ;
    This option does NOT show up in the newdhcpservice option when I look at it in ConsoleOne, or DSBROWSE, or DNS/DHCP Management Console.
    This option DOES show up in the DNS/DHCP Management Console if I look at the DHCP (NetWare) tab and look at Other DHCP Options for some of the configured subnets, but it actually has different text from the above, specifically:
    FTPSERVERS=172.30.43.8,COUNTRY=1,LANGUAGE=1,LAYER2 TAGGING=1,VLANID=9
    Note that it does not have a " character anywhere in the entry. This option is configured as a Global DHCP text option.
    Novell TID 7009464 mentions the issue, though not for Option 156. In that TID there is this:
    "Situation #2
    Migrate a working DHCP server with DHCP options that are of type "Text" to an OES server.
    Load the DHCP server service... it fails to load and gives similar errors to the ones listed above."
    Under resolution the TID says to delete and recreate the dhcp service object without the text option and it will load. That doesn't work for me as I still get an LDAP error pointing to the Shoretel_Boot unknown option. (I dare not try deleting it from the NetWare DHCP config and risk breaking the client's phone system).
    One of the options in the TID to fix this is to re-enter the data using the DNS/DHCP Management Console - but that didn't work.
    Here is the answer:
    First, the log files are misleading. The error message points to not being able to read the newdhcpservice object entry - but the problem was elsewhere. In fact the problem showed up in the logs even when there were no option 156 entries at all in any object inside the newdhcpservice or the newdhcpservice object itself. The problem existed in the NetWare configuration of the object for one of the dhcp subnets.
    Specifically, there was an illegal character in the text entry for option 156 - the # character was in there, like this:
    FTPSERVERS=172.30.43.8,COUNTRY=1,LANGUAGE=1,LAYER# 2TAGGING=1,VLANID=9
    If you look at the error log entry for syntax error you can see that the option 156 text stopped at the # symbol, and then default-lease-time was appended to the end.
    Removing the # symbol got things working.
    Craig Johnson
    (former Novell partner / sysop)
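    Craig's diagnosis describes the failure mode: a '#' inside a text option value truncated the generated config line and left the quoted string open, so the next statement was swallowed into it. The following is an added example, not code from the thread or from Novell, that checks exported text option values for such characters before a migration and shows how the broken line would be read; the NAME|VALUE sample export and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example (not Craig's or Novell's code): pre-flight check for DHCP "text"
# option values before migrating them from eDirectory to an OES/ISC dhcpd server.
# Craig's log shows the generated config cut off at the '#' inside the option 156
# value, leaving the quoted string open so that the following statement
# ("default-lease-time 259200 ;") was swallowed into it.

# Exit 0 if VALUE can be emitted safely as    option NAME "VALUE";
# exit 1 if it contains a character that breaks the quoted string:
# '#' starts a comment, '"' closes the string early, '\' starts an escape.
check_dhcp_text_option() {
    case "$1" in
        *'#'*|*'"'*|*'\'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Show how the generated line would be parsed: cut at the first '#' (comment),
# then check whether the string is still open. Prints the line as the parser
# sees it; exits 1 when the quote is unterminated and the next statement
# (NEXT_STMT) has become part of the option value.
render_dhcp_option() {
    name=$1 value=$2 next_stmt=$3
    line="option $name \"$value\";"
    visible=${line%%#*}
    quotes=$(printf '%s' "$visible" | tr -cd '"' | wc -c | tr -d ' ')
    if [ $((quotes % 2)) -ne 0 ]; then
        printf '%s %s\n' "$visible" "$next_stmt"
        return 1
    fi
    printf '%s\n' "$visible"
}

# Constructed sample export (NAME|VALUE per line). The first value is the one
# quoted in the thread; the second is the same value without the '#'.
SAMPLE_OPTIONS='Shoretel_Boot|FTPSERVERS=172.30.43.8,COUNTRY=1,LANGUAGE=1,LAYER# 2TAGGING=1,VLANID=9
Shoretel_Boot_fixed|FTPSERVERS=172.30.43.8,COUNTRY=1,LANGUAGE=1,LAYER2TAGGING=1,VLANID=9
Vendor_Info|"quoted" value'

# Check every sample entry, one verdict per line; exit status = number of bad values.
scan_options() {
    bad=0
    while IFS='|' read -r name value; do
        if check_dhcp_text_option "$value"; then
            printf 'OK   %s\n' "$name"
        else
            bad=$((bad + 1))
            printf 'BAD  %s -> %s\n' "$name" \
                "$(render_dhcp_option "$name" "$value" 'default-lease-time 259200 ;' || true)"
        fi
    done <<EOF
$SAMPLE_OPTIONS
EOF
    return $bad
}

scan_options || echo "$? option value(s) would break the generated dhcpd.conf"
```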

    On 30/08/2014 21:16, phxazcraig wrote:
    > While working through this, I solved the issue, but decided to post this
    > anyway as it may help others to find these sorts of errors.
    >
    > I'm working on migrating from NetWare 6.5sp8 to OES11sp2. Client has
    > Shoretel VOIP phones. Existing NetWare-based DHCP has no problem.
    > Option 156 has been configured to give out the required text information
    > that Shoretel phones require.
    >
    > Problem is that I could not get the OES11 DHCP to run with that option.
    > Nor could I migrate the existing option over - the Migration Tool (in
    > OES11) says it successfully migrates DHCP, but I cannot start the dhcpd
    > daemon. Error is that it failed, and in the rc.dhcpd.log file I see
    > an error:
    >
    > LDAP Line 26: unknown option dhcp.Shoretel_Boot.
    > LDAP Line 26: unexpected end of file
    > LDAP: cannot parse dhcpService entry 'cn=newdhcpservice,o=LIBRARY'
    > Configuration file errors encountered -- exiting
    >
    >
    > If I look in the file (created when LDAP reads DHCP config from
    > eDirectory apparently) dhcp-ldap-startup.log I can see the problem entry
    > at line 26:
    >
    > option Shoretel_Boot
    > "FTPSERVERS=172.30.43.8,COUNTRY=1,LANGUAGE=1,L AYER default-lease-time
    > 259200 ;
    >
    >
    > This option does NOT show up in the newdhcpservice option when I look at
    > it in ConsoleOne, or DSBROWSE, or DNS/DHCP Management Console.
    >
    > This option DOES show up in the DNS/DHCPManagement Console if I look at
    > the DHCP (NetWare) tab and look at Other DHCP Options for some of the
    > configured subnets, but it actually has different text from the above,
    > specifically:
    >
    > FTPSERVERS=172.30.43.8,COUNTRY=1,LANGUAGE=1,LAYER2 TAGGING=1,VLANID=9
    >
    > Note that it does not have a " character anywhere in the entry. This
    > option is configured as a Global DHCP text option.
    >
    > Novell TID 7009464 mentions the issue, though not for Option 156. In
    > that TID there is this:
    > "Situation #2
    > Migrate a working DHCP server with DHCP options that are of type
    > "Text" to an OES server.
    > Load the DHCP server service... it fails to load and gives similar
    > errors to the ones listed above."
    >
    > Under resolution the TID says to delete and recreate the dhcp service
    > object without the text option and it will load. That doesn't work for
    > me as I still get an LDAP error pointing to the Shoretel_Boot unknown
    > option. (I dare not try deleting it from the NetWare DHCP config and
    > risk breaking the client's phone system).
    >
    > One of the options in the TID to fix this is to re-enter the data using
    > the DNS/DHCP Management Console - but that didn't work.
    >
    > Here is the answer:
    > First, the log files are misleading. The error message points to not
    > being able to read the newdhcpservice object entry - but the problem was
    > elsewhere. In fact the problem showed up in the logs even when there
    > were no option 156 entries at all in any object inside the
    > newdhcpservice or the newdhcpservice object itself. The problem
    > existed in the NetWare configuration of the object for one of the dhcp
    > subnets.
    >
    > Specifically, there was an illegal character in the text entry for
    > option 156 - the # character was in there, like this:
    >
    > FTPSERVERS=172.30.43.8,COUNTRY=1,LANGUAGE=1,LAYER# 2TAGGING=1,VLANID=9
    >
    > If you look at the error log entry for syntax error you can see that the
    > option 156 text stopped at the # symbol, and then default-lease-time was
    > appended to the end.
    >
    > Removing the # symbol got things working.
    >
    > Craig Johnson
    > (former Novell partner / sysop)
    Thanks for taking the time to post the above as I'm sure it will help
    someone else in the future.
    Simon
    Novell Knowledge Partner

  • Rc.local script to bind and add ldap server

    Greetings All,
    For the past few years, I've used the script below to bind and add authentication servers to my client machines. The process is simple enough, copy the rc.local script (ref'd below) to /etc/ as root and reboot the client. The problem now, is I don't know if this will work in 10.6. As I read this script, I realized there have been enough changes in location of files and file names between 10.5 and 10.6 that this script isn't going to work.
    My question to you guys is this: Is anyone else taking care of their binding/auth services in a similar manner? If so, would you mind sharing the script you're using?
    Thanks,
    -dave
    Here's mine:
    #!/bin/sh
    # WARNING -- REMEMBER TO UNCOMMENT THE SELF-DELETING LINE!
    #Site and/or District-specific Variables
    #Local Admin in Image
    LOCADMIN="tech" # Local admin user in your image
    LOCPASSWD="techpwd" # Local admin password in your image
    #Open Directory
    ODSITESERVER="odr1.mydomain.edu" # FQDN of the Open Directory Server
    ODADMIN="diradmin" # Directory Admin for Open Directory
    ODPASSWD="diradminpwd" #Password for OD Directory Admin
    ### DO NOT EDIT BELOW THIS LINE!
    OSMAJORVER=`sw_vers | grep ProductVersion | awk '{print $2}' | cut -c 1-4`
    ENETADDRESS=`ifconfig en0 | grep ether | awk '{print $2}'`
    #Give the network time to come online
    logger "Sleeping 30 seconds"
    sleep 30
    #Set Date and Time
    case $OSMAJORVER in
    10.3) date > /Library/Logs/binder.log 2>&1
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup-panther -setusingnetworktime off >> /Library/Logs/binder.log 2>&1
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup-panther -setusingnetworktime on >> /Library/Logs/binder.log 2>&1
    date >> /Library/Logs/binder.log 2>&1 ;;
    10.4) date > /Library/Logs/binder.log 2>&1
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup-tiger -setusingnetworktime off >> /Library/Logs/binder.log 2>&1
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup-tiger -setusingnetworktime on >> /Library/Logs/binder.log 2>&1
    date >> /Library/Logs/binder.log 2>&1 ;;
    10.5) date > /Library/Logs/binder.log 2>&1
    /usr/sbin/systemsetup -setusingnetworktime off >> /Library/Logs/binder.log 2>&1
    /usr/sbin/systemsetup -setusingnetworktime on >> /Library/Logs/binder.log 2>&1
    date >> /Library/Logs/binder.log 2>&1 ;;
    esac
    #Set Bonjour and Computer Names
    # logger "Setting Bonjour and Computer Names"
    # SERIALNUMBER=`ioreg -l |grep IOPlatformSerialNumber | awk '{print $4}' | cut -d \" -f 2`
    # SECONDOCTET=`ifconfig -a | grep inet | grep -v inet6 | awk '{print $2}' | grep ^10\. | head -n 1 | awk 'BEGIN {FS="."}; { printf "%03d", $2 }'`
    # COMPUTERID="A""$SECONDOCTET""$SERIALNUMBER"
    # logger "Computer name is $COMPUTERID"
    # scutil --set LocalHostName "$COMPUTERID"
    # scutil --set ComputerName "$COMPUTERID"
    # sleep 3
    #Set the Open Directory Server we are binding to based on the second octet of the IP address received from the DHCP lease
    # case $SECONDOCTET in
    # 002|005|047|110|112|115|119|121|123|128|133|153|241|247|250|251|253) ODSITESERVER="a941wgm.austinisd.org" ; RING="A1N";;
    # 009|045|046|052|053|107|109|117|131|132|138|144|151|154|155|179) ODSITESERVER="a117wgm.austinisd.org" ; RING="B1N";;
    # 004|006|010|048|055|056|102|106|118|129|141|149|152|157|159|161|163|164|165|178|189|244|249) ODSITESERVER="a006wgm.austinisd.org" ; RING="C1N";;
    # 003|012|015|044|051|105|108|111|116|122|124|125|126|127|139|142|145|150|245) ODSITESERVER="a044wgm.austinisd.org" ; RING="D1N";;
    # 007|043|049|058|103|104|114|140|146|160|162|168|171|174|175|176|185|190|246|101) ODSITESERVER="a007wgm.austinisd.org" ; RING="B1S";;
    # 101) ODSITESERVER="a007wgm.austinisd.org" ; RING="B2S";;
    # 008|013|017|054|059|061|120|130|136|147|156|166|172|173|182|184) ODSITESERVER="a008wgm.austinisd.org" ; RING="C1S";;
    # 057|060|113|143|148|158|170|180|181|183|248) ODSITESERVER="a008wgm.austinisd.org" ; RING="C2S";;
    # *) ODSITESERVER="a000wgm.austinisd.org" ; RING="A0N";;
    # esac
    #Remove Existing Directory Services Config
    logger "Removing existing DS Config"
    rm -R /Library/Preferences/DirectoryService/ActiveDirectory*
    rm -R /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig*
    rm -R /Library/Preferences/DirectoryService/SearchNode*
    rm -R /Library/Preferences/DirectoryService/ContactsNode*
    rm -R /Library/Preferences/edu.mit.*
    rm -R /etc/krb5.keytab
    #Enable and disable appropriate plugins
    case $OSMAJORVER in
    10.3) defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Inactive" >> /Library/Logs/binder.log 2>&1
    defaults write /Library/Preferences/DirectoryService/DirectoryService "LDAPv3" "Active" >> /Library/Logs/binder.log 2>&1
    defaults write /Library/Preferences/DirectoryService/DirectoryService "AppleTalk" "Inactive" >> /Library/Logs/binder.log 2>&1
    defaults write /Library/Preferences/DirectoryService/DirectoryService "SLP" "Inactive" >> /Library/Logs/binder.log 2>&1
    defaults write /Library/Preferences/DirectoryService/DirectoryService "BSD" "Inactive" >> /Library/Logs/binder.log 2>&1
    defaults write /Library/Preferences/DirectoryService/DirectoryService "SMB" "Inactive" >> /Library/Logs/binder.log 2>&1
    plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist >> /Library/Logs/binder.log 2>&1 ;;
    10.4) defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Inactive" >> /Library/Logs/binder.log 2>&1
    defaults write /Library/Preferences/DirectoryService/DirectoryService "LDAPv3" "Active" >> /Library/Logs/binder.log 2>&1
    defaults write /Library/Preferences/DirectoryService/DirectoryService "AppleTalk" "Inactive" >> /Library/Logs/binder.log 2>&1
    defaults write /Library/Preferences/DirectoryService/DirectoryService "SLP" "Inactive" >> /Library/Logs/binder.log 2>&1
    defaults write /Library/Preferences/DirectoryService/DirectoryService "BSD" "Inactive" >> /Library/Logs/binder.log 2>&1
    defaults write /Library/Preferences/DirectoryService/DirectoryService "SMB" "Inactive" >> /Library/Logs/binder.log 2>&1
    plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist >> /Library/Logs/binder.log 2>&1 ;;
    10.5) defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Inactive" >> /Library/Logs/binder.log 2>&1
    defaults write /Library/Preferences/DirectoryService/DirectoryService "LDAPv3" "Active" >> /Library/Logs/binder.log 2>&1 ;;
    esac
    #Copy in updated ldap.conf file for Leopard machines, which disables the verification of SSL certs used for LDAP Authentication
    case $OSMAJORVER in
    10.5) cp /etc/ldap.conf-leopard /etc/openldap/ldap.conf ;;
    esac
    #Kill Directory Services and respawn to return to DS Defaults
    logger "Respawning DS"
    killall -9 DirectoryService
    #Running "id" triggers a DS Respawn
    id "$LOCADMIN" >> /Library/Logs/binder.log 2>&1
    sleep 3
    #Fix SearchNode plist
    case $OSMAJORVER in
    10.3) logger "Disabling LDAP via DHCP"
    defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "DHCP LDAP" -dict "/Sets/0" -bool FALSE >> /Library/Logs/binder.log 2>&1
    plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist >> /Library/Logs/binder.log 2>&1
    killall -9 DirectoryService >> /Library/Logs/binder.log 2>&1
    sleep 3 ;;
    10.4) logger "Disabling LDAP via DHCP"
    defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "DHCP LDAP" -dict "/Sets/0" -bool FALSE >> /Library/Logs/binder.log 2>&1
    plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist >> /Library/Logs/binder.log 2>&1
    killall -9 DirectoryService >> /Library/Logs/binder.log 2>&1
    sleep 3 ;;
    esac
    #Configure LDAPv3 Plugin -- fix with site-specific data
    logger "Configuring LDAPv3 Plugin"
    case $OSMAJORVER in
    10.4) dsconfigldap -v -l "$LOCADMIN" -q "$LOCPASSWD" -a "$ODSITESERVER" -n "Open Directory" >> /Library/Logs/binder.log 2>&1 ;;
    10.5) dsconfigldap -v -l "$LOCADMIN" -q "$LOCPASSWD" -a "$ODSITESERVER" -n "Open Directory" >> /Library/Logs/binder.log 2>&1 ;;
    esac
    sleep 3
    #Make sure we init DS and confirm connectivity to each LDAP directory
    logger "Checking OD Node Connectivity"
    date >> /Library/Logs/binder.log
    echo "Checking OD Node Connectivity" >> /Library/Logs/binder.log
    dscl localhost -list /LDAPv3/$ODSITESERVER/Groups >> /Library/Logs/binder.log 2>&1
    #Configure Search Path
    logger "Configuring Search Nodes"
    date >> /Library/Logs/binder.log
    echo "Configuring Search Nodes" >> /Library/Logs/binder.log
    dscl localhost -read /Search >> /Library/Logs/binder.log 2>&1
    case $OSMAJORVER in
    10.3) defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
    defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/LDAPv3/$ODSITESERVER"
    killall -9 DirectoryService ;;
    10.4) dscl /Search -append / CSPSearchPath "/LDAPv3/$ODSITESERVER" >> /Library/Logs/binder.log 2>&1
    dscl /Search -create / SearchPolicy CSPSearchPath >> /Library/Logs/binder.log 2>&1 ;;
    10.5) dscl /Search -append / CSPSearchPath "/LDAPv3/$ODSITESERVER" >> /Library/Logs/binder.log 2>&1
    dscl /Search -create / SearchPolicy CSPSearchPath >> /Library/Logs/binder.log 2>&1 ;;
    esac
    date >> /Library/Logs/binder.log
    echo "Confirming Search Nodes" >> /Library/Logs/binder.log
    dscl localhost -read /Search >> /Library/Logs/binder.log 2>&1
    #Remove any stale computer records from Open Directory
    logger "Removing stale computer records from OD"
    dscl /LDAPv3/"$ODSITESERVER" -search Computers ENetAddress "$ENETADDRESS" | awk 'BEGIN {FS="\t\t"}; { print $1 }' | while read COMPNAME
    do
    dscl -u "$ODADMIN" -P "$ODPASSWD" /LDAPv3/"$ODSITESERVER" -delete Computers/"$COMPNAME" >> /Library/Logs/binder.log 2>&1
    done
    #Add computer record to Open Directory
    logger "Adding new Computer Record to OD"
    dscl -u "$ODADMIN" -P "$ODPASSWD" /LDAPv3/"$ODSITESERVER" -create Computers/`scutil --get LocalHostName` ENetAddress "$ENETADDRESS" >> /Library/Logs/binder.log 2>&1
    #Add to designated computer list - this is ONLY for 10.4 server. This will need to be replaced for 10.5 server.
    COMPUTERGROUP="Unprovisioned" # Computer List
    COMPUTERID=`scutil --get LocalHostName` # Same record name as created above; the earlier block that set COMPUTERID is commented out
    logger "Adding to Computer List: $COMPUTERGROUP"
    dscl -u "$ODADMIN" -P "$ODPASSWD" /LDAPv3/"$ODSITESERVER" -create Computers/"$COMPUTERID" ENetAddress "$ENETADDRESS"
    dscl -u "$ODADMIN" -P "$ODPASSWD" /LDAPv3/"$ODSITESERVER" -append ComputerLists/"$COMPUTERGROUP" Computers "$COMPUTERID"
    #Refresh the MCX Cache
    logger "Refreshing the MCX Cache"
    case $OSMAJORVER in
    10.3) /System/Library/LoginPlugins/MCX.loginPlugin/Contents/MacOS/MCXCacher -f >> /Library/Logs/binder.log 2>&1
    /System/Library/LoginPlugins/MCX.loginPlugin/Contents/MacOS/MCXCacher >> /Library/Logs/binder.log 2>&1 ;;
    10.4) /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher -f >> /Library/Logs/binder.log 2>&1
    /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher >> /Library/Logs/binder.log 2>&1 ;;
    esac
    #Disable automatic login on the client
    defaults write /Library/Preferences/.GlobalPreferences com.apple.userspref.DisableAutoLogin -bool TRUE
    #Enable login hooks on the client
    case $OSMAJORVER in
    10.4|10.5) defaults write /var/root/Library/Preferences/com.apple.loginwindow EnableMCXLoginScripts -bool true
    defaults write /var/root/Library/Preferences/com.apple.loginwindow MCXScriptTrust Anonymous ;;
    esac
    #Enable Directory Services Status by default on loginwindow
    # case $OSMAJORVER in
    # 10.4|10.5) defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus ;;
    #esac
    #Modify the binder log so that only admin viewers may access the file
    chmod u=rw,go= /Library/Logs/binder.log
    sleep 5
    #killall loginwindow
    sleep 5
    #Comment the lines below, until shutdown if you do not want the script to replace itself with a 30 second delay on startup to ensure the client receives a DHCP lease before loginwindow appears
    case $OSMAJORVER in
    10.3|10.4) echo sleep 30 > /etc/rc.local ;;
    *) srm /etc/rc.local ;;
    esac
    shutdown -r now
    #Exit
    exit 0

    The first thing I would verify is if you can connect and traverse your Active Directory/Domain Controller using Softerra's free ldap browser.
    1. Softerra ldap browser link
    http://download.softerra.com/files/ldapbrowser26.msi
    Put in the IP/hostname of the domain controller, use the same BASE DN, and user credentials that you used on the IronPort appliance.
    I would highly recommend that you create a separate account for the IronPort. (i.e. ironportldap). Do this so that you don't have to worry about accidentally resetting the password and then forgetting to update the IronPort appliance.
    2. Once you've verified that you can connect and see your tree, use the same settings from Softerra ldap browser and put them in the IronPort ldap interface.
    Try this for your Accept query string
    (|(mail={a})(proxyAddresses=smtp:{a}))
    3. If it still fails, enable the ldap debug log if you haven't already and paste in the error.
    We are trying to add an LDAP Server Profile but every time we try to test the Accept Query we get an
    "Error - Error: configuration error" message.
    We are using AD, top of the tree for base DN. dc=domain, dc=local.
    We tried communicating with 2 different servers via telnet on ports 389, 3268, both are open.
    Tried port 389 and 3268, no SSL, Anonymous and User Password authentication methods.
    The error left us clueless since we followed the instructions on the user manual.
    For the accept query we tried this query string: (proxyAddresses=smtp:{a})
    Any ideas or pointers to what could be causing this are very appreciated.
    Thanks.
    Ed.
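    The accept query suggested above substitutes the recipient address for {a}. As an added example (not IronPort or Cisco code, and not from this thread), the Python below renders that query with RFC 4515 escaping of the substituted value and evaluates it against a few constructed AD-style entries, so you can see what the appliance's search would match before you go debugging the live connection. The entries, DNs and addresses are constructed; only the filter template and the attribute names mail and proxyAddresses come from the post.

```python
"""Render the IronPort-style accept query and evaluate it locally.
Added example, not IronPort/Cisco code. ENTRIES are constructed; the filter
template and attribute names (mail, proxyAddresses) come from the thread."""
import re

ACCEPT_QUERY = "(|(mail={a})(proxyAddresses=smtp:{a}))"

# Constructed AD-style entries (not real data)
ENTRIES = [
    {"dn": "CN=Alice,OU=Users,DC=domain,DC=local",
     "mail": ["alice@domain.local"],
     "proxyAddresses": ["SMTP:alice@domain.local", "smtp:a.smith@domain.local"]},
    {"dn": "CN=Bob,OU=Users,DC=domain,DC=local",
     "mail": ["bob@domain.local"],
     "proxyAddresses": ["SMTP:bob@domain.local"]},
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter: '*', '(', ')', '\\'
    and NUL become \\XX so a crafted recipient address cannot change the query."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)

def render_accept_query(recipient: str, template: str = ACCEPT_QUERY) -> str:
    """Substitute the (escaped) recipient address for every {a} in the template."""
    return template.replace("{a}", escape_filter_value(recipient))

def _unescape(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def _parse(f: str, i: int = 0):
    """Minimal RFC 4515 parser: (&...), (|...), (!...) and (attr=value) equality."""
    if f[i] != '(':
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if f[i] in '&|!':
        op, i, kids = f[i], i + 1, []
        while f[i] == '(':
            node, i = _parse(f, i)
            kids.append(node)
        if f[i] != ')':
            raise ValueError("expected ')' at %d" % i)
        return (op, kids), i + 1
    end = f.index(')', i)          # ')' inside a value is always escaped as \29
    attr, _, value = f[i:end].partition('=')
    return ('=', attr, _unescape(value)), end + 1

def _eval(node, entry) -> bool:
    """Evaluate a parsed filter; names and values compare case-insensitively,
    as AD's caseIgnore matching does for mail and proxyAddresses."""
    if node[0] == '&':
        return all(_eval(k, entry) for k in node[1])
    if node[0] == '|':
        return any(_eval(k, entry) for k in node[1])
    if node[0] == '!':
        return not _eval(node[1][0], entry)
    _, attr, wanted = node
    values = next((v for k, v in entry.items()
                   if k != "dn" and k.lower() == attr.lower()), [])
    return any(v.lower() == wanted.lower() for v in values)

def matching_dns(filter_str: str, entries=ENTRIES):
    """DNs of entries the filter matches (what the appliance's search would return)."""
    tree, end = _parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["dn"] for e in entries if _eval(tree, e)]

def accepted(recipient: str, entries=ENTRIES) -> bool:
    """True when the accept query finds at least one entry for the recipient."""
    return bool(matching_dns(render_accept_query(recipient), entries))
```

    A recipient such as `*` is rendered as `\2a` rather than left as a wildcard, which is the behaviour you want from anything that builds filters out of envelope addresses; an address that only appears as a secondary proxyAddresses value is still accepted, which is the point of the `|` in the suggested query.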

  • Single sign-on using Kerberos and Ldap

    I am currently setting up single sign-on using Kerberos for authentication and Ldap for authorization and information store.
    The setup includes several Solaris 8 & 9 workstations, a couple of SGI's, as well as a M$ terminal server farm, several WinXP desktops and their associated Active Directory.
    I am required to authenticate etc against the AD. (which has M$ SFU3.5 installed)
    I have the Kerberos authentication and part of the Ldap service working via pam & nss.
    i.e. I can log on to the Solaris workstations using the AD username and password, mount the home directory from a M$ NFS server.
    BUT...
    id gives:- userID, groupID (primary group only)
    groups :- primary group only. (no secondary groups are listed)
    Question: what additional configuration information do I need in the pam, nss &/or ldap config files, so that I can list the secondary groups.
    Thanks in advance for any help.

    After evaluating (giving up on, and finally throwing out) the Sun Directory server it looks like we are going to end up with a similar solution.
    Sadly enough, the MS AD seems much more stable and easier to handle than Sun's DS, Kerberos and associated services.
    Anyway, currently we are evaluating a product called vintela ( www.vintela.com ), and it seems very promising; it's easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional nss module called 'vas', so you can easily retrieve data like hosts/groups from your AD.
    //M.
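    The symptom in the question above (id and groups show only the primary group) is what you get when the NSS group map reads a membership attribute the directory does not populate: the primary gid comes from the user entry, but secondary groups are found by searching group entries that list the user. The Python below, an added example rather than Solaris, nss_ldap or SFU code, emulates that lookup over constructed entries with membership stored under three different attribute names. The entries, DNs and the attribute name msSFU30PosixMember are assumptions made for illustration; the thread does not say which attribute the poster's AD actually uses.

```python
"""Emulate the NSS group lookup behind `id`/`groups` to show why only the
primary group appears when the group map reads the wrong membership attribute.
Added example, not Solaris, nss_ldap or SFU code. Entries, DNs and the
attribute name msSFU30PosixMember are constructed assumptions."""

# Constructed user entries (not real data)
USERS = {
    "jdoe":   {"dn": "CN=jdoe,CN=Users,DC=example,DC=com",   "uidNumber": 1001, "gidNumber": 100},
    "asmith": {"dn": "CN=asmith,CN=Users,DC=example,DC=com", "uidNumber": 1002, "gidNumber": 100},
}

# Constructed group entries. Membership lives in three different attributes:
# memberUid (RFC 2307), msSFU30PosixMember (assumed SFU-style name) and member (DN-valued).
GROUPS = [
    {"cn": "users", "gidNumber": 100,  "memberUid": ["jdoe", "asmith"]},
    {"cn": "eng",   "gidNumber": 2001, "msSFU30PosixMember": ["jdoe", "asmith"]},
    {"cn": "ops",   "gidNumber": 2002, "member": ["CN=jdoe,CN=Users,DC=example,DC=com"]},
]

def resolve_groups(user, groups=GROUPS, member_attr="memberUid"):
    """Primary gid from the user entry; secondary gids from every group whose
    member_attr lists the user by uid or by DN. Returns (primary, sorted secondaries)."""
    entry = USERS[user]
    primary = entry["gidNumber"]
    secondaries = sorted(
        g["gidNumber"] for g in groups
        if g["gidNumber"] != primary
        and (user in g.get(member_attr, []) or entry["dn"] in g.get(member_attr, []))
    )
    return primary, secondaries

def resolve_all(user, groups=GROUPS, member_attrs=("memberUid",)):
    """Union over several membership attributes, the result a map naming each
    of them would give."""
    primary = USERS[user]["gidNumber"]
    secs = set()
    for attr in member_attrs:
        secs.update(resolve_groups(user, groups, attr)[1])
    return primary, sorted(secs)
```

    With the RFC 2307 default (memberUid) jdoe resolves to the primary gid and nothing else, exactly the output described in the question; pointing the lookup at the attribute the directory really populates is what makes the secondary groups appear. On the real system that mapping belongs in the client's LDAP attribute map, and the right attribute name has to be read from the AD schema in use, not assumed.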

  • LDAP External Authentication Multiple Search Base DNs question

    hi,
    I'm trying to add two LDAP search DNs to a portal 6.2 organisation.
    with one search base dn it works fine.
    when i add another, all ldap auth for that org stops working.
    the docs confusingly state that if you have multiple search dns (not talking about multiple ldap servers here - just the search base dns) that you should prefix each entry with the local server name. the docs however provide no examples of the syntax.
    can anyone provide an example for multiple search dns? e.g. is it <server:port>:o=<etc> (doesn't seem to work).
    thanks

    hi,
    yes i have.. but when you enter more than one it stops working... with only one entry in the gui it will work for that entry but when you add another it stops working...
    i had to use a manual workaround like this to get the second going... :(
    External ldap authentication
    register the LDAP authentication service in the gui and setup the first DN as normal.
    create the first set of entries for the ldap host and the base dn in the gui as normal etc.
    the gui in the admin console is not working (depending on your point of view), so you need to add the second ldap config manually -
    All commands are run from the /apps/jes/SUNWam/bin directory
    1. Get an encrypted value for the bind dns (cn=Directory Manager) password you want to bind to the ldap directory as by using the ampassword utility shipped with Identity Server.
    ./ampassword -e directory_manager password
    More information on this utility can be found in the Sun ONE Identity Server Administration Guide.
    2. Copy the encrypted password as the value for the iplanet-am-auth-ldap-bind-passwd in the XML file (serviceAddMultipleLDAPConfigurationRequests.xml) created in Step 1. The XML file contains a template for creating the second LDAP DN.
    3. Modify the data XML file accordingly so that the relevant details are provided for the 2nd ldap server (bind dn search base etc) and load this into the portal directory using the amadmin command line tool as follows from the /opt/SUNWam/bin directory
    ./amadmin -u amadmin -w administrator_password -v -t serviceAddMultipleLDAPConfigurationRequests.xml
    If the imported xml values are incorrect delete and reload the imported xml data using amadmin command tool. Alternatively you can modify the ldap data directly on the primary identity server (ldap server) using a client browser though this method is not supported.
    You should be able to see new imported values for the second ldap server at dn:ou=subconfig1,ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthLDAPService,ou=services,ou=ORG,o=lgaq.qld.gov.au on the primary ldap server (where ORG is the organisation you wanted to add the second DN).

  • Role creation in OIM 11.1.1.5.0 fails with LDAP Sync Enabled

    I am in the process of configuring LDAP sync for OIM 11.1.1.5.0 with ODSEE.
    At this time, when I add a user in OIM, I can see that the user gets created in LDAP under the LDAP dn that I supplied when configuring OIM (Configuration process screen name = "LDAP Server Continued", field name = "LDAP User Container")
    However when I try to add a role in OIM, the call fails. OIM server logs have the following exception message:
    <Jul 14, 2011 1:21:52 PM EDT> <Warning> <oracle.iam.callbacks.common> <IAM-2030146> <[CALLBACKMSG] Are applicable policies present for this async eventhandler ? : false>
    <Jul 14, 2011 1:21:53 PM EDT> <Error> <oracle.iam.platform.entitymgr.provider.ldap> <IAM-0042002> <An error occurred while creating the entity in LDAP, and the corresponding error is - {0}
    javax.naming.NameNotFoundException: Error: NO_SUCH_OBJECT
    null [Root exception is oracle.ods.virtualization.service.VirtualizationException]
    at oracle.ods.virtualization.jndi.OVDUtil.mapErrorCode(OVDUtil.java:151)
    at oracle.ods.virtualization.jndi.OVDContext.createSubcontext(OVDContext.java:512)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:183)
    at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.createSubcontext(LDAPUtil.java:1045)
    at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.create(LDAPDataProvider.java:487)
    at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:291)
    at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:239)
    at oracle.iam.ldapsync.impl.eventhandlers.role.RoleCreateLDAPHandler.create(RoleCreateLDAPHandler.java:128)
    at oracle.iam.ldapsync.impl.eventhandlers.role.RoleCreateLDAPHandler.execute(RoleCreateLDAPHandler.java:46)
    at oracle.iam.platform.kernel.impl.OrchProcessData.runPreProcessEvents(OrchProcessData.java:898)
    at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:634)
    at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:664)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.process(OrchestrationEngineImpl.java:435)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:381)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:334)
    at oracle.iam.identity.rolemgmt.impl.RoleManagerImpl.create(RoleManagerImpl.java:188)
    at oracle.iam.identity.rolemgmt.api.RoleManagerEJB.createx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    Any idea what's going on?
    When configuring OIM, I provided a value for the "LDAP Role Container" as "ou=Groups,dc=mycompany,dc=com". The docs show an example of "cn=groups, dc=mycountry, dc=com" (see http://download.oracle.com/docs/cd/E21764_01/install.1111/e12002/oidonly.htm#CDDDIAIC, step 18). Could this difference in container type be causing this problem?
    Any idea where OIM stores this container information if I wanted to test ldap sync with the different roles container?
    Thanks
    Aspi Engineer
    Putnam Investments

    Aspi,
    OIM keeps its ldap config under "$IDM_HOME/server/ldap_config_util" as "ldapconfig.props"
    Thanks,
    Sandeep Gupta
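    NO_SUCH_OBJECT returned to createSubcontext, as in the trace above, means the directory could not find the parent of the entry being added, here the configured LDAP Role Container. Before changing ldapconfig.props it is worth checking that the container DN exists exactly as written. The Python below is an added example, not OIM or ODSEE code: it normalizes DNs (so "cn=groups, dc=mycompany, dc=com" and "cn=Groups,dc=mycompany,dc=com" compare equal), escapes the role name when forming the role's DN, and, against a constructed list of entries that exist, reports which ancestor of the container is missing. The EXISTING list is constructed; the two container DNs tested are the ones quoted in the post.

```python
"""Diagnose NO_SUCH_OBJECT on a role create by checking the container's parent
chain against a list of entries known to exist. Added example, not OIM/ODSEE code.
EXISTING is constructed; the container DNs tested are the ones from the post."""
import re

# Constructed: what the directory is assumed to contain (not from a real server)
EXISTING = [
    "dc=mycompany,dc=com",
    "cn=Users,dc=mycompany,dc=com",
    "cn=Groups,dc=mycompany,dc=com",
]

def split_dn(dn: str):
    """Split a DN into RDN strings on unescaped commas (RFC 4514)."""
    return [p.strip() for p in re.split(r'(?<!\\),', dn)]

def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: trimmed, lowercase types and values.
    Assumes caseIgnore matching for the RDN attributes (true for cn/ou/dc)."""
    out = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition('=')
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ','.join(out)

def ancestors(dn: str):
    """The normalized DN followed by each of its parents, suffix last."""
    rdns = split_dn(normalize_dn(dn))
    return [','.join(rdns[i:]) for i in range(len(rdns))]

def missing_ancestor(dn: str, existing):
    """Return the first entry in dn's chain that does not exist, i.e. the child
    of the deepest existing ancestor (the 'matchedDN' an LDAP server reports),
    or None when dn itself exists."""
    present = {normalize_dn(e) for e in existing}
    chain = ancestors(dn)
    if chain[0] in present:
        return None
    for child, parent in zip(chain, chain[1:]):
        if parent in present:
            return child
    return chain[-1]   # nothing in the chain exists: even the suffix is unknown

def escape_rdn_value(value: str) -> str:
    """Escape RDN special characters (RFC 4514) so a role name cannot alter the DN."""
    escaped = re.sub(r'([,+"\\<>;])', r'\\\1', value)
    if escaped.startswith('#') or escaped.startswith(' '):
        escaped = '\\' + escaped
    if escaped.endswith(' '):
        escaped = escaped[:-1] + '\\ '
    return escaped

def role_dn(role_name: str, container: str) -> str:
    """DN the sync would create for a role (assumes a cn= RDN under the container)."""
    return f"cn={escape_rdn_value(role_name)},{container}"

def diagnose_role_create(role_name: str, container: str, existing=EXISTING):
    """None when only the new role itself is absent (the add can succeed);
    otherwise the ancestor that is missing and must be created first."""
    target = role_dn(role_name, container)
    missing = missing_ancestor(target, existing)
    return None if missing == normalize_dn(target) else missing
```

    Run against the constructed entries, the container from the post (ou=Groups,...) is reported missing while the documented cn=groups form resolves, which is the kind of mismatch that produces this exact exception: the directory does not care whether the container is an ou or a cn, only that an entry with that DN exists.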

  • How do I configure a basic LDAP to work with OPS Center?

    I have Solaris 11 and have configured it a few ways with LDAP. The last setup I used Directory server with a proxy then added LDAP configs. I am having problem getting the clients working correctly but first I need to know if I can just configure LDAP without DSEE and allow OPS Center to control the users?
    Chapter 9 of the Oracle Solaris Administration guide says DSEE is recommended but not required and points you to chapter 14. But I have been unable to figure out how to create the DN and Bind PW prior to configuring LDAP with IDSCONFIG. The OPS Center server is already in play so if configured correctly I should be able to talk to the LDAP server.
    Does anyone know what step I am missing or whether it can be done without DSEE?

    After contacting Oracle I was informed that their documentation is misleading and that DSEE is required.
    From Oracle
    "The statement "However, while using the Oracle Directory Server Enterprise Edition is recommended, it is not required", does not mean you can configure the Solaris native ldap client without a Directory Server. What the statement means is the Solaris native ldap client is not required to use the Oracle Directory Server, it is recommended, but the Solaris native ldap client can be setup to work with third party Directory Servers. The term "not required" is a reference to the use of the Oracle Directory Server vs a third party Directory Server."
    The documentation does not state that Directory Server of any kind is required.
