DHCP LDAP search base

Hi,
What setting should be put in the search base box in the LDAP tab of DHCP? I would like users to be able to access the OD database in tools such as the Address Book.
(I currently have dc=<name>,dc=<suffix>, where these are the name.suffix of my domain.) In this configuration, the users cannot see the LDAP database.
Thanks,
Dave

Hi Hiya,
Thank you for taking the time to look at my question. Here's my problem. We're setting up a VOIP phone system and one of the questionnaire items is to provide the LDAP Search Base String of my AD. I'm not sure if I need to provide all of this search base (DC, CN and OU); all I want to know is which of the elements I should provide.
I think my LDAP search base string is "OU=xxx,DC=mydomain,DC=local". (I'm still not sure, but if you have an idea please help.)
Thank you.
Jay
aja
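What a search base actually scopes is easier to see in code. The Python below is an added example (not code from either post, nor Apple's or Microsoft's): it derives the default AD base DN from a DNS domain name, parses a DN following the RFC 4514 escaping rules, and lists which user DNs a search rooted at a candidate base such as OU=xxx,DC=mydomain,DC=local could never return. All DNs and domain names in it are constructed, and the parser is deliberately limited to single-valued RDNs.

```python
"""Search-base sanity checks for an LDAP / Active Directory search base.

Added example for this thread; not code from Apple, Microsoft, or the
posters. All DNs and domain names below are constructed for illustration.
"""


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (
            ch in ',+"\\<>;'
            or (ch == "#" and i == 0)
            or (ch == " " and i in (0, last))
        )
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


def base_dn_from_domain(domain: str) -> str:
    """'mydomain.local' -> 'DC=mydomain,DC=local' (AD's default naming context)."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + escape_rdn_value(label) for label in labels)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into [(type, value), ...] with backslash escapes resolved.

    Handles the common subset only: '\\,'-style escapes are unescaped,
    multi-valued RDNs ('+') are rejected rather than silently misread, and
    hex-encoded ('#...') values are passed through undecoded.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "+":
            raise ValueError("multi-valued RDNs are not supported by this parser")
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        parsed.append((attr_type.strip().lower(), value.strip()))
    return parsed


def is_under_base(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn is base_dn itself or lies beneath it.

    Type and value are compared case-insensitively, which matches the
    caseIgnore matching rule used by dc, ou and cn. A subtree search rooted
    at base_dn can only ever return entries for which this returns True.
    """
    entry = [(t, v.lower()) for t, v in parse_dn(entry_dn)]
    base = [(t, v.lower()) for t, v in parse_dn(base_dn)]
    return len(entry) >= len(base) and entry[-len(base):] == base


def users_outside_base(user_dns, base_dn):
    """Return the user DNs a search rooted at base_dn would never find."""
    return [dn for dn in user_dns if not is_under_base(dn, base_dn)]


if __name__ == "__main__":
    # Constructed example matching the shape of the question above.
    domain_base = base_dn_from_domain("mydomain.local")
    ou_base = "OU=xxx," + domain_base
    users = [
        "CN=Jay,OU=xxx,DC=mydomain,DC=local",
        "CN=Smith\\, John,OU=Sales,OU=xxx,DC=mydomain,DC=local",
        "CN=voip-svc,OU=Service Accounts,DC=mydomain,DC=local",
    ]
    print("domain base:", domain_base)
    print("not visible under", ou_base, "->", users_outside_base(users, ou_base))
```

Run as a script it shows that an OU-scoped base hides the service account that lives outside that OU, which is the practical difference between giving the phone system OU=xxx,DC=mydomain,DC=local and DC=mydomain,DC=local.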

Similar Messages

  • Cant Edit Ldap Search Base in Open Directory

    Greetings ,
My LDAP search base is wrong in my Open Directory. I have tried converting the server to standalone and back to a directory master and it still retains the old search base. How do I get rid of this, as it is causing problems?
    Thanks In Advance

    Any resolution to this? I am trying to configure OD and it's NOT using our FQDN for the server as the search base... instead of server.domain.NET it is putting in server.domain.COM - pretty sure that will cause problems.
I ran host <ip address> and checked our DNS settings on the server and everything is configured as .NET - I cannot find this .COM anywhere. I am NOT in a position to do an uninstall and re-install as many folks seem to have done.
    Mike

  • Change LDAP Search Base:  Is archive/recreate required?

    This is the gist of the message that I'm getting while searching for an answer, but I wanted to ask it here just in case.
    I have a MacOS X server (10.4.9) that I need to join to an Active Directory... it was originally on its own domain (xserve.mydomain.ca) and will now be on the corporate domain (xserve.myorg.ca).
    I've run changeip to change the IP address and switch over all the domain information. The forward and reverse lookups are happy and working and, while I had to recreate home directories for some users, in the end everything worked fairly well.
    Now I need to take the next step in the integration and get LDAP changed over to reflect the new FQDN. It is currently dc=xserve, dc=mydomain, dc=ca ... so it needs to be dc=xserve, dc=myorg, dc=ca
    Is archiving the LDAP database... switching to Standalone... and recreating the OD Master with the new LDAP search base the only way to make the change?
    And if so... does it actually work? (Home directories don't matter too much... but recreating 200 users obviously would suck.)
    Thank you very much.
    Chris Alemany
    Computer Technician
    Malaspina U-C
    Nanaimo, BC

    I'm hoping for a little detail here.
    The LDAP archive that is created through Server Admin is... comprehensive... i.e. there are a LOT of different files in there.
    Of course, as it isn't only an LDAP archive but contains the PasswordServer database, the Kerberos database, server settings ...
    Where do I start in terms of "mangling" the data (which I assume means redoing all references to the old LDAP domain)?
    You would need to export only the LDAP database via the appropriate ldapsearch command.
    As you begin to see, this task is quite complex, and without some decent knowledge about Mac OS X Server in general and specifically LDAP this task is doomed to fail. :o/
    You can start your way with this book:
    http://www.amazon.com/Apple-Training-System-Administration-Reference/dp/032136984X/ref=pdbbs_sr1/103-1936572-6371849?ie=UTF8&s=books&qid=1177352316&sr=8-1
    Sorry for the bad news,
    -Ralph
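Ralph's "export the LDAP database and mangle the data" step, as an added example that is not part of the thread and not Apple's code: the Python below rewrites the old suffix dc=xserve,dc=mydomain,dc=ca to dc=xserve,dc=myorg,dc=ca in an LDIF export, on dn: lines and on DN-valued attributes such as member, and reports base64-encoded values it could not inspect. The LDIF input and the list of DN-valued attribute names are assumptions for the example.

```python
"""Rewrite the DN suffix in an LDIF export when the search base changes.

Added example for this thread; not code from Apple or from either poster.
It assumes an LDIF export such as ldapsearch produces, rewrites the suffix
on 'dn:' lines and on DN-valued attributes (member, uniqueMember, owner,
seeAlso, manager), and leaves base64 ('::') values untouched but reports
them for manual review. The LDIF below is constructed.
"""
import re

DN_VALUED_ATTRS = {"dn", "member", "uniquemember", "owner", "seealso", "manager"}


def _suffix_pattern(suffix: str) -> re.Pattern:
    """Case-insensitive pattern for 'suffix' at the end of a DN, tolerant of
    spaces around the commas. Assumes RDN values contain no escaped commas."""
    rdns = [re.escape(rdn.strip()) for rdn in suffix.split(",")]
    return re.compile(r"(^|,)\s*" + r"\s*,\s*".join(rdns) + r"\s*$", re.IGNORECASE)


def rewrite_dn(dn: str, old_suffix: str, new_suffix: str):
    """Return (new_dn, changed). Only the matching suffix is replaced, so
    the spelling of the leading RDNs (cn values etc.) is preserved."""
    match = _suffix_pattern(old_suffix).search(dn)
    if match is None:
        return dn, False
    return dn[: match.start()] + match.group(1) + new_suffix, True


def rewrite_ldif(ldif_text: str, old_suffix: str, new_suffix: str):
    """Rewrite every DN-valued attribute in an LDIF document.

    Returns (new_ldif, report) where report counts rewritten values and lists
    base64-encoded DN attributes that were left alone (unfolded line numbers).
    """
    # RFC 2849: a line starting with one space continues the previous line.
    unfolded = re.sub(r"\n ", "", ldif_text)
    out, changed, base64_skipped = [], 0, []
    for lineno, line in enumerate(unfolded.split("\n"), 1):
        m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if m is None or m.group(1).lower() not in DN_VALUED_ATTRS:
            out.append(line)  # comments, blank lines, non-DN attributes
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            base64_skipped.append((lineno, attr))
            out.append(line)
            continue
        new_value, did_change = rewrite_dn(value, old_suffix, new_suffix)
        changed += int(did_change)
        out.append(f"{attr}: {new_value}")
    return "\n".join(out), {"changed": changed, "base64_skipped": base64_skipped}


OLD_SUFFIX = "dc=xserve,dc=mydomain,dc=ca"
NEW_SUFFIX = "dc=xserve,dc=myorg,dc=ca"

# Constructed LDIF in the shape of an ldapsearch export; the base64 member
# value is a placeholder ('uid=bob') standing in for a value the tool must
# not rewrite blindly.
SAMPLE_LDIF = """\
dn: dc=xserve,dc=mydomain,dc=ca
objectClass: domain
dc: xserve

dn: uid=chris,cn=users,dc=xserve,dc=mydomain,dc=ca
objectClass: inetOrgPerson
uid: chris
cn: Chris Example

dn: cn=staff,cn=groups,dc=xserve,dc=mydomain,dc=ca
objectClass: groupOfNames
member: uid=chris,cn=users,dc=xserve,
 dc=mydomain,dc=ca
member:: dWlkPWJvYg==
"""

if __name__ == "__main__":
    new_ldif, report = rewrite_ldif(SAMPLE_LDIF, OLD_SUFFIX, NEW_SUFFIX)
    print(new_ldif)
    print("report:", report)
```

The rewritten LDIF is only the data half of the move; the PasswordServer and Kerberos databases that Ralph mentions live outside it, which is why he calls the whole task complex.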

  • Open Directory, third party LDAP search path problem on Snow Leopard

    Happy new year folks,
    I ran into an interesting problem this past week in regards to a third party LDAP directory in the Search path (which used to work on previous versions). The issue brings the server to its knees eventually. I'm still digging through the logs, but here's the general breakdown...
    1. Add third-party LDAP to the OD node list. This has always worked on previous versions, and appears to still work at the most basic level. I can navigate the node with DSCL, read records, etc.
    2. Add third-party LDAP to the OD search path.
    3. Wait a few minutes....
    4. The server begins to slow down. Apache, SSH, ServerAdmin service stop responding. I'm able to run "top" briefly, which shows an increase of threads.
    5. Restart the server and quickly remove the directory from the OD search path.
    6. Server goes back to being rock solid with very nice response times for Apache, SSH, ServerAdmin, etc.
    If anyone has any debugging suggestions, or has seen this before, let me know.
    Jaime
    --- Below is some console output leading up to the chaos. Before adding to search path, everything looks good --------------------
    bash-3.2# dscl
    Entering interactive mode... (type "help" for commands)
    read /LDAPv3/ldap.itd.umich.edu/Users/jaimelm cn
    dsAttrTypeNative:cn:
    Jaime Magiera
    Jaime L Magiera 1
    Jaime L Magiera
    --- Add to Search Path, which hangs ------------------------------------------------------------------------------
    bash-3.2# dscl /Search -append / CSPSearchPath /LDAPv3/ldap.itd.umich.edu
    --- DSCL in debug mode contains the following ----------------------------------------------
    2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Client: ipfw, PID: 1097, API: libinfo, Server Used : libinfomig DAR : Procedure = getprotobynumber (13) : Result code = 0
    2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Client: sso_util, PID: 1103, API: dsFindDirNodes(), Server Used : DAR : 1 : Dir Ref = 16779669 : Requested nodename = /Search
    2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Plug-in call "dsDoPlugInCustomCall()" failed with error = -14292.
    2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Port: 27151 Call: dsDoPlugInCustomCall() == -14292
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 1 : Dir Ref = 16779707 : Requested nodename = /LDAPv3/ldap.itd.umich.edu
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 2 : Dir Ref = 16779707 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16779707
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16779707 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAC : Dir Ref 16779707 : Data buffer size = 128
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 1 : Dir Ref = 16779707 : Requested nodename = ConfigNode
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 2 : Dir Ref = 16779707 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: Requesting dsOpenDirNode with PID = 1114, UID = 0, and EUID = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsOpenDirNode(), Configure Used : DAC : Dir Ref = 16779707 : Node Name = /Configure
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsOpenDirNode(), Configure Used : DAR : Dir Ref = 16779707 : Node Ref = 33556926 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16779707
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16779707 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Configure Used : DAC : Node Ref = 33556926 : Requested Attrs = dsAttrTypeStandard:OperatingSystemVersion : Attr Type Only Flag = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Configure Used : DAR : Node Ref = 33556926 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Search Used : DAC : Node Ref = 33556924 : Requested Attrs = dsAttrTypeStandard:LSPSearchPath : Attr Type Only Flag = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Search Used : DAR : Node Ref = 33556924 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsDoPlugInCustomCall(), Search Used : DAC : Node Ref = 33556924 : Request Code = 444
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Checking for Search Node XML config file:
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - /Library/Preferences/DirectoryService/SearchNodeConfig.plist
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Have written the Search Node XML config file:
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - /Library/Preferences/DirectoryService/SearchNodeConfigBackup.plist
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Setting search policy to Custom search
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - CSearchPlugin::SwitchSearchPolicy: switch - reachability of node </LDAPv3/127.0.0.1> retained as <true>
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - CSearchPlugin::CheckNodes: checking network node reachability on search policy 0x0000000000002201
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - CCachePlugin::EmptyCacheEntryType - Request to empty all types - Flushing the cache
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Client: Requesting dsOpenDirNode with PID = 0, UID = 0, and EUID = 0
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsOpenDirNode(), LDAPv3 Used : DAC : Dir Ref = 16777216 : Node Name = /LDAPv3/127.0.0.1
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsOpenDirNode(), LDAPv3 Used : DAR : Dir Ref = 16777216 : Node Ref = 33556929 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - CSearchPlugin::CheckNodes: calling dsOpenDirNode succeeded on node </LDAPv3/127.0.0.1>
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsCloseDirNode(), LDAPv3 Used : DAC : Node Ref = 33556929
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsCloseDirNode(), LDAPv3 Used : DAR : Node Ref = 33556929 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x0000000103181000] - mbr_mig - dsFlushMembershipCache - force cache flush (internally initiated)
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Client: Requesting dsOpenDirNode with PID = 0, UID = 0, and EUID = 0
    2010-01-01 19:26:36 EST - T[0x0000000103181000] - Membership - dsNodeStateChangeOccurred - flagging all entries as expired
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsOpenDirNode(), LDAPv3 Used : DAC : Dir Ref = 16777216 : Node Name = /LDAPv3/ldap.itd.umich.edu
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - CLDAPNodeConfig::InternalEstablishConnection - Node ldap.itd.umich.edu - Connection requested for read
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - CLDAPNodeConfig::FindSuitableReplica - Node ldap.itd.umich.edu - Attempting Replica connect to 141.211.93.133 for read
    2010-01-01 19:26:36 EST - T[0x0000000102481000] - CCachePlugin::SearchPolicyChange - search policy change notification, looking for NIS
    2010-01-01 19:26:36 EST - T[0x0000000102481000] - Internal Dispatch, API: dsGetDirNodeInfo(), Search Used : DAC : Node Ref = 33554436 : Requested Attrs = dsAttrTypeStandard:SearchPath : Attr Type Only Flag = 0
    ------- From another screen, I do "id jaimelm", which hangs ------------------------------------------------------------------------
    : Requested Rec Names = jaimelm : Rec Name Pattern Match:8449 = eDSiExact : Requested Rec Types = dsRecTypeStandard:Users
    2010-01-01 19:36:55 EST - T[0x00000001082A2000] - Internal Dispatch, API: dsGetRecordList(), Search Used : DAC : 2 : Node Ref = 33554436 : Requested Attrs = dsAttrTypeStandard:AppleMetaNodeLocation;dsAttrTypeStandard:RecordName;dsAttrTypeStandard:Password;dsAttrTypeStandard:UniqueID;dsAttrTypeStandard:GeneratedUID;dsAttrTypeStandard:PrimaryGroupID;dsAttrTypeStandard:NFSHomeDirectory;dsAttrTypeStandard:UserShell;dsAttrTypeStandard:RealName;dsAttrTypeStandard:Keywords : Attr Type Only Flag = 0 : Record Count Limit = 1 : Continue Data = 0
    2010-01-01 19:37:03 EST - T[0x0000000108325000] - Client: httpd, PID: 157, API: mbr_syscall, Server Used : process kauth result 0x0000000102022B30
    2010-01-01 19:37:03 EST - T[0x00000001083A8000] - Client: httpd, PID: 151, API: mbr_syscall, Server Used : process kauth result 0x0000000102022C50
    2010-01-01 19:37:05 EST - T[0x000000010842B000] - Client: httpd, PID: 203, API: mbr_syscall, Server Used : process kauth result 0x0000000102022D70
    2010-01-01 19:37:15 EST - T[0x00000001084AE000] - Client: httpd, PID: 994, API: mbr_syscall, Server Used : process kauth result 0x0000000102023890
    2010-01-01 19:37:26 EST - T[0x0000000108531000] - Client: httpd, PID: 198, API: mbr_syscall, Server Used : process kauth result 0x0000000102023980
    2010-01-01 19:37:31 EST - T[0x00000001085B4000] - Client: httpd, PID: 161, API: mbr_syscall, Server Used : process kauth result 0x0000000~

    Hi
    I'm in agreement with harry here but what I'm struggling to understand is why you are seeing this as a problem? I'm also struggling to see this as being a possibility in a single server environment if I understand your post correctly?
    Promotion to OD Master with all that entails absolutely rests on a properly configured and tested internal DNS Service. The Kerberos Realm's foundation (and with that the ability of the server to perform its function as KDC and offer LDAP services) entirely depends on what is configured in the DNS Service. This will include the server name, domain name and tld. The Kerberos Realm automatically configures itself using that information. Likewise the searchbase.
    It's more than possible to change the Realm name and with it the LDAP search base (in certain circumstances) and have an OD Master; however Kerberos won't start, and it won't need to, as the KDC will be elsewhere. You generally see this when augmenting Windows AD with MCX. In that situation the Realm name and search base will reflect what is set on the Active Directory. Client computers will use what is set there for contact and authentication information before looking at the OD Master for anything else.
    Does this help? Tony

  • LDAP External Authentication Multiple Search Base DNs question

    hi,
    I'm trying to add two LDAP search DNs to a Portal 6.2 organisation.
    With one search base DN it works fine.
    When I add another, all LDAP auth for that org stops working.
    The docs confusingly state that if you have multiple search DNs (not talking about multiple LDAP servers here, just the search base DNs) you should prefix each entry with the local server name. The docs however provide no examples of the syntax.
    Can anyone provide an example for multiple search DNs? e.g. is it <server:port>:o=<etc> (doesn't seem to work).
    Thanks

    hi,
    Yes I have... but when you enter more than one it stops working... with only one entry in the GUI it will work for that entry, but when you add another it stops working...
    I had to use a manual workaround like this to get the second going... :(
    External LDAP authentication
    Register the LDAP authentication service in the GUI and set up the first DN as normal.
    Create the first set of entries for the LDAP host and the base DN in the GUI as normal etc.
    The GUI in the admin console is not working (depending on your point of view), so you need to add the second LDAP config manually.
    All commands are run from the /apps/jes/SUNWam/bin directory.
    1. Get an encrypted value for the bind DN's (cn=Directory Manager) password you want to bind to the LDAP directory as, by using the ampassword utility shipped with Identity Server.
    ./ampassword -e directory_manager password
    More information on this utility can be found in the Sun ONE Identity Server Administration Guide.
    2. Copy the encrypted password as the value for iplanet-am-auth-ldap-bind-passwd in the XML file (serviceAddMultipleLDAPConfigurationRequests.xml) created in Step 1. The XML file contains a template for creating the second LDAP DN.
    3. Modify the data XML file accordingly so that the relevant details are provided for the 2nd LDAP server (bind DN, search base etc.) and load this into the portal directory using the amadmin command line tool as follows, from the /opt/SUNWam/bin directory:
    ./amadmin -u amadmin -w administrator_password -v -t serviceAddMultipleLDAPConfigurationRequests.xml
    If the imported XML values are incorrect, delete and reload the imported XML data using the amadmin command tool. Alternatively you can modify the LDAP data directly on the primary identity server (LDAP server) using a client browser, though this method is not supported.
    You should be able to see the new imported values for the second LDAP server at dn: ou=subconfig1,ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthLDAPService,ou=services,ou=ORG,o=lgaq.qld.gov.au on the primary LDAP server (where ORG is the organisation you wanted to add the second DN to).

  • MMP using wrong search base when doing LDAP query.

    Hi all,
    I installed a new MMP (sun java communication suite v5 on Redhat linux x86).
    When an imap user connects to MMP, the MMP does an ldap query for attributes "MailHostAttrs mailHost".
    This query fails because the search base is
    SRCH base="dc=my,dc=domain,dc=com,o=my.domain.com"
    instead of simply "o=my.domain.com"
    When I ran 'configure' I specified the Organization DN to be o=my.domain.com
    And I've specified the following in the ImapProxyAService.cfg file:
    LdapUrl "ldap://ldap1.my.domain.com:389/o=my.domain.com"
    UserGroupDN "o=my.domain.com"
    DefaultDomain my.domain.com
    So why does it use "dc=my,dc=domain,dc=com,o=my.domain.com"?
    I must be missing something but I can't find it.

    Hi,
    kevin_sysadmin wrote:
    So why does it use "dc=my,dc=domain,dc=com,o=my.domain.com"?
    I must be missing something but I can't find it.
    The first step the MMP will do to resolve the base DN for a hosted domain is a directory search along the lines of (this is for schema 2, which is the default for a new install):
    [26/Oct/2007:16:46:23 +1000] conn=3152 op=1 msgId=2 - SRCH base="dc=aus,dc=sun,dc=com" scope=2 filter="(&(objectClass=sunManagedOrganization)(|(associatedDomain=aus.sun.com)(sunPreferredDomain=aus.sun.com)))" attrs=ALL
    So in my case I have default:LdapUrl "ldap://server.aus.sun.com/dc=aus,dc=sun,dc=com" and default:DefaultDomain aus.sun.com
    So you will probably find that you have a hosted domain configured under "dc=my,dc=domain,dc=com,o=my.domain.com" which got created during installation but not propagated with users.
    Regards,
    Shane.

  • Server 3.1.2: Unable to locate search base: -1 Can't contact LDAP server

    Hello all—
    I've been getting repeated errors below in my system.log.  I'm running OS X 10.9.3 with Server version 3.1.2.  I've replaced my actual server name with "my.servername.net" in the log entries. Thanks for any advice!  —michael
    May 30 17:47:03 leo com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 7 seconds
    May 30 17:47:04 my.servername.net PasswordService[1345]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
    May 30 17:47:04 leo com.apple.launchd[1] (com.apple.PasswordService[1345]): Exited with code: 1
    May 30 17:47:04 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
    May 30 17:47:06 my.servername.net xscertd-helper[1351]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
    May 30 17:47:06 leo com.apple.launchd[1] (com.apple.xscertd-helper[1351]): Exited with code: 1
    May 30 17:47:06 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
    May 30 17:47:09 my.servername.net xscertd[335]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)
    May 30 17:47:14 my.servername.net PasswordService[1363]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    May 30 17:47:14 my.servername.net PasswordService[1363]: -[PasswordServerPrefsObject loadXMLData]: Unable to locate passwordserver config record's plist attribute: -1 Can't contact LDAP server
    May 30 17:47:14 my.servername.net PasswordService[1363]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    May 30 17:47:14 my.servername.net PasswordService[1363]: -[PasswordServerPrefsObject saveXMLData]: ldap_modify_ext_s of the passwordserver config record's plist attribute: -1 Can't contact LDAP server
    May 30 17:47:14 leo com.apple.launchd[1] (org.openldap.slapd[1359]): Exited with code: 1
    May 30 17:47:14 leo com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 7 seconds
    May 30 17:47:14 my.servername.net PasswordService[1363]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
    May 30 17:47:14 leo com.apple.launchd[1] (com.apple.PasswordService[1363]): Exited with code: 1
    May 30 17:47:14 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
    May 30 17:47:16 my.servername.net xscertd-helper[1365]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
    May 30 17:47:16 leo com.apple.launchd[1] (com.apple.xscertd-helper[1365]): Exited with code: 1
    May 30 17:47:16 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
    May 30 17:47:20 my.servername.net xscertd[335]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)
    May 30 17:47:24 my.servername.net PasswordService[1375]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    May 30 17:47:24 my.servername.net PasswordService[1375]: -[PasswordServerPrefsObject loadXMLData]: Unable to locate passwordserver config record's plist attribute: -1 Can't contact LDAP server
    May 30 17:47:24 my.servername.net PasswordService[1375]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    May 30 17:47:24 my.servername.net PasswordService[1375]: -[PasswordServerPrefsObject saveXMLData]: ldap_modify_ext_s of the passwordserver config record's plist attribute: -1 Can't contact LDAP server
    May 30 17:47:25 leo com.apple.launchd[1] (org.openldap.slapd[1371]): Exited with code: 1
    May 30 17:47:25 leo com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 7 seconds
    May 30 17:47:25 my.servername.net PasswordService[1375]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
    May 30 17:47:25 leo com.apple.launchd[1] (com.apple.PasswordService[1375]): Exited with code: 1
    May 30 17:47:25 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
    May 30 17:47:26 my.servername.net xscertd-helper[1377]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
    May 30 17:47:26 leo com.apple.launchd[1] (com.apple.xscertd-helper[1377]): Exited with code: 1
    May 30 17:47:26 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
    May 30 17:47:30 my.servername.net xscertd[335]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)

    Unfortunately this problem wasn't solved this way.  After dragging the Server.app to the trash and then retrieving it ("Put Back") and launching it, and re-starting services, my problem still persists.
    Here are relevant system.log file entries. (Note the hostname is "leo"—I've changed the FQDN to leo.myservername.net):
    Jun  6 22:57:31 leo.myservername.net PasswordService[1011]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
    Jun  6 22:57:31 leo com.apple.launchd[1] (com.apple.PasswordService[1011]): Exited with code: 1
    Jun  6 22:57:31 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
    Jun  6 22:57:32 leo.myservername.net xscertd-helper[1014]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
    Jun  6 22:57:32 leo com.apple.launchd[1] (com.apple.xscertd-helper[1014]): Exited with code: 1
    Jun  6 22:57:32 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
    Jun  6 22:57:34 leo.myservername.net xscertd[333]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)
    Jun  6 22:57:40 leo com.apple.launchd[1] (org.openldap.slapd[1016]): Exited with code: 1
    Jun  6 22:57:40 leo com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 7 seconds
    Jun  6 22:57:40 leo.myservername.net com.apple.SecurityServer[22]: Session 100004 created
    Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: -[PasswordServerPrefsObject loadXMLData]: Unable to locate passwordserver config record's plist attribute: -1 Can't contact LDAP server
    Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: -[PasswordServerPrefsObject saveXMLData]: ldap_modify_ext_s of the passwordserver config record's plist attribute: -1 Can't contact LDAP server
    Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
    Jun  6 22:57:41 leo com.apple.launchd[1] (com.apple.PasswordService[1024]): Exited with code: 1
    Jun  6 22:57:41 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
    Jun  6 22:57:42 leo.myservername.net xscertd-helper[1028]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
    Jun  6 22:57:42 leo com.apple.launchd[1] (com.apple.xscertd-helper[1028]): Exited with code: 1
    Jun  6 22:57:42 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
    Jun  6 22:57:45 leo.myservername.net xscertd[333]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)
    Also, for what it's worth, "Open Directory" in the Server.app has no settings within it. Nor will it stay "on." I'm not using OD per se, and am happy to leave it off, but it's possible the errors above are preventing it from running.
    Thanks for any other solutions. —michael
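Reading the log above as a detection problem: the added Python below (not Apple's code and not from the poster) parses system.log lines of the shape quoted, counts Throttling respawn events per launchd job inside a sliding window to recognise a crash loop, and separates the jobs whose own error text says Can't contact LDAP server from the job that fails without blaming anything else, which in the sample is org.openldap.slapd. The log lines in it are constructed in the same format, and the year 2014 is assumed because syslog lines carry none.

```python
"""Spot a launchd respawn loop, and the job behind it, in macOS system.log.

Added example for this thread; not Apple code and not from the poster. It
parses syslog-style lines, counts 'Throttling respawn' events per launchd
job inside a sliding time window, and separates jobs whose own errors say
'Can't contact LDAP server' (they fail because slapd is down) from jobs that
fail on their own. The log lines below are constructed in the format shown
above, with the hostname 'leo'.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>\S+?)(?:\[(?P<pid>\d+)\])?(?: \((?P<job>[^)]*)\))?: (?P<msg>.*)$"
)


def parse_line(line: str, year: int = 2014):
    """Return a dict for one syslog line, or None if it does not parse.

    syslog lines carry no year, so one is assumed (2014 matches the thread).
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    job = m["job"]
    if job:
        job = re.sub(r"\[\d+\]$", "", job)  # 'com.apple.PasswordService[1011]' -> job label
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "job": job, "msg": m["msg"]}


def find_respawn_loops(lines, window_seconds=60, threshold=3):
    """Map job label -> max number of respawn throttles seen inside one window."""
    recent = defaultdict(deque)
    loops = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["job"] or "Throttling respawn" not in rec["msg"]:
            continue
        window = recent[rec["job"]]
        window.append(rec["ts"])
        while (window[-1] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            loops[rec["job"]] = max(loops.get(rec["job"], 0), len(window))
    return loops


def classify_failures(lines):
    """Split exited jobs into those blaming LDAP and those that may be the root cause."""
    records = [r for r in map(parse_line, lines) if r is not None]
    blame_ldap = {r["proc"] for r in records if "Can't contact LDAP server" in r["msg"]}
    exited = {r["job"] for r in records if r["job"] and "Exited with code" in r["msg"]}
    result = {"depends_on_ldap": set(), "root_cause_candidates": set()}
    for job in exited:
        process_name = job.rsplit(".", 1)[-1]  # com.apple.PasswordService -> PasswordService
        bucket = "depends_on_ldap" if process_name in blame_ldap else "root_cause_candidates"
        result[bucket].add(job)
    return result


# Constructed sample in the format of the thread's system.log excerpt.
SAMPLE_LOG = """\
Jun  6 22:57:31 leo.myservername.net PasswordService[1011]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
Jun  6 22:57:31 leo com.apple.launchd[1] (com.apple.PasswordService[1011]): Exited with code: 1
Jun  6 22:57:31 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
Jun  6 22:57:32 leo.myservername.net xscertd-helper[1014]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
Jun  6 22:57:32 leo com.apple.launchd[1] (com.apple.xscertd-helper[1014]): Exited with code: 1
Jun  6 22:57:32 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
Jun  6 22:57:40 leo com.apple.launchd[1] (org.openldap.slapd[1016]): Exited with code: 1
Jun  6 22:57:40 leo com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 7 seconds
Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
Jun  6 22:57:41 leo com.apple.launchd[1] (com.apple.PasswordService[1024]): Exited with code: 1
Jun  6 22:57:41 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
Jun  6 22:57:47 leo com.apple.launchd[1] (org.openldap.slapd[1030]): Exited with code: 1
Jun  6 22:57:47 leo com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 7 seconds
Jun  6 22:57:54 leo com.apple.launchd[1] (org.openldap.slapd[1035]): Exited with code: 1
Jun  6 22:57:54 leo com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 7 seconds
""".splitlines()

if __name__ == "__main__":
    print("respawn loops:", find_respawn_loops(SAMPLE_LOG))
    print("classification:", classify_failures(SAMPLE_LOG))
```

The split matters for triage: restarting PasswordService or xscertd-helper changes nothing while slapd cannot start, so the job in root_cause_candidates is where to look first (slapd's own reason for exiting is written to its own log, not to these lines).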

  • Registry LDAP - Multiple search bases x single search base

    Hi all,
    I have a doubt: in my scenario I have two LDAP domains and it isn't clear to me if I need to use the Oracle Registry configured for multiple search or single search. In the documentation the explanation is: use the single configuration when you have one single search base, and use the multiple configuration when you have multiple search bases. Besides that, the Registry documentation says that in the multiple search bases scenario it will look for a user in all domains, in case a domain isn't specified by the user. The questions are: what is the difference between single and multiple configuration, and what is a search base?
    Any idea,
    Afonso

    Hi BBCR,
    I'm not sure if the use of groups provides a solution to this requirement. One way to do it would be to define attribute access controls using a filter with substitution syntax. For example, you could have a filter for Modify access on a user's attributes defined like:
    (&(o=$o$)(admin=true))
    which means that anyone who has a value of the "o" attribute the same as the target user AND has a value of "true" for the admin attribute can write to those attributes. You can also add Self as a role so that users can view/modify their own attributes.
    The above filter means that instead of defining group membership and group admin membership, you manipulate attribute values in users profiles to say whether or not a user is an admin, and which users they administer (all users which share the same value of the "o" attribute, in the above case).
    Would something like this be an option?
    Regards,
    Colin
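Both the MMP's hosted-domain lookup in Shane's reply above and the $o$ substitution filter in Colin's reply build an LDAP filter around a value that comes from outside the filter itself (a client's domain string, a target user's attribute). The added Python example below, which is not from Sun or from either thread, renders both filters with RFC 4515 escaping applied first, so a value that contains parentheses or '*' cannot alter the filter's structure; the sample values are constructed.

```python
"""LDAP filter construction with RFC 4515 escaping.

Added example, not from Sun or from either thread. It renders two filters
discussed above: the hosted-domain lookup the MMP issues,
(&(objectClass=sunManagedOrganization)(|(associatedDomain=X)(sunPreferredDomain=X))),
and an access-control filter using the $attr$ substitution syntax, such as
(&(o=$o$)(admin=true)). The value is escaped before it is placed in the
filter, so a domain string or attribute value that came from a client cannot
change the filter's structure. Sample values are constructed.
"""
import re


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3.

    '(' ')' '*' '\\' and NUL must be written as a backslash followed by two
    hex digits; control characters and non-ASCII bytes are escaped the same
    way so the filter stays printable.
    """
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 0x20 or byte > 0x7E or ch in "()*\\":
            out.append("\\%02x" % byte)
        else:
            out.append(ch)
    return "".join(out)


def hosted_domain_filter(domain: str) -> str:
    """Filter the MMP uses to find the organization entry for a hosted domain."""
    d = escape_filter_value(domain)
    return ("(&(objectClass=sunManagedOrganization)"
            f"(|(associatedDomain={d})(sunPreferredDomain={d})))")


_SUBSTITUTION = re.compile(r"\$([A-Za-z][A-Za-z0-9-]*)\$")


def render_substitution_filter(template: str, target_entry: dict) -> str:
    """Replace each $attr$ in template with the target entry's attr value, escaped.

    A missing attribute is an error: silently substituting an empty string
    would turn (o=$o$) into (o=), which is not the intended check.
    """
    def substitute(match):
        attr = match.group(1)
        if attr not in target_entry:
            raise KeyError(f"target entry has no attribute {attr!r}")
        return escape_filter_value(str(target_entry[attr]))
    return _SUBSTITUTION.sub(substitute, template)


def filter_is_balanced(ldap_filter: str) -> bool:
    """Cheap structural check: parentheses balance once escapes are removed."""
    depth = 0
    for ch in re.sub(r"\\[0-9a-fA-F]{2}", "", ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    print(hosted_domain_filter("aus.sun.com"))
    print(hosted_domain_filter("x)(objectClass=*"))  # escaped, stays one assertion
    print(render_substitution_filter("(&(o=$o$)(admin=true))", {"o": "acme"}))
```

With the escaping in place, a domain value such as x)(objectClass=* is rendered as a single assertion value rather than as two assertions, which is the difference between a lookup that returns the wrong organization entry and one that simply finds nothing.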

  • Outlook ldap search problem

    Hi Sun,
    I am able to search the contact list using Mozilla Thunderbird with search base DN
    ou=people,dc=xxx,dc=xxx,dc=xxx
    but this doesn't work in Outlook 2007.
    May I know if it requires Outlook Connector?
    Sun Java System Connector for Microsoft Outlook?
    Cheers
    Sam

    Hello,
    Although the lists and memberships are listed in the GAL (generated by the calendar server through LDAP calls to OID), there still aren't any 'hooks' into the email server to allow for DL management. We have plans to expose DL management in the future, but not in the short or middle term. For the time being, you'll have to go through webmail to manage DLs.
    Hope that helps,
    --Marc

  • Ldap search query takes more than 10 seconds

    LDAP query takes more than 10 seconds to execute.
    For validating the configured policy, the Access Manager (Sun Java System Access Manager) contacts the LDAP (Sun Java System Directory Server 6.2) to get the users in a dynamic group. The timeout value configured in Access Manager for LDAP searches is 10 seconds.
    Issue: the LDAP query sometimes takes more than 10 seconds to execute.
    The query executes in less than 10 seconds in most cases, but it takes more than 10 seconds in some cases. The total number of users available in the LDAP is less than 1500.
    7 etime=1
    6 etime=1
    102 etime=4
    51 etime=5
    26 etime=6
    5 etime=7
    4 etime=8
    From the LDAP access logs we can see the following entries; sometimes the query takes more than 10 seconds:
    [28/May/2012:14:21:26 +0200] conn=281 op=41433 msgId=853995 - SRCH base="dc=****,dc=****,dc=com" scope=2 filter="(&(&(***=true)(**=true))(objectClass=vfperson))" attrs=ALL
    [28/May/2012:14:21:36 +0200] conn=281 op=41434 msgId=854001 - ABANDON targetop=41433 msgid=853995 nentries=884 etime=10
    The query was aborted by the Access Manager after 10 seconds.
    Please post your suggestions to resolve this issue.
    1. How can we find out why the query is taking more than 10 seconds?
    2. Next steps to resolve this issue.

    Hi Marco,
    Thanks for your suggestions.
    Sorry for replying late. I was out of the office for a few weeks.
    1) Have you already tuned the caches? (entry cache, db cache, filesystem cache?)
    We are using the db cache and we have not done any tuning for the cache. The application was working fine and there were not many changes in the number of users.
    2) Unfortunately we don't have direct access to the environment, and we have contacted the responsible team to verify the server health during the issue.
    Regarding the IO operations we can see that the load balancer is pinging the LDAP server every 15 seconds to check the status of the LDAP servers, which yields a new connection on every hit (on average 8 connections per minute).
    3) We are using cn=dsameuser to bind to the directory server. Other configuration details for LDAP:
    LDAP Connection Pool Minimum Size: 1
    LDAP Connection Pool Maximum Size: 10
    Maximum Results Returned from Search: 1700
    Search Timeout: 10
    Is the configured Search Timeout value proper? (We have fewer than 1500 users in the LDAP server.)
    Also, is there any impact if the value Maximum Results Returned from Search is set to 1700? (The Sun document for AM says that the ideal value for this is 1000 and that if it is higher than this it will impact performance.)
    The application was running without the timeout issue for the last 2 years and there was not much increase in the number of users in the system (at most 200 users added to the system in the last 2 years).
    Thanks,
    Jay
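    The question above asks how to find out which searches are slow. An added example, not code from either poster: a small parser for the Directory Server access-log layout quoted in the post, which rebuilds the etime table, joins each SRCH to its RESULT or ABANDON on the same connection, and flags the operations that hit the timeout. The log lines below are constructed (placeholder DNs and filter terms); the `notes=U` marker on a RESULT line is the server's own flag for an unindexed search, which is the first thing to look for when a search over fewer than 1500 entries takes seconds.

```python
import re
from collections import Counter

# Constructed sample in the Sun/Oracle Directory Server access-log layout
# shown in the thread; DNs and filter attribute names are placeholders.
SAMPLE_LOG = """\
[28/May/2012:14:21:10 +0200] conn=281 op=41430 msgId=853990 - SRCH base="dc=example,dc=com" scope=2 filter="(&(flag1=true)(objectClass=vfperson))" attrs=ALL
[28/May/2012:14:21:11 +0200] conn=281 op=41430 msgId=853990 - RESULT err=0 tag=101 nentries=884 etime=1
[28/May/2012:14:21:12 +0200] conn=281 op=41431 msgId=853992 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs=ALL
[28/May/2012:14:21:12 +0200] conn=281 op=41431 msgId=853992 - RESULT err=0 tag=101 nentries=1 etime=0
[28/May/2012:14:21:26 +0200] conn=281 op=41433 msgId=853995 - SRCH base="dc=example,dc=com" scope=2 filter="(&(flag1=true)(flag2=true)(objectClass=vfperson))" attrs=ALL
[28/May/2012:14:21:36 +0200] conn=281 op=41434 msgId=854001 - ABANDON targetop=41433 msgid=853995 nentries=884 etime=10
[28/May/2012:14:21:40 +0200] conn=282 op=2 msgId=5 - SRCH base="dc=example,dc=com" scope=2 filter="(&(flag1=true)(objectClass=vfperson))" attrs=ALL
[28/May/2012:14:21:46 +0200] conn=282 op=2 msgId=5 - RESULT err=0 tag=101 nentries=884 etime=6 notes=U
"""

# Common prefix of every access-log line, then the operation keyword.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) msgId=(?P<msgid>\d+) - '
    r'(?P<kind>SRCH|RESULT|ABANDON)\b(?P<rest>.*)$'
)
# key=value pairs after the keyword; quoted values may contain spaces and '='.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_access_log(text):
    """Return one dict per SRCH, RESULT or ABANDON line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {k: m.group(k) for k in ("ts", "conn", "op", "msgid", "kind")}
        for key, val in KV_RE.findall(m.group("rest")):
            rec[key] = val[1:-1] if val.startswith('"') else val
        records.append(rec)
    return records


def etime_histogram(records):
    """Count finished operations by elapsed seconds, like the table in the post."""
    return Counter(int(r["etime"]) for r in records
                   if r["kind"] in ("RESULT", "ABANDON") and "etime" in r)


def slow_searches(records, timeout=10):
    """Join every SRCH to its outcome on the same connection and return those
    that were abandoned or whose etime reached the timeout, with the filter
    and base of the search and whether the server marked it unindexed."""
    searches = {(r["conn"], r["op"]): r for r in records if r["kind"] == "SRCH"}
    slow = []
    for r in records:
        if r["kind"] == "RESULT":
            key = (r["conn"], r["op"])
        elif r["kind"] == "ABANDON":
            key = (r["conn"], r["targetop"])   # ABANDON names the op it cancelled
        else:
            continue
        srch = searches.get(key)
        if srch is None:
            continue
        etime = int(r["etime"])
        if r["kind"] == "ABANDON" or etime >= timeout:
            slow.append({
                "conn": srch["conn"], "op": srch["op"],
                "base": srch["base"], "filter": srch["filter"],
                "nentries": int(r.get("nentries", 0)), "etime": etime,
                "outcome": r["kind"], "unindexed": r.get("notes") == "U",
            })
    return slow


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_LOG)
    for etime, n in sorted(etime_histogram(recs).items()):
        print(f"{n} etime={etime}")
    for s in slow_searches(recs, timeout=5):
        print(s["outcome"], s["conn"], s["op"], s["etime"], "unindexed" if s["unindexed"] else "", s["filter"])
```

    Run against the real access log with the timeout Access Manager uses, the output shows which filter shape is the slow one and whether the server itself reports it as unindexed; searches with nentries in the hundreds returned with attrs=ALL are also the ones the result-size limit in the reply applies to.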

  • LDAP search cannot find entry by user "defined attribute" or "sounds like"

    Hi, I have a JSP program that searches an LDAP Sun One Directory Server.
    All of my search filters (by givenname, sn, mail and phone #) work fine with the search base set at the very top (root) of my DIT tree.
    However, with the same search base, searching by a "User Defined Attribute" fails to return anything (and note that my search filter includes the objectclass that goes with this user defined attribute)?
    Yet, if I change the search base so it points all the way down the DIT tree (maybe near the RDN?), the "User Defined Attribute" search works fine?
    Additionally, the "sounds like" search filter (givenname~=) fails to find anything at
    the upper root search base of the DIT. If I change the search base to point down in the DIT tree as I did above, the "sounds like" filter will work?
    I've tried everything I know.

    Hi Dora9,
    Thanks for your reply.
    I am glad that you have solved the problem, and thanks for sharing the solution with us
    here, so it would be helpful for other members who get the same issue,
    and we will close this case.
    In addition, I suggest you could try to get
    the issue confirmed and diagnosed by the product team. Would you please create a Connect report for it? You will get email notification of updates from the product team experts:
    http://connect.microsoft.com/VisualStudio/feedback/CreateFeedback.aspx,
    if you submit it, you could share the link with us here, so we could know the latest information from the product team experts. And I will help you to vote for it.
    Thanks for your understanding.
    Best Regards,

  • Modifying the existing search base to a new one

    My CoreId has the search base set to "dc=abc, dc=com". For better architecture reasons, I now want to change the search base to a new LDAP node called "Users,dc=abc,dc=com". I will move all our users and groups from the earlier node "dc=abc, dc=com" to the new one "Users,dc=abc,dc=com". So all my users and groups will have a different entryDN after the move, but they will carry the same user-id/group-id.
    Here are a few questions related to this.
    (1) All workflows refer to many users and groups. By changing the search base, will they refer to the new location automatically, or do I have to manually change all the workflows by reselecting the users and groups?
    (2) Do I have to redefine all our static groups again since all users have a different entryDN now?
    (3) Do I have to make any modifications to all the existing authentication schemes etc.?
    (4) Any other modifications/tasks?
    Thanks!
    Kp

    Hello Saggu, before running this conversion tool I have a few specific questions.
    What is the meaning of these options for obmigratedn.exe?
    -c <configDN> : I am assuming this is the Oblix configuration DN value (o=Oblix,dc=abc,dc=com) provided during CoreId setup
    -o <oblixnode> : ???
    -i <installdir> : Is this the CoreId installation directory?
    -n <native_dn> : ???
    -l <logical_dn> : ???
    Just a note: I want to change only the user DNs (for example "cn=kabi,dc=abc,dc=com" to "cn=kabi,o=employee,dc=abc,dc=com"). The Oblix configuration remains at the old node. Not sure if I should run this tool.

  • Change search base?

    So currently my search base is dc=domain,dc=com and I want to change that to cn=users,dc=domain,dc=com. It seems like this should be more simple than it is.
    I have no users on LDAP, so I can pretty much promote and demote and VIM the **** out of whatever I need to in order to get this to work. I'm a new guy to LDAP and such, so whatever information I can give you I will.
    I'm running OS X 10.5 Server on an Xserve.
    Thanks for any help you can offer!
    nick

    Hi
    The search base derives itself from the Kerberos Realm Name which in turn derives itself from your DNS zone name and server name or FQDN (fully qualified domain name).
    For example:
    You have a domain (can be real, can be pretend, depending on what you want) called mydomain.com. You call your server xserve. This yields an FQDN of xserve.mydomain.com. When promotion takes place this in turn will yield a Kerberos Realm of XSERVE.MYDOMAIN.COM, which in turn will yield a search base of dc=xserve,dc=mydomain,dc=com.
    If you want to change the search base, change it at that point, although I don't quite understand why? Surely if you want to search the LDAP database you would start from the top of the hedge?
    Tony
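    The two threads above ask what has to change when the search base moves: the reply just given shows how the base is derived from the FQDN, and the earlier "Modifying the existing search base" question asks whether static groups and workflow references survive a move of the entries. An added example, not code from any poster or from CoreId/Open Directory: standard-library helpers that derive the realm and base from an FQDN, split a DN into RDNs while honouring backslash escapes (a comma inside cn=Doe\, Jane must not split), and rewrite an entry's DN together with its DN-valued attributes (member, uniqueMember, owner, manager, seeAlso). The attribute list and the dict-shaped entry are assumptions for the illustration; matching is case-insensitive on the assumption that no case-exact attribute types appear in the base.

```python
DN_VALUED_ATTRS = ("member", "uniquemember", "owner", "manager", "seealso")  # assumed set


def split_dn(dn):
    """Split an RFC 4514 string DN into its RDNs; a backslash escapes the next
    character, so an escaped comma stays inside its value."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def _norm(rdns):
    """Comparison key: case-folded RDNs (assumes case-insensitive matching rules)."""
    return tuple(r.lower() for r in rdns)


def fqdn_to_search_base(fqdn):
    """Derive (Kerberos realm, LDAP search base) from a server FQDN the way the
    reply describes: xserve.mydomain.com -> XSERVE.MYDOMAIN.COM and
    dc=xserve,dc=mydomain,dc=com."""
    labels = [l for l in fqdn.strip().rstrip(".").split(".") if l]
    if not labels:
        raise ValueError("empty FQDN")
    realm = ".".join(labels).upper()
    base = ",".join(f"dc={l.lower()}" for l in labels)
    return realm, base


def is_under(dn, base):
    """True when dn lies in the subtree rooted at base (or equals it)."""
    parts, b = split_dn(dn), split_dn(base)
    n = len(b)
    return n > 0 and len(parts) >= n and _norm(parts[-n:]) == _norm(b)


def rebase_dn(dn, old_base, new_base):
    """Return dn with its old_base suffix replaced by new_base."""
    if not is_under(dn, old_base):
        raise ValueError(f"{dn!r} is not under {old_base!r}")
    parts = split_dn(dn)
    return ",".join(parts[:-len(split_dn(old_base))] + split_dn(new_base))


def _rebase_if_under(dn, old_base, new_base):
    # A member outside the moved subtree keeps its DN unchanged.
    return rebase_dn(dn, old_base, new_base) if is_under(dn, old_base) else dn


def rebase_entry(entry, old_base, new_base):
    """Rewrite an entry's own DN and every DN-valued attribute. entry is a dict
    with a 'dn' string and attribute-name -> list-of-values items; this is the
    work a static group needs after its members move, which the question asks about."""
    out = {}
    for attr, values in entry.items():
        if attr == "dn":
            out[attr] = rebase_dn(values, old_base, new_base)
        elif attr.lower() in DN_VALUED_ATTRS:
            out[attr] = [_rebase_if_under(v, old_base, new_base) for v in values]
        else:
            out[attr] = list(values)
    return out


if __name__ == "__main__":
    print(fqdn_to_search_base("xserve.mydomain.com"))
    group = {"dn": "cn=admins,dc=abc,dc=com", "objectClass": ["groupOfNames"],
             "member": ["cn=kabi,dc=abc,dc=com", "cn=svc,dc=other,dc=com"]}
    print(rebase_entry(group, "dc=abc, dc=com", "o=employee,dc=abc,dc=com"))
```

    The point for the questions above is the `member` rewrite: moving the entries changes their entryDN, so every attribute that stores a DN (group membership, manager, and any DN a workflow recorded) has to be rewritten as well; identifiers such as uid stay the same, which is why a uid-based search base change is less invasive than a DN move.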

  • LDAP Search filter Jabber for Android

    Hi,
    I have this LDAP filter which only shows me active users:
    <BaseFilter>(&amp;(objectclass=user)(objectcategory=person)(!UserAccountControl:1.2.840.113556.1.4.803:=2))</BaseFilter>
    I have the same line for Jabber for Android, but it doesn't work.
    <BDIBaseFilter>(&amp;(objectclass=user)(objectcategory=person)(!UserAccountControl:1.2.840.113556.1.4.803:=2))</BDIBaseFilter>
    I get 0 results for any search on Jabber Android. When I delete the "BDI" line for the filter altogether, then I get correct results, with photos and everything.
    I also tried a simple filter, e.g.:
    <BDIBaseFilter>(!UserAccountControl:1.2.840.113556.1.4.803:=2))</BDIBaseFilter>
    No search results either.
    Any ideas how to get the filter for Android working?
    Versions:
    Jabber for Android: 10.6
    CUCM: 9.1.2

    I think I found the corresponding messages in the log:
    csf.person.ldap: [LdapSearchQueryHandler.cpp(51)] [start] - reqId = 2
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1482)] [sendSearchQuery] -
    02-26 09:18:59.851 15477 15477 I csf.person.xmpp: [XMPPPersonRecordSource.cpp(268)] [fetchContacts] - Entering.
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1531)] [sendSearchQuery] -  filter  = (&(objectclass=user)(objectcategory=person)(!UserAccountControl:1.2.840.113556.1.4.803:=2)(|(sAMAccountName=at1sath))), baseDN=OU=Organization,DC=at,DC=customer,DC=net
    02-26 09:18:59.851 15477 15477 D services-dispatcher: [ServicesDispatcher.cpp(147)] [pumpNext] -  pumpNext.executed (ContactsAdapter::LoadContactsFromSource)
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1576)] [sendSearchQuery] - ldap search error. rc= -7 ,msg=Bad search filter
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1675)] [notifyListenersSearchRequestCompleted] - errorCode=-7
    02-26 09:18:59.851 15477 15477 D services-dispatcher: [ServicesDispatcher.cpp(145)] [pumpNext] -  pumpNext.executing (ContactsAdapter::LoadContactsFromSource)
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1258)] [mapErrorNo] - Code = -7, Msg=Bad search filter
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapSearchQueryHandler.cpp(84)] [onSearchRequestCompleted] - reqId = 1, errcode = 9
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1531)] [sendSearchQuery] -  filter  = (&(objectclass=user)(objectcategory=person)(!UserAccountControl:1.2.840.113556.1.4.803:=2)(|(sAMAccountName=at1hafr))), baseDN=OU=Organization,DC=at,DC=customer,DC=net
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1576)] [sendSearchQuery] - ldap search error. rc= -7 ,msg=Bad search filter
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1675)] [notifyListenersSearchRequestCompleted] - errorCode=-7
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1258)] [mapErrorNo] - Code = -7, Msg=Bad search filter
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapSearchQueryHandler.cpp(84)] [onSearchRequestCompleted] - reqId = 2, errcode = 9
    The next question is now: Why is it a bad search filter? And what is the correct one? The same filter works on jabber for windows...
    BR, Dave

  • How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird?

    How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird?  We have a super awesome contacts server that works great for our Mac users.  About 30% of our company are on PCs, and I would like to use the Mozilla Thunderbird mail client for them.  I see that in Thunderbird I can set up LDAP searching, and would like to have this feature point to our contacts server.  I've tried several different settings, and looked all over the web, but could not find the proper way to configure this.  Does anyone know if this can be done, or if not, would have a better suggestion?  Thank you for your time!!

    Try double-clicking; Keychain Access should launch and ask if you want to install it in login, System, or System Roots.
    A dialog box will launch asking where to install the cert; since you're configuring a VPN I would put the certificate in System.

Maybe you are looking for