DIRECTORY NAMING SERVICE (LDAP) supported in Oracle 11.5.10

Hi,
Directory naming service (LDAP) can be integrated directly with 11i (11.5.10) for Net Services authentication.
Cheers !

Please see these docs.
Oracle Application Server with Oracle E-Business Suite Release 11i FAQ [ID 186981.1]
Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On [ID 261914.1]
Installing Oracle Application Server 10g with Oracle E-Business Suite Release 11i [ID 233436.1]
Thanks,
Hussein

Similar Messages

  • Cannot add Active Directory Domain Services role on - DirectoryServices-DomainController . Status: -2147021879 (80070bc9)

    Hi everyone,
    I've been banging my head against this for a while and hope someone can help me.
    Running Windows Server 2008 R2 Standard with Service Pack 1.
    When I try to add the Active Directory Domain Services role to the server it gets to about 90% complete and then dies.
    The ServerManager.log shows the following information, I have run the System Readiness Tool - output below - with no errors found.
    At a loss on what to do next. The only other links I've found suggest rebuilding the server which I would really like to avoid...
    Help appreciated,
    John
    ServerManager.log (extract)
    ==========
    name : Active Directory Domain Services
    state : Changed
    rank : 1
    sync tech: CBS
    guest[1] : Active Directory Domain Controller
    guest[2] : Identity Management for UNIX
    ant. : empty
    pred. : empty
    provider : null
    name : Active Directory Domain Controller
    state : Changed
    rank : 4
    sync tech: CBS
    ant. : .NET Framework 3.5.1
    pred. : Active Directory Domain Services, .NET Framework 3.5.1
    provider : Provider
    8720: 2012-01-18 10:54:41.853 [Sync] Calling sync provider of Active Directory Domain Controller ...
    8720: 2012-01-18 10:54:41.853 [Provider] Sync:: guest: 'Active Directory Domain Controller', guest deleted?: False
    8720: 2012-01-18 10:54:41.853 [Provider] Begin installation of 'Active Directory Domain Controller'...
    8720: 2012-01-18 10:54:41.853 [Provider] Install: Guest: 'Active Directory Domain Controller', updateElement: 'DirectoryServices-DomainController'
    8720: 2012-01-18 10:54:41.853 [Provider] Installation queued for 'Active Directory Domain Controller'.
    8720: 2012-01-18 10:54:41.853 [CBS] installing 'DirectoryServices-DomainController ' ...
    8720: 2012-01-18 10:54:42.399 [CBS] ...parents that will be auto-installed: 'NetFx3 '
    8720: 2012-01-18 10:54:42.399 [CBS] ...default children to turn-off: 'WCF-HTTP-Activation '
    8720: 2012-01-18 10:54:42.415 [CBS] ...current state of 'DirectoryServices-DomainController': p: Staged, a: Staged, s: UninstallRequested
    8720: 2012-01-18 10:54:42.415 [CBS] ...setting state of 'DirectoryServices-DomainController' to 'InstallRequested'
    8720: 2012-01-18 10:54:42.430 [CBS] ...current state of 'NetFx3': p: Installed, a: Installed, s: InstallRequested
    8720: 2012-01-18 10:54:42.430 [CBS] ...skipping 'NetFx3' because it is already in the desired state.
    8720: 2012-01-18 10:54:42.430 [CBS] ...current state of default child 'WCF-HTTP-Activation': p: Installed, a: Installed, s: InstallRequested
    8720: 2012-01-18 10:54:42.430 [CBS] ...skipped child 'WCF-HTTP-Activation' because it is already installed
    8720: 2012-01-18 10:54:42.461 [CBS] ...'DirectoryServices-DomainController' : applicability: Applicable
    8720: 2012-01-18 10:54:42.461 [CBS] ...'NetFx3' : applicability: Applicable
    8720: 2012-01-18 10:54:42.539 [CbsUIHandler] Initiate:
    8720: 2012-01-18 10:54:42.539 [InstallationProgressPage] Installing...
    8720: 2012-01-18 10:54:42.758 [InstallationProgressPage] Verifying installation...
    8720: 2012-01-18 10:54:42.758 [InstallationProgressPage] Installing...
    8720: 2012-01-18 10:55:03.740 [CbsUIHandler] Error: -2147021879 :
    8720: 2012-01-18 10:55:03.740 [CbsUIHandler] Terminate:
    8720: 2012-01-18 10:55:03.787 [InstallationProgressPage] Verifying installation...
    8720: 2012-01-18 10:55:03.802 [CBS] ...done installing 'DirectoryServices-DomainController '. Status: -2147021879 (80070bc9)
    8720: 2012-01-18 10:55:03.818 [Provider] Skipped configuration of 'Active Directory Domain Controller' because install operation failed.
    8720: 2012-01-18 10:55:03.818 [Provider]
    [STAT] ---- CBS Session Consolidation -----
    [STAT] For
    'Active Directory Domain Controller'[STAT] installation(s) took '21.9535541' second(s) total.
    [STAT] Configuration(s) took '0.0007754' second(s) total.
    [STAT] Total time: '21.9543295' second(s).
    8720: 2012-01-18 10:55:03.818 [Provider] Error (Id=0) Sync Result - Success: False, RebootRequired: True, Id: 110
    8720: 2012-01-18 10:55:03.818 [Provider] Error (Id=0) Sync Message - OperationKind: Install, MessageType: Error, MessageCode: -2147021879, Message: <null>, AdditionalMessage: The requested operation failed. A system reboot is required to roll back changes made
    8720: 2012-01-18 10:55:03.818 [InstallationProgressPage] Sync operation completed
    8720: 2012-01-18 10:55:03.818 [InstallationProgressPage] Performing post install/uninstall discovery...
    8720: 2012-01-18 10:55:03.833 [Provider] C:\Windows\system32\ServerManager\Cache\CbsUpdateState.bin does not exist.
    8720: 2012-01-18 10:55:03.833 [CBS] IsCacheStillGood: False.
    8720: 2012-01-18 10:55:04.333 [CBS] >>>GetUpdateInfo--------------------------------------------------
    8720: 2012-01-18 10:55:34.784 [CBS] Error (Id=0) Function: 'ReadUpdateInfo()->Update_GetInstallState' failed: 80070bc9 (-2147021879)
    8720: 2012-01-18 10:55:34.784 [CBS] <<<GetUpdateInfo--------------------------------------------------
    8720: 2012-01-18 10:55:34.815 [DISCOVERY] hr: -2147021879 -> reboot required.
    8720: 2012-01-18 10:55:34.831 [InstallationProgressPage] About to load finish page...
    8720: 2012-01-18 10:55:34.831 [InstallationFinishPage] Loading finish page
    8720: 2012-01-18 10:55:34.831 [InstallationFinishPage] Finish page loaded
    CheckSUR.log
    =================================
    Checking System Update Readiness.
    Binary Version 6.1.7601.21645
    Package Version 13.0
    2012-01-18 10:33
    Checking Windows Servicing Packages
    Checking Package Manifests and Catalogs
    Checking Package Watchlist
    Checking Component Watchlist
    Checking Packages
    Checking Component Store
    Summary:
    Seconds executed: 220
    No errors detected

    Hi John,
    Thanks for posting.
    Performed some research and some results say that this problem can be caused by HD Write Caching.
    To disable Write Caching:
    1. Go to Device Manager.
    2. Click the plus sign (+) next to the Disk Drives branch to expand it.
    3. Right-click the drive on which you want to enable or disable disk write caching, and then click Properties.
    4. Click the Disk Properties tab.
    5. Click to select or clear the Write Cache Enabled check box as appropriate.
    6. Click OK.
    If no luck, please check if any errors can be found in Event log, Dcpromoui.Log and Dcpromo.log
    The following articles may be helpful to you:
    Known Issues for Installing and Removing AD DS
    http://technet.microsoft.com/en-us/library/cc754463(v=WS.10).aspx
    You cannot install Active Directory Domain Services
    http://support.microsoft.com/kb/975142
    Thanks
    ZHANG
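
The status value that recurs in the ServerManager.log extract above can be decoded mechanically. The following is an added example, not part of the original posts: it pulls the status codes out of a few lines copied from that log and splits each HRESULT into failure bit, facility and code. The function names are hypothetical, and the two Win32 names in the table come from winerror.h.

```python
import re

# HRESULT layout: bit 31 = failure flag, bits 16-26 = facility, bits 0-15 = code.
FACILITY_WIN32 = 7

# Win32 error names (winerror.h) for the reboot-related codes relevant here.
WIN32_NAMES = {
    3010: "ERROR_SUCCESS_REBOOT_REQUIRED",
    3017: "ERROR_FAIL_REBOOT_REQUIRED",
}

# Sample input: four lines copied from the ServerManager.log extract in the post.
SAMPLE_LOG = """\
8720: 2012-01-18 10:54:42.415 [CBS] ...setting state of 'DirectoryServices-DomainController' to 'InstallRequested'
8720: 2012-01-18 10:55:03.740 [CbsUIHandler] Error: -2147021879 :
8720: 2012-01-18 10:55:03.802 [CBS] ...done installing 'DirectoryServices-DomainController '. Status: -2147021879 (80070bc9)
8720: 2012-01-18 10:55:34.784 [CBS] Error (Id=0) Function: 'ReadUpdateInfo()->Update_GetInstallState' failed: 80070bc9 (-2147021879)
"""

LINE_RE = re.compile(
    r"^(?P<pid>\d+): (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) "
    r"\[(?P<component>\w+)\] (?P<msg>.*)$"
)
SIGNED_RE = re.compile(r"(?<![\w.])-\d{7,10}\b")   # e.g. -2147021879
HEX_RE = re.compile(r"\b8[0-9a-fA-F]{7}\b")        # e.g. 80070bc9


def decode_hresult(value):
    """Split a signed or unsigned 32-bit HRESULT into its fields."""
    u = value & 0xFFFFFFFF
    facility = (u >> 16) & 0x7FF
    code = u & 0xFFFF
    if facility == FACILITY_WIN32:
        name = WIN32_NAMES.get(code, "Win32 error %d" % code)
    else:
        name = "facility %d code %d" % (facility, code)
    return {
        "hex": "%08x" % u,
        "failure": bool(u >> 31),
        "facility": facility,
        "code": code,
        "name": name,
    }


def status_codes(msg):
    """Collect the distinct status values in one log message, as unsigned ints."""
    codes = {int(m) & 0xFFFFFFFF for m in SIGNED_RE.findall(msg)}
    codes |= {int(m, 16) for m in HEX_RE.findall(msg)}
    return codes


def failed_steps(log_text):
    """Return one record per log line and failing HRESULT found on it."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # continuation lines such as the [STAT] block
        for code in sorted(status_codes(m.group("msg"))):
            decoded = decode_hresult(code)
            if decoded["failure"]:
                results.append({
                    "ts": m.group("ts"),
                    "component": m.group("component"),
                    "hex": decoded["hex"],
                    "name": decoded["name"],
                })
    return results


if __name__ == "__main__":
    for step in failed_steps(SAMPLE_LOG):
        print(step["ts"], step["component"], step["hex"], step["name"])
```

Code 3017 is the Win32 error whose message text is the AdditionalMessage shown in the log, which is why the discovery step reports "reboot required".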

  • Connecting oracle using Directory Naming Method

    Hi,
    I am just checking the possibilities of implementing Directory Naming Method in our organization. Currently we are using Local Naming method (using tnsnames.ora).
    I did google to find the prerequisites to use directory naming method and I couldn't find the right document.
    Could somebody who has implemented and is using directory naming method (via centralized LDAP-compliant directory server) help me in finding the prerequisites and what kind of infrastructure we should have to implement the same in our organization?
    Thanks in advance for your help.
    Krishna.

    I'm trying to figure these things out myself.
    I have some questions for you:
    1. What operating systems do your server and workstations use?
    If they're all Windows and you're on a Windows Domain, consider Active Directory as the directory service.
    2. If it is all unix-like operating systems, consider using Oracle Internet Directory as the directory service.
    3. Mixed Windows and Unix-like operating systems - use whatever you are currently using as the directory service.
    At http://tahiti.oracle.com/ you may want to read some of the following books from oracle:
    - Platform Guide for Microsoft Windows (if you're using Windows)
    - Advanced Security Administrator's Guide
    - Enterprise User Security Administrator's Guide
    - Net Services Administrator's Guide
    - Net Services Reference
    - Oracle Internet Directory Administrator's Guide
    - Oracle Database 2 Day DBA
    Options to consider: Kerberos or Active Directory
    If using Windows and you are already using Active Directory, consider this:
    Microsoft Environment: Configuring Oracle Advanced Security Option (ASO) Kerberos Adapter with Windows 2003 Active Directory
    See Metalink doc-id: 368321.1

  • LDAP support limited. How to configure Address Book / Directory Access?

    I complained to a sysadmin that my LDAP searches were returning very limited information (just surname and e-mail). He replied,
    "...[Address Book] can't be configured to query specific attributes, it can't be configured to show specific attributes except for the small set they have elected to permit, ... it doesn't even show cn/commonName which is a compulsory field in the inetOrgPerson schema or ou/organizationalUnitName which is the standard way of distinguishing components of an organization..."
    Directory Access seems to offer facilities for requesting specific attributes. I tried mapping them to Address Book fields, but with no improvement in the search results. Any tips?

    Here is some info I found on manually configuring and mapping schemas.
    Configuring LDAP Searches and Mappings
    Using Directory Access, you can edit the mappings, search bases, and search scopes that specify how Mac OS X finds specific data items in an LDAP directory. You can edit these settings separately for each LDAP directory configuration listed in Directory Access. Each LDAP directory configuration specifies how Mac OS X accesses data in an LDAPv3 or LDAPv2 directory.
    You can edit the mapping of each Mac OS X record type to one or more LDAP object classes.
    For each record type, you can also edit the mapping of Mac OS X data types, or attributes, to LDAP attributes.
    You can edit the LDAP search base and search scope that determine where Mac OS X looks for a particular Mac OS X record type in an LDAP directory.
    IMPORTANT: When mapping Mac OS X user attributes to a read/write LDAP directory domain (an LDAP domain that is not read-only), the LDAP attribute mapped to RealName must not be the same as the first attribute in a list of LDAP attributes mapped to RecordName. For example, the cn attribute must not be the first attribute mapped to RecordName if cn is also mapped to RealName.
    For detailed specifications of Mac OS X record types and attributes, refer to "Mac OS X Server Open Directory Administration for Version 10.4 or Later" (available at www.apple.com/server/documentation/).
    In Directory Access, click Services.
    If the lock icon is locked, click it and type the name and password of an administrator.
    Select LDAPv3 in the list of services, then click Configure.
    If the list of server configurations is hidden, click Show Options.
    Select a server configuration in the list, then click Edit.
    Click Search & Mappings.
    Select the mappings that you want to use as a starting point, if any.
    Click the "Access this LDAPv3 server using" pop-up menu and choose a mapping template to use its mappings as a starting point or choose Custom to begin with no predefined mappings.
    Add record types and change their search bases as needed.
    To add record types, click the Add button below the Record Types and Attributes list. In the sheet that appears, select Record Types, select one or more record types from the list, and then click OK.
    To change the search base and search scope of a record type, select it in the Record Types and Attributes List. Then edit the "Search base" field. Select "all subtrees" to set the search scope to include the entire LDAP directory's hierarchy from the search base down. Select "first level only" to set the search scope to include only the search base and one level below it in the LDAP directory's hierarchy.
    To remove a record type, select it in the Record Types and Attributes List and click Delete.
    To add a mapping for a record type, select the record type in the Record Types and Attributes List. Then click the Add button below "Map to __ items in list" and enter the name of an object class from the LDAP directory. To add another LDAP object class, you can press Return and enter the name of the object class. Specify whether to use all or any of the listed LDAP object classes by using the pop-up menu above the list.
    To change a mapping for a record type, select the record type in the Record Types and Attributes List. Then double-click the LDAP object class that you want to change in the "Map to __ items in list" and edit it. Specify whether to use all or any of the listed LDAP object classes by using the pop-up menu above the list.
    To remove a mapping for a record type, select the record type in the Record Types and Attributes List. Then click the LDAP object class that you want to remove from the "Map to __ items in list" and click the Delete button below "Map to __ items in list."
    Add attributes and change their mappings as needed.
    To add attributes to a record type, select the record type in the Record Types and Attributes List. Then click the Add button below the Record Types and Attributes list. In the sheet that appears, select Attribute Types, select one or more attribute types, and then click OK.
    To add a mapping for an attribute, select the attribute in the Record Types and Attributes List. Then click the Add button below "Map to __ items in list" and enter the name of an attribute from the LDAP directory. To add another LDAP attribute, you can press Return and enter the name of the attribute.
    To change a mapping for an attribute, select the attribute in the Record Types and Attributes List. Then double-click the item that you want to change in the "Map to __ items in list" and edit the item name.
    To remove a mapping for an attribute, select the attribute in the Record Types and Attributes List. Then click the item that you want to remove from the "Map to __ items in list" and click the Delete button below "Map to __ items in list."
    To change the order of attributes displayed in the list on the right, drag the attributes up or down in the list.
    Click Save Template if you want to save your mappings as a template.
    Templates saved in the default location are listed in pop-up menus of LDAP mapping templates the next time the current user opens Directory Access. The default location for saved templates is in the current user's home folder at this path:
    ~/Library/Application Support/Directory Access/LDAPv3/Templates
    Click Write to Server if you want to store the mappings in the LDAP directory so that it can supply them automatically to its clients.
    You must enter a search base to store the mappings, a distinguished name of an administrator (for example, uid=diradmin,cn=users,dc=ods,dc=example,dc=com), and a password. If you are writing mappings to an Open Directory LDAP server, the correct search base is "cn=config, suffix" (where suffix is the server's search base suffix, such as "dc=ods,dc=example,dc=com").
    The LDAP directory supplies its mappings to Mac OS X clients whose custom search policy includes a connection that's configured to get mappings from the LDAP server. The LDAP directory also supplies its mappings to all Mac OS X clients that have an automatic search policy. For instructions, see Configuring Access to an LDAP Directory and Setting Up Search Policies.

  • Problem with Sun Outlook connector Microsoft LDAP Directory MAPI Service Pr

    Dear All
    I have a big problem with Sun Outlook Connector and I can find any way to fix the problem.
    I am using Sun Java System Connector deployment to create an installation script for my clients.
    In the tool I have specified the location of Microsoft LDAP services. I am using Outlook 2003 and Sun says this option is not needed for Outlook 2003. If I try to create the script and run it on the target client, I receive the error below.
    I tried the Office CD-ROM as the path for LDAP services, but the Outlook connector says there is no LDAP services on the CD and I receive the same error:
    19:02:29 [5365] Outlook version is 11.0.5608.0.
    19:02:29 [5376] Adding MAPI directory 'C:\Program Files\Common Files\System\MAPI\1033' to PATH.
    19:02:29 [5475] TMP directory is 'C:\DOCUME~1\MMESKA~1\LOCALS~1\Temp'.
    19:02:31 [5362] Checking Windows version.
    19:02:31 [5363] Windows version is 5.1.
    19:02:31 [5364] Checking Outlook version.
    19:02:31 [5509] Checking default mail client.
    19:02:31 [5508] Default mail client is 'Microsoft Outlook'.
    19:02:31 [5178] Verifying that Outlook is not running.
    19:02:31 [5179] Trying to login to shared session.
    19:02:31 [5369] Installing Sun Java System MAPI Service Providers using 'C:\DOCUME~1\MMESKA~1\LOCALS~1\Temp\Sun Outlook Connector\sunone-mapi-services.msi'.
    19:02:32 [5502] Upgrading the Sun Java System MAPI Service Providers.
    19:02:40 [5370] Finished installing Sun Java System MAPI Service Providers.
    19:02:40 [5366] Checking whether Sun Java System MAPI Service Providers are installed.
    19:02:40 [5367] Sun Java System MAPI Service Providers are installed.
    19:02:40 [5416] Checking whether Microsoft LDAP Directory MAPI Service Provider is installed.
    19:02:40 [5418] The Microsoft LDAP Directory MAPI Service Provider is not installed:
    19:02:40 File 'C:\Program Files\Common Files\System\MAPI\1033\EMABLT32.DLL' does not exist.
    19:02:40 [5416] Checking whether Microsoft LDAP Directory MAPI Service Provider is installed.
    19:02:40 [5418] The Microsoft LDAP Directory MAPI Service Provider is not installed:
    19:02:40 File 'C:\Program Files\Common Files\System\MAPI\1033\EMABLT32.DLL' does not exist.
    19:02:41 ERROR: Microsoft LDAP Directory MAPI Service Provider must first be installed.
    Best regards
    Mo

    Hi,
    Have a look at:
    http://forum.java.sun.com/thread.jspa?messageID=9320116
    Directions on the installation/configuration and requirements of the outlook connector (for 2005Q4 since you haven't told us what version of the comm suite you are using) are available at docs.sun.com e.g.
    http://docs.sun.com/app/docs/prod/2783#hic
    Outlook connector requires that you have UWC (a.k.a. Communication Express) installed and configured, which has its own requirements. UWC provides the single web-interface to mail & calendar & address-book. Outlook uses the address-book functionality via UWC, IMAP and SMTP for messaging/email, plus WCAP for calendar.
    Regards,
    Shane.

  • Message transformation supported in Oracle Service Bus.

    Hi,
    Please let me know the types of message transformation supported by OSB.
    I have found that it supports XML to XML message transformation based on XQuery and XSLT.
    Can anyone please tell me if it supports message transformation from XML to flat, aml to ISO and vice versa?
    Thanks in advance.

    Apart from XQuery and XSLT (XML to XML transformation), you may use MFL in OSB. A Message Format Language (MFL) document is a specialized XML document used to describe the layout of binary data. MFL resources support the following transformations:
    XML to binary—There is one required input (XML) and one output (binary).
    binary to XML—There is one required input (binary) and one output (XML).
    Each transformation accepts only one input and provides a single output.
    http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/consolehelp/mfls.html#wp1090749
    http://biemond.blogspot.com/2008/12/flat-file-to-xml-with-oracle-service.html
    http://download.oracle.com/docs/cd/E14571_01/doc.1111/e15867/mfls.htm#i1100502
    http://download.oracle.com/docs/cd/E14571_01/doc.1111/e15866/intro_fb.htm#CHDCAHHA
    Regards,
    Anuj

  • Problem with outlook connector LDAP Directory MAPI Service Provider is not

    Hi,
    I have a very basic problem with the Sun Outlook Connector client.
    I am using the Sun Java System Connector deployment tools to create a client installation script. On the first page I have to supply the location for web publisher and Microsoft LDAP service. I can find web publisher, and I don't have any clue about the location of LDAP services, and without this my client installation script keeps failing with the following error.
    The Microsoft LDAP Directory MAPI Service Provider is not installed.
    --- 2006/09/25 14:14 ---
    14:14:25 [5365] Outlook version is 11.0.5608.0.
    14:14:25 [5376] Adding MAPI directory 'C:\Program Files\Common Files\System\MAPI\1033' to PATH.
    14:14:25 [5475] TMP directory is 'C:\DOCUME~1\MMESKA~1\LOCALS~1\Temp'.
    14:14:26 [5362] Checking Windows version.
    14:14:26 [5363] Windows version is 5.1.
    14:14:26 [5364] Checking Outlook version.
    14:14:26 [5509] Checking default mail client.
    14:14:26 [5508] Default mail client is 'Microsoft Outlook'.
    14:14:26 [5178] Verifying that Outlook is not running.
    14:14:26 [5179] Trying to login to shared session.
    14:14:26 [5369] Installing Sun Java System MAPI Service Providers using 'C:\DOCUME~1\MMESKA~1\LOCALS~1\Temp\Sun Outlook Connector\sunone-mapi-services.msi'.
    14:14:28 [5502] Upgrading the Sun Java System MAPI Service Providers.
    14:14:38 [5370] Finished installing Sun Java System MAPI Service Providers.
    14:14:38 [5366] Checking whether Sun Java System MAPI Service Providers are installed.
    14:14:38 [5367] Sun Java System MAPI Service Providers are installed.
    14:14:38 [5416] Checking whether Microsoft LDAP Directory MAPI Service Provider is installed.
    14:14:38 [5418] The Microsoft LDAP Directory MAPI Service Provider is not installed:
    14:14:38 File 'C:\Program Files\Common Files\System\MAPI\1033\EMABLT32.DLL' does not exist.
    14:14:38 [5416] Checking whether Microsoft LDAP Directory MAPI Service Provider is installed.
    14:14:38 [5418] The Microsoft LDAP Directory MAPI Service Provider is not installed:
    14:14:38 File 'C:\Program Files\Common Files\System\MAPI\1033\EMABLT32.DLL' does not exist.
    14:14:38 ERROR: Microsoft LDAP Directory MAPI Service Provider must first be installed.
    Thank you for your help.
    Best regards
    Mo

    Hi,
    If memory serves, Outlook XP offered the ability to set what address-book connectors were installed, one of which was LDAP (by default enabled). It may be a similar situation with Outlook 2003 (which I assume you are using based on the version number in the debug logs). Try using the Office '03 install CD and see if you can find the LDAP addressbook option and install it.
    Regards,
    Shane.

  • "Your browser is not supported by Oracle BI Presentation Services"

    Hi,
    I have installed OBIEE 11.1.1.5 on Windows 7 and I am using Firefox 12.0, the latest version. When I try to open analytics through Firefox 12.0 I get a warning like “Your browser is not supported by Oracle BI Presentation Services”, and it opens in IE but charts are not displayed. Can anyone tell me the solution for this?
    Edited by: Uma on Apr 26, 2012 5:24 AM

    Hi Uma,
    Good that your issue is resolved. We are generally modifying/adding the header to override the existing version to a previous version, so instead of using the FF10+ header we are just modifying it to FF9 in order to make it work.
    The UA string of Firefox itself is broken down into four components:
    Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion
    Mozilla/5.0 is the general token that says the browser is Mozilla compatible, and is common to almost every browser today.
    platform describes the native platform the browser is running on (e.g. Windows, Mac, or Linux). Note that platform can consist of multiple "; "-separated tokens. See below for further details and examples.
    rv:geckoversion indicates the release version of Gecko (such as "10.0"). From Firefox 5.0 and Gecko 5.0 onwards, geckoversion is the same as firefoxversion (described below).
    Gecko/geckotrail indicates that the browser is based on Gecko. geckotrail is "20100101" in desktop release builds and does not represent the actual build date of the browser. For desktop development builds, geckotrail presently indicates the build date of the browser, but this is likely to change in the future. Starting February 1st 2012, geckotrail is the same as geckoversion and firefoxversion in Firefox for Android with a native front end (aka. Fennec Native).
    Firefox/firefoxversion indicates the browser is Firefox, and provides the version (such as "11.0").
    Thanks,
    RM
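
The four-part layout described in the reply above can be parsed and checked against the two rules the reply states (geckoversion equals firefoxversion from Firefox 5.0 on; geckotrail is "20100101" on desktop release builds or equal to geckoversion on Firefox for Android). This is an added example, not code from the thread; the function names and all sample strings are constructed for illustration. Because the header is supplied by the client, as the override in the reply shows, the result describes what a client claims rather than what it is.

```python
import re

# Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion
UA_RE = re.compile(
    r"^Mozilla/5\.0 \((?P<platform>.+?); rv:(?P<geckoversion>[^;)]+)\) "
    r"Gecko/(?P<geckotrail>\S+) Firefox/(?P<firefoxversion>\S+)$"
)

# Constructed sample strings (not taken from the thread).
UA_FF12 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"
UA_FF9 = "Mozilla/5.0 (Windows NT 6.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
UA_FENNEC = "Mozilla/5.0 (Android; Mobile; rv:12.0) Gecko/12.0 Firefox/12.0"
UA_MIXED = "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/9.0"
UA_OTHER = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"


def parse_firefox_ua(ua):
    """Return the four components as a dict, or None if the layout differs."""
    m = UA_RE.match(ua.strip())
    if m is None:
        return None
    parts = m.groupdict()
    # platform may hold several "; "-separated tokens
    parts["platform"] = parts["platform"].split("; ")
    return parts


def check_ua(ua):
    """List the ways a string departs from the rules quoted in the reply."""
    parts = parse_firefox_ua(ua)
    if parts is None:
        return ["not in the Firefox UA layout"]
    findings = []
    major = parts["firefoxversion"].split(".")[0]
    if (major.isdigit() and int(major) >= 5
            and parts["geckoversion"] != parts["firefoxversion"]):
        findings.append("geckoversion differs from firefoxversion")
    if parts["geckotrail"] not in ("20100101", parts["geckoversion"]):
        # development builds carry a build date here, so this is only a note
        findings.append("geckotrail is not a release-build value")
    return findings


if __name__ == "__main__":
    for ua in (UA_FF12, UA_FF9, UA_FENNEC, UA_MIXED, UA_OTHER):
        print(check_ua(ua) or "consistent", "<-", ua)
```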

  • Naming Service in separate LDAP

    Hi All,
    Can anybody please tell me if it is possible to use an LDAP server as a naming service rather than using WebLogic's naming service? If yes, then please tell me how it can be done.
    TIA,
    Sudarson


  • Unable to view Oracle Internet Directory Self Service Console

    I am trying to access Oracle Internet Directory Self Service Console via the following URL: http://x.x.x.x:7777/oiddas.
    I found the welcome page, but I am not able to access other tabs like my profile, directory, configuration.
    Error: Error encountered while connecting to Directory Server
    Please help!

    Thanks for your reply.
    As per your suggestion I checked with EM and found that the directory server instance is running.
    Whenever I click on the <Oracle Internet Directory Self Service Console> link, I get the said error.

  • Naming Service in Oracle Net Manager

    Hello,
    I've downloaded ODTwithODAC1020221.exe and installed ODP.NET successfully, and when I try to create a Naming Service by clicking on the + icon nothing happens.
    I have a working TNSNAMES.ORA in the ADMIN/NETWORK folder where I installed the ODP.NET. In the same folder I have SQLNET.ORA and a LISTENER.ORA files.
    I am using Visual Basic 2005 for my GUI.
    Thank you,
    Fred

    I click on the '+' sign or use the menu 'create' option but I do not get a screen to enter any information.
    I hard coded my tnsnames connection in my application and it works fine.
    Thanks for getting back to me with the information and link. I've tried all possible combinations without successfully being able to use the 'Naming Service' function.
    Fred

  • NET "Directory Naming" OK now using Sun Directory Server?

    Directory Server Enterprise Edition is much more light-weight than OID, and I'm wondering now it is under the Oracle umbrella, if it can be used instead of OID for Directory naming?
    Can't find anything online. Can anyone provide information?
    Thanks
    Kirk

    Thanks Salman. However I think any LDAP V3 server should work. I've seen people set it up with other vendors' LDAP servers. When directory naming was first introduced, there wasn't the restriction of OID only, Novell Directory Services was also supported. You can still use Microsoft Active Directory. I THINK it was limited to OID more for support purposes.
    Introduced in 8.1.6
    http://download.oracle.com/docs/cd/A81042_01/DOC/network.816/a76933/concepts.htm#1016403

  • Naming Services cannot work well!!!

    Hi,
    I have configured the AM2005Q4 and Policy agent with Apache. The Apache http.conf file is like
    ProxyRequests Off
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>
    ProxyPass /hzycportal http://exchange.hzliqun.com:8013/hzycportal
    ProxyPassReverse /hzycportal http://exchange.hzliqun.com:8013/hzycportal
    When I type http://exchange.hzliqun.com:8080/hzycportal in IE and enter the user/password, it cannot reach the application system. The agent debug log is like
    2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: HTTP Status = 200 (OK)
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Http::Response::readAndParse(): Reading headers.
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Server: Sun-Java-System-Web-Server/6.1
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Date: Mon, 21 Nov 2005 02:22:18 GMT
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Content-type: text/html
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Connection: close
    2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: Http::Response::readAndParse(): No content length in response.
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 all: Connection::waitForReply(): returns with status success.
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Http::Response::readAndParse(): Completed processing the response with status: success
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ResponseSet vers="1.0" svcid="com.iplanet.am.naming" reqid="2922">
    <Response><![CDATA[<NamingResponse vers="1.0" reqid="2916">
    <GetNamingProfile>
    <Exception>SessionID ---AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23---is Invalid</Exception>
    </GetNamingProfile>
    </NamingResponse>]]></Response>
    </ResponseSet>
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: NamingService()::parseNamingResponse(): Buffer to be parsed: <NamingResponse vers="1.0" reqid="2916">
    <GetNamingProfile>
    <Exception>SessionID ---AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23---is Invalid</Exception>
    </GetNamingProfile>
    </NamingResponse>
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: NamingService::parseNamingResponse(): Got Exception in XML.
    2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: NamingService::parseNamingResponse() returning with status invalid session.
    2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: NamingService()::getProfile() returning with error code invalid session.
    2005-11-21 10:23:07.578 Info 460:82f3d8 PolicyEngine: am_policy_evaluate: InternalException in Service::update_policy with error message:Naming query failed. and code:18
    2005-11-21 10:23:07.578 Warning 460:82f3d8 PolicyAgent: am_web_is_access_allowed()(http://exchange.hzliqun.com:8080/hzycportal, GET) denying access: status = invalid session
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_is_access_allowed(): Successfully logged to remote server for GET action by user unknown user to resource http://exchange.hzliqun.com:8080/hzycportal.
    2005-11-21 10:23:07.578 Info 460:82f3d8 PolicyAgent: am_web_is_access_allowed()(http://exchange.hzliqun.com:8080/hzycportal, GET) returning status: invalid session.
    2005-11-21 10:23:07.578 Info 460:82f3d8 PolicyAgent: process_request(): Access check for URL http://exchange.hzliqun.com:8080/hzycportal returned invalid session.
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 PolicyAgent: am_web_get_url_to_redirect(): goto URL is http://exchange.hzliqun.com:8080/hzycportal
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_get_url_to_redirect: Before invoking find_active_login_server()
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: is_server_alive(): Connection timeout set to 2
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_get_url_to_redirect: After invoking find_active_login_server()
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [http://sunam1.hzliqun.com:80/amserver/UI/Login?goto=http%3A%2F%2Fexchange.hzliqun.com%3A8080%2Fhzycportal].
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: process_access_redirect(): returning web result AM_WEB_RESULT_REDIRECT.
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: process_request(): returning web result AM_WEB_RESULT_REDIRECT, data [http://sunam1.hzliqun.com:80/amserver/UI/Login?goto=http%3A%2F%2Fexchange.hzliqun.com%3A8080%2Fhzycportal]
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_process_request(): Rendering web result AM_WEB_RESULT_REDIRECT
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_process_request(): render result function returned AM_SUCCESS.
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: get_request_url(): Host: exchange.hzliqun.com:8080
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: get_request_url(): Port is 8080.
    2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: get_request_url(): Returning request URL http://exchange.hzliqun.com:8080/hzycportal.
    2005-11-21 10:23:07.593 Warning 460:82f3d8 PolicyAgent: get_method_num(): Apache request method number did not match method string. Setting method number to match method string GET.
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: am_web_is_notification(), http://exchange.hzliqun.com:8080/hzycportal is not notification url http://exchange.hzliqun.com:8080/amagent/UpdateAgentCacheServlet?shortcircuit=false.
    2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: find_cookie(): cookie found: header [JSESSIONID=D835480D9BBF3902D562A596CC05E953; iPlanetDirectoryPro=AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%253D%2540AAJTSQACMDE%253D%2523] name [iPlanetDirectoryPro=AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%253D%2540AAJTSQACMDE%253D%2523] val [AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%253D%2540AAJTSQACMDE%253D%2523] val_len [78] next_cookie [NULL]
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: am_web_is_access_allowed(): processing url http://exchange.hzliqun.com:8080/hzycportal.
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: FqdnHandler::isValidFqdnResource() Resource => http://exchange.hzliqun.com:8080/hzycportal, is valid => true
    2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: am_web_is_access_allowed(): client_ip 10.44.202.218 not found in client ip not enforced list
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 AM_POLICY_SERVICE_NAME: am_policy_compare_urls(): compare usePatterns=true returned 3
    2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: in_not_enforced_list: enforcing access control for http://exchange.hzliqun.com:8080/hzycportal
    2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: set_host_ip_in_env_map: map_insert: client_ip=10.44.202.218
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 ServiceEngine: Executing update_policy(AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23, http://exchange.hzliqun.com:8080/hzycportal, GET, 2)
    2005-11-21 10:23:07.593 Debug 460:82f3d8 all: cookieList is not empty
    2005-11-21 10:23:07.593 Debug 460:82f3d8 all: Exit from buildCookieHeader
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="2923">
    <Request><![CDATA[
    <NamingRequest vers="1.0" reqid="2917" sessid="AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23">
    <GetNamingProfile>
    </GetNamingProfile>
    </NamingRequest>]]>
    </Request>
    </RequestSet>
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: BaseService::sendRequest Request line: POST /amserver/namingservice HTTP/1.0
    2005-11-21 10:23:07.593 Debug 460:82f3d8 NamingService: BaseService::sendRequest Cookie and Headers =Host: sunam1.hzliqun.com
    2005-11-21 10:23:07.593 Debug 460:82f3d8 NamingService: BaseService::sendRequest Content-Length =Content-Length: 346
    2005-11-21 10:23:07.593 Debug 460:82f3d8 NamingService: BaseService::sendRequest Header Suffix =Accept: text/xml
    Content-Type: text/xml; charset=UTF-8
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: BaseService::sendRequest(): Total chunks: 7.
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: BaseService::sendRequest(): Sent 7 chunks.
    And it will recycle these processes. From the logs, it seems that it cannot get the correct naming services. But the agent configuration is correct, and looks like this:
    # $Id: AMAgent.properties,v 1.86.2.6 2005/10/25 18:14:11 dknab Exp $
    # Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
    # U.S. Government Rights - Commercial software. Government users are
    # subject to the Sun Microsystems, Inc. standard license agreement and
    # applicable provisions of the FAR and its supplements. Use is subject to
    # license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
    # trademarks or registered trademarks of Sun Microsystems, Inc. in the
    # U.S. and other countries.
    # Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
    # U.S. Government rights, government users - commercial
    # software. Government users are subject to the standard license
    # agreement of Sun Microsystems, Inc., as well as to the applicable
    # provisions of the FAR (Federal Acquisition Regulations) and its
    # supplements.
    # Distributed under licenses that restrict its use. Sun, Sun
    # Microsystems, the Sun logo and Sun ONE are trademarks or
    # registered trademarks of Sun Microsystems, Inc. in the United States and
    # other countries.
    # The syntax of this file is that of a standard Java properties file,
    # see the documentation for the java.util.Properties.load method for a
    # complete description. (CAVEAT: The SDK in the parser does not currently
    # support any backslash escapes except for wrapping long lines.)
    # All property names in this file are case-sensitive.
    # NOTE: The value of a property that is specified multiple times is not
    # defined.
    # WARNING: The contents of this file are classified as an UNSTABLE
    # interface by Sun Microsystems, Inc. As such, they are subject to
    # significant, incompatible changes in any future release of the
    # software.
    # The name of the cookie passed between the Sun [TM] ONE Identity Server
    # and the SDK.
    # WARNING: Changing this property without making the corresponding change
    # to the Sun [TM] ONE Identity Server will disable the SDK.
    com.sun.am.cookieName = iPlanetDirectoryPro
    # The URL for the Sun [TM] ONE Identity Server Naming service.
    com.sun.am.namingURL = http://sunam1.hzliqun.com:80/amserver/namingservice http://sunim1.hzliqun.com:80/amserver/namingservice
    # The URL of the login page on the Sun [TM] ONE Identity Server.
    com.sun.am.policy.am.loginURL = http://sunam1.hzliqun.com:80/amserver/UI/Login http://sunim1.hzliqun.com:80/amserver/UI/Login
    #com.sun.am.policy.am.loginURL = http://sunam1.hzliqun.com:80/amserver/gateway http://sunim1.hzliqun.com:80/amserver/gateway
    # By default the agent checks if the Access Manager AUTH server is
    # active before performing the login.
    # This check can be ignored by setting the following property to true.
    # In this case the first server indicated in the loginURL property will
    # be selected, whether it is active or not.
    com.sun.am.ignore_server_check = false
    # Name of the file to use for logging messages.
    com.sun.am.logFile = D:/Apache/sun/Identity_Server/Agents/2.1/debug/apache_8080/amAgent
    # Name of the Sun [TM] ONE Identity Server log file to use for
    # logging messages to Sun [TM] ONE Identity Server.
    # Just the name of the file is needed. The directory of the file
    # is determined by settings configured on the Sun [TM] ONE Identity Server.
    com.sun.am.serverLogFile = amAuthLog.exchange.hzliqun.com.8080
    # Set the logging level for the specified logging categories.
    # The format of the values is
    #     <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
    # The currently used module names are: AuthService, NamingService,
    # PolicyService, SessionService, PolicyEngine, ServiceEngine,
    # Notification, PolicyAgent, RemoteLog and all.
    # The all module can be used to set the logging level for all currently
    # none logging modules. This will also establish the default level for
    # all subsequently created modules.
    # The meaning of the 'Level' value is described below:
    #     0     Disable logging from specified module*
    #     1     Log error messages
    #     2     Log warning and error messages
    #     3     Log info, warning, and error messages
    #     4     Log debug, info, warning, and error messages
    #     5     Like level 4, but with even more debugging messages
    # 128     log url access to log file on IS server.
    # 256     log url access to log file on local machine.
    # If level is omitted, then the logging module will be created with
    # the default logging level, which is the logging level associated with
    # the 'all' module.
    # for level of 128 and 256, you must also specify a logAccessType.
    # *Even if the level is set to zero, some messages may be produced for
    # a module if they are logged with the special level value of 'always'.
    com.sun.am.logLevels = all:5
    # The org, username and password for Agent to login to IS.
    #com.sun.am.policy.am.username = UrlAccessAgent
    com.sun.am.policy.am.username = amAdmin
    com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
    # Name of the directory containing the certificate databases for SSL.
    com.sun.am.sslCertDir = D:/Apache/sun/Identity_Server/Agents/2.1/apache/cert
    # Set this property if the certificate databases in the directory specified
    # by the previous property have a prefix.
    com.sun.am.certDbPrefix =
    # Should agent trust all server certificates when Sun [TM] ONE Identity Server
    # is running SSL?
    # Possible values are true or false.
    com.sun.am.trustServerCerts = true
    # Should the policy SDK use the Sun [TM] ONE Identity Server notification
    # mechanism to maintain the consistency of its internal cache? If the value
    # is false, then a polling mechanism is used to maintain cache consistency.
    # Possible values are true or false.
    com.sun.am.notificationEnabled = true
    # URL to which notification messages should be sent if notification is
    # enabled, see previous property.
    com.sun.am.notificationURL = http://exchange.hzliqun.com:8080/amagent/UpdateAgentCacheServlet?shortcircuit=false
    # Time in milliseconds the agent will wait to receive the
    # response from Access Manager. After the timeout, the connection
    # will be dropped.
    # A value of 0 means that the agent will wait until receiving the response.
    # WARNING: Invalid value for this property can result in
    # the resources becoming inaccessible.
    com.sun.am.receive_timeout = 0
    # This property determines whether URL string case sensitivity is
    # obeyed during policy evaluation
    com.sun.am.policy.am.urlComparison.caseIgnore = true
    # This property determines the amount of time (in minutes) an entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.policy.am.cacheEntryLifeTime=3
    # This property allows the user to configure the User Id parameter passed
    # by the session information from the identity server. The value of User
    # Id will be used by the agent to set the value of REMOTE_USER server
    # variable. By default this parameter is set to "UserToken"
    com.sun.am.policy.am.userIdParam=UserToken
    # HTTP Header attributes mode
    # String attribute mode to specify if additional policy response attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional policy attributes will be introduced.
    # HEADER - additional policy attributes will be introduced into HTTP header.
    # COOKIE - additional policy attributes will be introduced through cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.am.ldapattribute.mode=NONE
    # The policy attributes to be added to the HTTP header. The specification is
    # of the format ldap_attribute_name|http_header_name[,...]. ldap_attribute_name
    # is the attribute in data store to be fetched and http_header_name
    # is the name of the header to which the value needs to be assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.am.headerAttributes=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    # The cookie name used in iAS for sticky load balancing
    com.sun.am.policy.am.ias_SLB_cookie_name = GX_jst
    # indicate where a load balancer is used for Sun [TM] ONE Identity Server
    # services.
    # true | false
    com.sun.am.loadBalancer_enable = false
    ####Agent Configuration####
    # this is for product versioning, please do not modify it
    com.sun.am.policy.agents.version=2.1
    # Set the url access logging level. the choices are
    # LOG_NONE - do not log user access to url
    # LOG_DENY - log url access that was denied.
    # LOG_ALLOW - log url access that was allowed.
    # LOG_BOTH - log url access that was allowed or denied.
    com.sun.am.policy.agents.logAccessType = LOG_DENY
    # Agent prefix
    com.sun.am.policy.agents.agenturiprefix = http://exchange.hzliqun.com:8080/amagent
    # Locale setting.
    com.sun.am.policy.agents.locale = en_US
    # The unique identifier for this agent instance.
    com.sun.am.policy.agents.instanceName = unused
    # Do SSO only
    # Boolean attribute to indicate whether the agent will just enforce user
    # authentication (SSO) without enforcing policies (authorization)
    com.sun.am.policy.agents.do_sso_only = false
    # The URL of the access denied page. If no value is specified, then
    # the agent will return an HTTP status of 403 (Forbidden).
    com.sun.am.policy.agents.accessDeniedURL =
    # This property allows the user to configure the URL Redirect parameter
    # for different auth modules. By default this parameter is set to "goto"
    com.sun.am.policy.agents.urlRedirectParam=goto
    # Default FQDN is the fully qualified hostname that the users should use
    # in order to access resources on this web server instance. This is a
    # required configuration value without which the Web server may not
    # startup correctly.
    # The primary purpose of specifying this property is to ensure that if
    # the users try to access protected resources on this web server
    # instance without specifying the FQDN in the browser URL, the Agent
    # can take corrective action and redirect the user to the URL that
    # contains the correct FQDN.
    # This property is set during the agent installation and need not be
    # modified unless absolutely necessary to accommodate deployment
    # requirements.
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    # See also: com.sun.am.policy.agents.fqdnMap
    com.sun.am.policy.agents.fqdnDefault = exchange.hzliqun.com
    # The FQDN Map is a simple map that enables the Agent to take corrective
    # action in the case where the users may have typed in an incorrect URL
    # such as by specifying partial hostname or using an IP address to
    # access protected resources. It redirects the browser to the URL
    # with fully qualified domain name so that cookies related to the domain
    # are received by the agents.
    # The format for this property is:
    # com.sun.am.policy.agents.fqdnMap = [invalid_hostname|valid_hostname][,...]
    # This property can also be used so that the agents use the name specified
    # in this map instead of the web server's actual name. This can be
    # accomplished by doing the following.
    # Say you want your server to be addressed as xyz.hostname.com whereas the
    # actual name of the server is abc.hostname.com. The browsers only knows
    # xyz.hostname.com and you have specified polices using xyz.hostname.com at
    # the Identity Server policy console, in this file set the mapping as
    # com.sun.am.policy.agents.fqdnMap = valid|xyz.hostname.com
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    com.sun.am.policy.agents.fqdnMap =
    # Cookie Reset
    # This property must be set to true, if this agent needs to
    # reset cookies in the response before redirecting to
    # Identity Server for Authentication.
    # By default this is set to false.
    # Example : com.sun.am.policy.agents.cookie_reset_enabled=true
    com.sun.am.policy.agents.cookie_reset_enabled=false
    # This property gives the comma separated list of Cookies, that
    # need to be included in the Redirect Response to Identity Server.
    # This property is used only if the Cookie Reset feature is enabled.
    # The Cookie details need to be specified in the following Format
    # name[=value][;Domain=value]
    # If "Domain" is not specified, then the default agent domain is
    # used to set the Cookie.
    # Example : com.sun.am.policy.agents.cookie_reset_list=LtpaToken,
    # token=value;Domain=subdomain.domain.com
    com.sun.am.policy.agents.cookie_reset_list=
    # This property gives the space separated list of domains in
    # which cookies have to be set in a CDSSO scenario. This property
    # is used only if CDSSO is enabled.
    # If this property is left blank then the fully qualified cookie
    # domain for the agent server will be used for setting the cookie
    # domain. In such case it is a host cookie instead of a domain cookie.
    # Example : com.sun.am.policy.agents.cookieDomainList=.sun.com .iplanet.com
    com.sun.am.policy.agents.cookieDomainList=
    # user id returned if accessing global allow page and not authenticated
    com.sun.am.policy.agents.unauthenticatedUser=anonymous
    # Enable/Disable REMOTE_USER processing for anonymous users
    # true | false
    com.sun.am.policy.agents.anonRemoteUserEnabled=false
    # Not enforced list is the list of URLs for which no authentication is
    # required. Wildcards can be used to define a pattern of URLs.
    # The URLs specified may not contain any query parameters.
    # Each service have their own not enforced list. The service name is suffixed
    # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
    # for a particular service. SPACE is the separator between the URL.
    # com.sun.am.policy.agents.notenforcedList = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
    # Boolean attribute to indicate whether the above list is a not enforced list
    # or an enforced list; When the value is true, the list means enforced list,
    # or in other words, the whole web site is open/accessible without
    # authentication except for those URLs in the list.
    com.sun.am.policy.agents.reverse_the_meaning_of_notenforcedList = false
    # Not enforced client IP address list is a list of client IP addresses.
    # No authentication and authorization are required for the requests coming
    # from these client IP addresses. The IP address must be in the form of
    # eg: 192.168.12.2 1.1.1.1
    com.sun.am.policy.agents.notenforced_client_IP_address_list =
    # Enable POST data preservation; By default it is set to false
    com.sun.am.policy.agents.is_postdatapreserve_enabled = false
    # POST data preservation : POST cache entry lifetime in minutes,
    # After the specified interval, the entry will be dropped
    com.sun.am.policy.agents.postcacheentrylifetime = 10
    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    com.sun.am.policy.agents.cdsso-enabled=false
    # This is the URL the user will be redirected to for authentication
    # in a CDSSO Scenario.
    com.sun.am.policy.agents.cdcservletURL = http://sunam1.hzliqun.com:80/amserver/cdcservlet
    # Enable/Disable client IP address validation. This validate
    # will check if the subsequent browser requests come from the
    # same ip address that the SSO token is initially issued against
    com.sun.am.policy.agents.client_ip_validation_enable = false
    # Whether to decode the session cookie before sending it to IS.
    # Set to true if the cookie value is URL encoded, false otherwise.
    # For example, cookie values from browsers are URL encoded, and
    # some containers always returns the cookie URL encoded.
    com.sun.am.cookieEncoded = false
    # Below properties are used to define cookie prefix and cookie max age
    com.sun.am.policy.am.ldapattribute.cookiePrefix = HTTP_
    com.sun.am.policy.am.ldapattribute.cookieMaxAge = 300
    # Logout URL - application's Logout URL.
    # This URL is not enforced by policy.
    # if set, agent will intercept this URL and destroy the user's session,
    # if any. The application's logout URL will be allowed whether or not
    # the session destroy is successful.
    com.sun.am.policy.agents.logout.url=
    # Any cookies to be reset upon logout in the same format as cookie_reset_list
    com.sun.am.policy.agents.logout.cookie_reset_list =
    # Below property is reserved for future use. Please do not change the value.
    # By default, when a policy decision for a resource is needed,
    # agent gets and caches the policy decision of the resource and
    # all resource from the root of the resource down, from the Identity Server.
    # For example, if the resource is http://host/a/b/c, the root of the
    # resource is http://host/. This is because more resources from the
    # same path are likely to be accessed subsequently.
    # However this may take a long time the first time if there
    # are many many policies defined under the root resource.
    # To have agent get and cache the policy decision for the resource only,
    # set the following property to false.
    com.sun.am.policy.am.fetchFromRootResource = true
    # Whether to get the client's hostname through DNS reverse lookup for use
    # in policy evaluation.
    # It is true by default, if the property does not exist or if it is
    # any value other than false.
    com.sun.am.policy.agents.getClientHostname = true
    # The following property is to enable native encoding of
    # ldap header attributes forwarded by agents. If set to true
    # agent will encode the ldap header value in the default
    # encoding of OS locale. If set to false ldap header values
    # will be encoded in UTF-8
    com.sun.am.policy.agents.convertMbyteEnabled = false
    #When the not enforced list or policy has a wildcard '*' character, agent
    #strips the path info from the request URI and uses the resulting request
    #URI to check against the not enforced list or policy instead of the entire
    #request URI, in order to prevent someone from getting access to any URI by
    #simply appending the matching pattern in the policy or not enforced list.
    #For example, if the not enforced list has the value http://host/*.gif,
    #stripping the path info from the request URI will prevent someone from
    #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
    #However when a web server (for example Apache) is configured to be a reverse
    #proxy server for a J2EE application server, path info is interpreted in a different
    #manner since it maps to a resource on the proxy instead of the app server.
    #This prevents the not enforced list or policy from being applied to part of
    #the URI below the app server path if there is a wildcard character. For example,
    #if the not enforced list has value http://host/webapp/servcontext/* and the
    #request URL is http://host/webapp/servcontext/example.jsp the path info
    #is /servcontext/example.jsp and the resulting request URL with path info stripped
    #is http://host/webapp, which will not match the not enforced list. By setting the
    #following property to true, the path info will not be stripped from the request URL
    #even if there is a wild character in the not enforced list or policy.
    #Be aware though that if this is set to true there should be nothing following the
    #wildcard character '*' in the not enforced list or policy, or the
    #security loophole described above may occur.
    com.sun.am.ignore_path_info = false
    # Override the request url given by the web server with
    # the protocol, host or port of the agent's uri specified in
    # the com.sun.am.policy.agents.agenturiprefix property.
    # These may be needed if the agent is sitting behind a ssl off-loader,
    # load balancer, or proxy, and either the protocol (HTTP scheme),
    # hostname, or port of the machine in front of agent which users go through
    # is different from the agent's protocol, host or port.
    com.sun.am.policy.agents.overrideProtocol =
    com.sun.am.policy.agents.overrideHost =
    com.sun.am.policy.agents.overridePort =
    # Override the notification url in the same way as other request urls.
    # Set this to true if any one of the override properties above is t

    If you can add more details in your question, that'll be better.
    In my case, I initially had a pix515e with v6.1 on it, and could not get a dial tone because my SIP phone (ata186) was not registered on my proxy. But when I changed my pix to v6.2, it worked just fine. I didn't put any access-list though, as fixup does it for me already.
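
An added example, not part of the original post or of Sun's agent code: a small Python audit of the AMAgent.properties settings posted above that flags the security-relevant values and compares com.sun.am.cookieEncoded with the percent-encoding actually seen on the session cookie. The finding names, the simplified `key = value` parser, and the sample hosts, password placeholder and cookie are assumptions made for the example.

```python
"""Audit a policy agent AMAgent.properties file (added example)."""
from urllib.parse import unquote

# Constructed sample modelled on the posted file; the hosts and the password
# placeholder are not real values.
SAMPLE_PROPERTIES = """\
# The URL for the Identity Server Naming service.
com.sun.am.namingURL = http://am1.example.com:80/amserver/namingservice http://am2.example.com:80/amserver/namingservice
com.sun.am.policy.am.loginURL = http://am1.example.com:80/amserver/UI/Login
com.sun.am.logLevels = all:5
#com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.username = amAdmin
com.sun.am.policy.am.password = <ENCODED-PASSWORD-PLACEHOLDER>
com.sun.am.trustServerCerts = true
com.sun.am.policy.agents.client_ip_validation_enable = false
com.sun.am.cookieEncoded = false
"""

# Constructed cookie value carrying the same double percent-encoding (%253D)
# that the posted find_cookie() log line shows.
SAMPLE_COOKIE = "AQICconstructedToken%253D%2540AAJTSQACMDE%253D%2523"


def parse_properties(text):
    """Parse 'key = value' lines; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def encoding_layers(value, limit=5):
    """Count how many times a value can be URL-decoded before it stops changing."""
    layers = 0
    while layers < limit:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return layers


def audit(props, observed_cookie=None):
    """Return (finding_id, property, detail) tuples for risky settings."""
    findings = []
    for key in ("com.sun.am.namingURL", "com.sun.am.policy.am.loginURL"):
        plain = [u for u in props.get(key, "").split()
                 if u.lower().startswith("http://")]
        if plain:
            findings.append(("cleartext-url", key,
                             f"{len(plain)} URL(s) use http://, so session "
                             "tokens and agent credentials travel unencrypted"))
    if props.get("com.sun.am.trustServerCerts", "").lower() == "true":
        findings.append(("cert-check-off", "com.sun.am.trustServerCerts",
                         "every server certificate is trusted when SSL is used"))
    # amAdmin is the Access Manager top-level administrator account.
    if props.get("com.sun.am.policy.am.username") == "amAdmin":
        findings.append(("admin-agent-account", "com.sun.am.policy.am.username",
                         "agent logs in as the administrator instead of a "
                         "dedicated agent account"))
    for entry in props.get("com.sun.am.logLevels", "").split(","):
        module, _, level = entry.strip().partition(":")
        if level.strip() in ("4", "5"):
            findings.append(("debug-logging", "com.sun.am.logLevels",
                             f"module '{module}' logs at debug level, which "
                             "writes session cookie values to the log file"))
    ip_key = "com.sun.am.policy.agents.client_ip_validation_enable"
    if props.get(ip_key, "").lower() != "true":
        findings.append(("no-ip-binding", ip_key,
                         "SSO tokens are not tied to the issuing client IP"))
    if observed_cookie is not None:
        layers = encoding_layers(observed_cookie)
        declared = props.get("com.sun.am.cookieEncoded", "").lower() == "true"
        if layers > 0 and not declared:
            findings.append(("cookie-encoding-mismatch",
                             "com.sun.am.cookieEncoded",
                             f"cookie carries {layers} layer(s) of URL "
                             "encoding but the property says it is not encoded"))
    return findings


if __name__ == "__main__":
    for finding_id, key, detail in audit(parse_properties(SAMPLE_PROPERTIES),
                                         SAMPLE_COOKIE):
        print(f"[{finding_id}] {key}: {detail}")
```

The cookie-encoding finding is a lead to verify against the server's session log, not proof of the cause of the "invalid session" loop.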

  • Event ID 91 Could not connect to the Active Directory. Active Directory Certificate Services

    Could not connect to the Active Directory.  Active Directory Certificate Services will retry when processing requires Active Directory access.
    Event ID:      91
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          SYSTEM
    Computer:      DC1.chickbuns.com
    Description:
    Could not connect to the Active Directory.  Active Directory Certificate Services will retry when processing requires Active Directory access.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
        <EventID Qualifiers="49754">91</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-01-07T19:34:00.000000000Z" />
        <EventRecordID>819</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>DC1.chickbuns.com</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="MSG_E_DS_RETRY">
      </EventData>
    </Event>
    C:\Users\Administrator>dcdiag /fix
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = DC1
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\DC1
          Starting test: Connectivity
             ......................... DC1 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\DC1
          Starting test: Advertising
             Warning: DC1 is not advertising as a time server.
             ......................... DC1 failed test Advertising
          Starting test: FrsEvent
             ......................... DC1 passed test FrsEvent
          Starting test: DFSREvent
             ......................... DC1 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... DC1 passed test SysVolCheck
          Starting test: KccEvent
             ......................... DC1 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... DC1 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... DC1 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... DC1 passed test NCSecDesc
          Starting test: NetLogons
             ......................... DC1 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... DC1 passed test ObjectsReplicated
          Starting test: Replications
             ......................... DC1 passed test Replications
          Starting test: RidManager
             ......................... DC1 passed test RidManager
          Starting test: Services
             ......................... DC1 passed test Services
          Starting test: SystemLog
             ......................... DC1 passed test SystemLog
          Starting test: VerifyReferences
             ......................... DC1 passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : chickbuns
          Starting test: CheckSDRefDom
             ......................... chickbuns passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... chickbuns passed test CrossRefValidation
       Running enterprise tests on : chickbuns.com
          Starting test: LocatorCheck
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
             1355
             A Good Time Server could not be located.
             ......................... chickbuns.com failed test LocatorCheck
          Starting test: Intersite
             ......................... chickbuns.com passed test Intersite.

    My test lab is using one single domain controller (Server 2008 R2 SP1) and a member Exchange server. Event error 91 is generated; as per the TechNet article http://technet.microsoft.com/en-us/library/cc774525(v=ws.10).aspx, the domain computers and domain users in the Public Key Services container are not listed.
    C:\Users\Administrator>netdom /query fsmo
    Schema master               DC1.chickbuns.com
    Domain naming master        DC1.chickbuns.com
    PDC                         DC1.chickbuns.com
    RID pool manager            DC1.chickbuns.com
    Infrastructure master       DC1.chickbuns.com
    The command completed successfully.
    Command Line: "dcdiag.exe /V /D /C /E"
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       * Verifying that the local machine DC1, is a Directory Server. 
       Home Server = DC1
       * Connecting to directory service on server DC1.
       DC1.currentTime = 20140110072353.0Z
       DC1.highestCommittedUSN = 131148
       DC1.isSynchronized = 1
       DC1.isGlobalCatalogReady = 1
       * Identified AD Forest. 
       Collecting AD specific global data 
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=chickbuns,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded 
       Iterating through the sites 
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=chickbuns,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers 
       Getting information for the server CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       DC1.currentTime = 20140110072353.0Z
       DC1.highestCommittedUSN = 131148
       DC1.isSynchronized = 1
       DC1.isGlobalCatalogReady = 1
       * Identifying all NC cross-refs.
       * Found 1 DC(s). Testing 1 of them.
       Done gathering initial info.
    ===============================================Printing out pDsInfo
    GLOBAL:
    ulNumServers=1
    pszRootDomain=chickbuns.com
    pszNC=
    pszRootDomainFQDN=DC=chickbuns,DC=com
    pszConfigNc=CN=Configuration,DC=chickbuns,DC=com
    pszPartitionsDn=CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
    fAdam=0
    iSiteOptions=0
    dwTombstoneLifeTimeDays=180
    dwForestBehaviorVersion=3
    HomeServer=0, DC1
    SERVER: pServer[0].pszName=DC1
    pServer[0].pszGuidDNSName (binding str)=771aab3d-96cd-4fb1-90cd-0899fa6b6207._msdcs.chickbuns.com
    pServer[0].pszDNSName=DC1.chickbuns.com
    pServer[0].pszLdapPort=(null)
    pServer[0].pszSslPort=(null)
    pServer[0].pszDn=CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
    pServer[0].pszComputerAccountDn=CN=DC1,OU=Domain Controllers,DC=chickbuns,DC=com
    pServer[0].uuidObjectGuid=771aab3d-96cd-4fb1-90cd-0899fa6b6207
    pServer[0].uuidInvocationId=771aab3d-96cd-4fb1-90cd-0899fa6b6207
    pServer[0].iSite=0 (Default-First-Site-Name)
    pServer[0].iOptions=1
    pServer[0].ftLocalAcquireTime=ea9513a0 01cf0dd4 
    pServer[0].ftRemoteConnectTime=ea2bca80 01cf0dd4 
    pServer[0].ppszMaster/FullReplicaNCs:
    ppszMaster/FullReplicaNCs[0]=DC=ForestDnsZones,DC=chickbuns,DC=com
    ppszMaster/FullReplicaNCs[1]=DC=DomainDnsZones,DC=chickbuns,DC=com
    ppszMaster/FullReplicaNCs[2]=CN=Schema,CN=Configuration,DC=chickbuns,DC=com
    ppszMaster/FullReplicaNCs[3]=CN=Configuration,DC=chickbuns,DC=com
    ppszMaster/FullReplicaNCs[4]=DC=chickbuns,DC=com
    SITES:  pSites[0].pszName=Default-First-Site-Name
    pSites[0].pszSiteSettings=CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
    pSites[0].pszISTG=CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
    pSites[0].iSiteOption=0
    pSites[0].cServers=1
    NC:     pNCs[0].pszName=ForestDnsZones
    pNCs[0].pszDn=DC=ForestDnsZones,DC=chickbuns,DC=com
    pNCs[0].aCrInfo[0].dwFlags=0x00000201
    pNCs[0].aCrInfo[0].pszDn=CN=5fc582f9-b435-49a1-aa54-41769fc24206,CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
    pNCs[0].aCrInfo[0].pszDnsRoot=ForestDnsZones.chickbuns.com
    pNCs[0].aCrInfo[0].iSourceServer=0
    pNCs[0].aCrInfo[0].pszSourceServer=(null)
    pNCs[0].aCrInfo[0].ulSystemFlags=0x00000005
    pNCs[0].aCrInfo[0].bEnabled=TRUE
    pNCs[0].aCrInfo[0].ftWhenCreated=00000000 00000000
    pNCs[0].aCrInfo[0].pszSDReferenceDomain=(null)
    pNCs[0].aCrInfo[0].pszNetBiosName=(null)
    pNCs[0].aCrInfo[0].cReplicas=-1
    pNCs[0].aCrInfo[0].aszReplicas=
    NC:     pNCs[1].pszName=DomainDnsZones
    pNCs[1].pszDn=DC=DomainDnsZones,DC=chickbuns,DC=com
    pNCs[1].aCrInfo[0].dwFlags=0x00000201
    pNCs[1].aCrInfo[0].pszDn=CN=9e1c2cb8-b90b-4e9f-90dd-9903f935e4af,CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
    pNCs[1].aCrInfo[0].pszDnsRoot=DomainDnsZones.chickbuns.com
    pNCs[1].aCrInfo[0].iSourceServer=0
    pNCs[1].aCrInfo[0].pszSourceServer=(null)
    pNCs[1].aCrInfo[0].ulSystemFlags=0x00000005
    pNCs[1].aCrInfo[0].bEnabled=TRUE
    pNCs[1].aCrInfo[0].ftWhenCreated=00000000 00000000
    pNCs[1].aCrInfo[0].pszSDReferenceDomain=(null)
    pNCs[1].aCrInfo[0].pszNetBiosName=(null)
    pNCs[1].aCrInfo[0].cReplicas=-1
    pNCs[1].aCrInfo[0].aszReplicas=
    NC:     pNCs[2].pszName=Schema
    pNCs[2].pszDn=CN=Schema,CN=Configuration,DC=chickbuns,DC=com
    pNCs[2].aCrInfo[0].dwFlags=0x00000201
    pNCs[2].aCrInfo[0].pszDn=CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
    pNCs[2].aCrInfo[0].pszDnsRoot=chickbuns.com
    pNCs[2].aCrInfo[0].iSourceServer=0
    pNCs[2].aCrInfo[0].pszSourceServer=(null)
    pNCs[2].aCrInfo[0].ulSystemFlags=0x00000001
    pNCs[2].aCrInfo[0].bEnabled=TRUE
    pNCs[2].aCrInfo[0].ftWhenCreated=00000000 00000000
    pNCs[2].aCrInfo[0].pszSDReferenceDomain=(null)
    pNCs[2].aCrInfo[0].pszNetBiosName=(null)
    pNCs[2].aCrInfo[0].cReplicas=-1
    pNCs[2].aCrInfo[0].aszReplicas=
    NC:     pNCs[3].pszName=Configuration
    pNCs[3].pszDn=CN=Configuration,DC=chickbuns,DC=com
    pNCs[3].aCrInfo[0].dwFlags=0x00000201
    pNCs[3].aCrInfo[0].pszDn=CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
    pNCs[3].aCrInfo[0].pszDnsRoot=chickbuns.com
    pNCs[3].aCrInfo[0].iSourceServer=0
    pNCs[3].aCrInfo[0].pszSourceServer=(null)
    pNCs[3].aCrInfo[0].ulSystemFlags=0x00000001
    pNCs[3].aCrInfo[0].bEnabled=TRUE
    pNCs[3].aCrInfo[0].ftWhenCreated=00000000 00000000
    pNCs[3].aCrInfo[0].pszSDReferenceDomain=(null)
    pNCs[3].aCrInfo[0].pszNetBiosName=(null)
    pNCs[3].aCrInfo[0].cReplicas=-1
    pNCs[3].aCrInfo[0].aszReplicas=
    NC:     pNCs[4].pszName=chickbuns
    pNCs[4].pszDn=DC=chickbuns,DC=com
    pNCs[4].aCrInfo[0].dwFlags=0x00000201
    pNCs[4].aCrInfo[0].pszDn=CN=CHICKBUNS,CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
    pNCs[4].aCrInfo[0].pszDnsRoot=chickbuns.com
    pNCs[4].aCrInfo[0].iSourceServer=0
    pNCs[4].aCrInfo[0].pszSourceServer=(null)
    pNCs[4].aCrInfo[0].ulSystemFlags=0x00000003
    pNCs[4].aCrInfo[0].bEnabled=TRUE
    pNCs[4].aCrInfo[0].ftWhenCreated=00000000 00000000
    pNCs[4].aCrInfo[0].pszSDReferenceDomain=(null)
    pNCs[4].aCrInfo[0].pszNetBiosName=(null)
    pNCs[4].aCrInfo[0].cReplicas=-1
    pNCs[4].aCrInfo[0].aszReplicas=
    5 NC TARGETS: ForestDnsZones, DomainDnsZones, Schema, Configuration, chickbuns, 
    1 TARGETS: DC1, 
    =============================================Done Printing pDsInfo
    Doing initial required tests
       Testing server: Default-First-Site-Name\DC1
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             Determining IP4 connectivity 
             Failure Analysis: DC1 ... OK.
             * Active Directory RPC Services Check
             ......................... DC1 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\DC1
          Starting test: Advertising
             The DC DC1 is advertising itself as a DC and having a DS.
             The DC DC1 is advertising as an LDAP server
             The DC DC1 is advertising as having a writeable directory
             The DC DC1 is advertising as a Key Distribution Center
             The DC DC1 is advertising as a time server
             The DS DC1 is advertising as a GC.
             ......................... DC1 passed test Advertising
          Starting test: CheckSecurityError
             * Dr Auth:  Beginning security errors check!
             Found KDC DC1 for domain chickbuns.com in site Default-First-Site-Name
             Checking machine account for DC DC1 on DC DC1.
             * SPN found :LDAP/DC1.chickbuns.com/chickbuns.com
             * SPN found :LDAP/DC1.chickbuns.com
             * SPN found :LDAP/DC1
             * SPN found :LDAP/DC1.chickbuns.com/CHICKBUNS
             * SPN found :LDAP/771aab3d-96cd-4fb1-90cd-0899fa6b6207._msdcs.chickbuns.com
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/771aab3d-96cd-4fb1-90cd-0899fa6b6207/chickbuns.com
             * SPN found :HOST/DC1.chickbuns.com/chickbuns.com
             * SPN found :HOST/DC1.chickbuns.com
             * SPN found :HOST/DC1
             * SPN found :HOST/DC1.chickbuns.com/CHICKBUNS
             * SPN found :GC/DC1.chickbuns.com/chickbuns.com
             [DC1] No security related replication errors were found on this DC!
             To target the connection to a specific source DC use /ReplSource:<DC>.
             ......................... DC1 passed test CheckSecurityError
          Starting test: CutoffServers
             * Configuration Topology Aliveness Check
             * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=chickbuns,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=chickbuns,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=chickbuns,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the alive system replication topology for CN=Configuration,DC=chickbuns,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the alive system replication topology for DC=chickbuns,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             ......................... DC1 passed test CutoffServers
          Starting test: FrsEvent
             * The File Replication Service Event log test 
             Skip the test because the server is running DFSR.
             ......................... DC1 passed test FrsEvent
          Starting test: DFSREvent
             The DFS Replication Event Log. 
             ......................... DC1 passed test DFSREvent
          Starting test: SysVolCheck
             * The File Replication Service SYSVOL ready test 
             File Replication Service's SYSVOL is ready 
             ......................... DC1 passed test SysVolCheck
          Starting test: FrsSysVol
             * The File Replication Service SYSVOL ready test 
             File Replication Service's SYSVOL is ready 
             ......................... DC1 passed test FrsSysVol
          Starting test: KccEvent
             * The KCC Event log test
             Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
             ......................... DC1 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             Role Schema Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
             Role Domain Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
             Role PDC Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
             Role Rid Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
             Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
             ......................... DC1 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             Checking machine account for DC DC1 on DC DC1.
             * SPN found :LDAP/DC1.chickbuns.com/chickbuns.com
             * SPN found :LDAP/DC1.chickbuns.com
             * SPN found :LDAP/DC1
             * SPN found :LDAP/DC1.chickbuns.com/CHICKBUNS
             * SPN found :LDAP/771aab3d-96cd-4fb1-90cd-0899fa6b6207._msdcs.chickbuns.com
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/771aab3d-96cd-4fb1-90cd-0899fa6b6207/chickbuns.com
             * SPN found :HOST/DC1.chickbuns.com/chickbuns.com
             * SPN found :HOST/DC1.chickbuns.com
             * SPN found :HOST/DC1
             * SPN found :HOST/DC1.chickbuns.com/CHICKBUNS
             * SPN found :GC/DC1.chickbuns.com/chickbuns.com
             ......................... DC1 passed test MachineAccount
          Starting test: NCSecDesc
             * Security Permissions check for all NC's on DC DC1.
             * Security Permissions Check for
               DC=ForestDnsZones,DC=chickbuns,DC=com
                (NDNC,Version 3)
             * Security Permissions Check for
               DC=DomainDnsZones,DC=chickbuns,DC=com
                (NDNC,Version 3)
             * Security Permissions Check for
               CN=Schema,CN=Configuration,DC=chickbuns,DC=com
                (Schema,Version 3)
             * Security Permissions Check for
               CN=Configuration,DC=chickbuns,DC=com
                (Configuration,Version 3)
             * Security Permissions Check for
               DC=chickbuns,DC=com
                (Domain,Version 3)
             ......................... DC1 passed test NCSecDesc
          Starting test: NetLogons
             * Network Logons Privileges Check
             Verified share \\DC1\netlogon
             Verified share \\DC1\sysvol
             ......................... DC1 passed test NetLogons
          Starting test: ObjectsReplicated
             DC1 is in domain DC=chickbuns,DC=com
             Checking for CN=DC1,OU=Domain Controllers,DC=chickbuns,DC=com in domain DC=chickbuns,DC=com on 1 servers
                Object is up-to-date on all servers.
             Checking for CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com in domain CN=Configuration,DC=chickbuns,DC=com on 1 servers
                Object is up-to-date on all servers.
             ......................... DC1 passed test ObjectsReplicated
          Starting test: OutboundSecureChannels
             * The Outbound Secure Channels test
             ** Did not run Outbound Secure Channels test because /testdomain: was
             not entered
             ......................... DC1 passed test OutboundSecureChannels
          Starting test: Replications
             * Replications Check
             DC=ForestDnsZones,DC=chickbuns,DC=com has 1 cursors.
             DC=DomainDnsZones,DC=chickbuns,DC=com has 1 cursors.
             CN=Schema,CN=Configuration,DC=chickbuns,DC=com has 1 cursors.
             CN=Configuration,DC=chickbuns,DC=com has 1 cursors.
             DC=chickbuns,DC=com has 1 cursors.
             * Replication Latency Check
             ......................... DC1 passed test Replications
          Starting test: RidManager
             ridManagerReference = CN=RID Manager$,CN=System,DC=chickbuns,DC=com
             * Available RID Pool for the Domain is 1600 to 1073741823
             fSMORoleOwner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
             * DC1.chickbuns.com is the RID Master
             * DsBind with RID Master was successful
             rIDSetReferences = CN=RID Set,CN=DC1,OU=Domain Controllers,DC=chickbuns,DC=com
             * rIDAllocationPool is 1100 to 1599
             * rIDPreviousAllocationPool is 1100 to 1599
             * rIDNextRID: 1103
             ......................... DC1 passed test RidManager
          Starting test: Services
             * Checking Service: EventSystem
             * Checking Service: RpcSs
             * Checking Service: NTDS
             * Checking Service: DnsCache
             * Checking Service: DFSR
             * Checking Service: IsmServ
             * Checking Service: kdc
             * Checking Service: SamSs
             * Checking Service: LanmanServer
             * Checking Service: LanmanWorkstation
             * Checking Service: w32time
             * Checking Service: NETLOGON
             ......................... DC1 passed test Services
          Starting test: SystemLog
             * The System Event log test
             Found no errors in "System" Event log in the last 60 minutes.
             ......................... DC1 passed test SystemLog
          Starting test: Topology
             * Configuration Topology Integrity Check
             * Analyzing the connection topology for DC=ForestDnsZones,DC=chickbuns,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for DC=DomainDnsZones,DC=chickbuns,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=chickbuns,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for CN=Configuration,DC=chickbuns,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for DC=chickbuns,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             ......................... DC1 passed test Topology
          Starting test: VerifyEnterpriseReferences
             ......................... DC1 passed test VerifyEnterpriseReferences
          Starting test: VerifyReferences
             The system object reference (serverReference)
             CN=DC1,OU=Domain Controllers,DC=chickbuns,DC=com and backlink on
             CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
             are correct. 
             The system object reference (serverReferenceBL)
             CN=DC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=chickbuns,DC=com
             and backlink on
             CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
             are correct. 
             The system object reference (msDFSR-ComputerReferenceBL)
             CN=DC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=chickbuns,DC=com
             and backlink on CN=DC1,OU=Domain Controllers,DC=chickbuns,DC=com are
             correct. 
             ......................... DC1 passed test VerifyReferences
          Starting test: VerifyReplicas
             ......................... DC1 passed test VerifyReplicas
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             See DNS test in enterprise tests section for results
             ......................... DC1 passed test DNS
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : chickbuns
          Starting test: CheckSDRefDom
             ......................... chickbuns passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... chickbuns passed test CrossRefValidation
       Running enterprise tests on : chickbuns.com
          Starting test: DNS
             Test results for domain controllers:
                DC: DC1.chickbuns.com
                Domain: chickbuns.com
                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed
                   TEST: Basic (Basc)
                      The OS
                      Microsoft Windows Server 2008 R2 Enterprise  (Service Pack level: 1.0)
                      is supported.
                      NETLOGON service is running
                      kdc service is running
                      DNSCACHE service is running
                      DNS service is running
                      DC is a DNS server
                      Network adapters information:
                      Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:
                         MAC address is 00:0C:29:DE:7F:EB
                         IP Address is static 
                         IP address: 192.168.1.30
                         DNS servers:
                            192.168.1.30 (dc1.chickbuns.com.) [Valid]
                      The A host record(s) for this DC was found
                      The SOA record for the Active Directory zone was found
                      The Active Directory zone on this DC/DNS server was found primary
                      Root zone on this DC/DNS server was not found
                   TEST: Forwarders/Root hints (Forw)
                      Recursion is enabled
                      Forwarders Information: 
                         192.168.1.1 (<name unavailable>) [Valid] 
                   TEST: Delegations (Del)
                      Delegation information for the zone: chickbuns.com.
                         Delegated domain name: _msdcs.chickbuns.com.
                            DNS server: dc1.chickbuns.com. IP:192.168.1.30 [Valid]
                   TEST: Dynamic update (Dyn)
                      Test record dcdiag-test-record added successfully in zone chickbuns.com
                      Test record dcdiag-test-record deleted successfully in zone chickbuns.com
                   TEST: Records registration (RReg)
                      Network Adapter
                      [00000007] Intel(R) PRO/1000 MT Network Connection:
                         Matching CNAME record found at DNS server 192.168.1.30:
                         771aab3d-96cd-4fb1-90cd-0899fa6b6207._msdcs.chickbuns.com
                         Matching A record found at DNS server 192.168.1.30:
                         DC1.chickbuns.com
                         Matching  SRV record found at DNS server 192.168.1.30:
                         _ldap._tcp.chickbuns.com
                         Matching  SRV record found at DNS server 192.168.1.30:
                         _ldap._tcp.48c41195-2630-4461-aaef-ec2a63cd8bf3.domains._msdcs.chickbuns.com
                         Matching  SRV record found at DNS server 192.168.1.30:
                         _kerberos._tcp.dc._msdcs.chickbuns.com
                         Matching  SRV record found at DNS server 192.168.1.30:
                         _ldap._tcp.dc._msdcs.chickbuns.com
                         Matching  SRV record found at DNS server 192.168.1.30:
                         _kerberos._tcp.chickbuns.com
                         Matching  SRV record found at DNS server 192.168.1.30:
                         _kerberos._udp.chickbuns.com
                         Matching  SRV record found at DNS server 192.168.1.30:
                         _kpasswd._tcp.chickbuns.com
                         Matching  SRV record found at DNS server 192.168.1.30:
                         _ldap._tcp.Default-First-Site-Name._sites.chickbuns.com
                         Matching  SRV record found at DNS server 192.168.1.30:
                         _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.chickbuns.com
                         Matching  SRV record found at DNS server 192.168.1.30:
                         _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.chickbuns.com
                         Matching  SRV record found at DNS server 192.168.1.30:
                         _kerberos._tcp.Default-First-Site-Name._sites.chickbuns.com
                         Matching  SRV record found at DNS server 192.168.1.30:
                         _ldap._tcp.gc._msdcs.chickbuns.com
                         Matching A record found at DNS server 192.168.1.30:
                         gc._msdcs.chickbuns.com
                         Matching  SRV record found at DNS server 192.168.1.30:
                         _gc._tcp.Default-First-Site-Name._sites.chickbuns.com
                         Matching  SRV record found at DNS server 192.168.1.30:
                         _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.chickbuns.com
                         Matching  SRV record found at DNS server 192.168.1.30:
                         _ldap._tcp.pdc._msdcs.chickbuns.com
                   Total query time:0 min. 3 sec.. Total RPC connection
                   time:0 min. 0 sec.
                   Total WMI connection time:0 min. 6 sec. Total Netuse connection
                   time:0 min. 0 sec.
             Summary of test results for DNS servers used by the above domain
             controllers:
                DNS server: 192.168.1.1 (<name unavailable>)
                   All tests passed on this DNS server
                   Total query time:0 min. 0 sec., Total WMI connection
                   time:0 min. 5 sec.
                DNS server: 192.168.1.30 (dc1.chickbuns.com.)
                   All tests passed on this DNS server
                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered 
                   DNS delegation for the domain  _msdcs.chickbuns.com. is operational on IP 192.168.1.30
                   Total query time:0 min. 3 sec., Total WMI connection
                   time:0 min. 0 sec.
             Summary of DNS test results:
                                                Auth Basc Forw Del  Dyn  RReg Ext
                Domain: chickbuns.com
                   DC1                          PASS PASS PASS PASS PASS PASS n/a  
             Total Time taken to test all the DCs:0 min. 9 sec.
             ......................... chickbuns.com passed test DNS
          Starting test: LocatorCheck
             GC Name: \\DC1.chickbuns.com
             Locator Flags: 0xe00033fd
             PDC Name: \\DC1.chickbuns.com
             Locator Flags: 0xe00033fd
             Time Server Name: \\DC1.chickbuns.com
             Locator Flags: 0xe00033fd
             Preferred Time Server Name: \\DC1.chickbuns.com
             Locator Flags: 0xe00033fd
             KDC Name: \\DC1.chickbuns.com
             Locator Flags: 0xe00033fd
             ......................... chickbuns.com passed test LocatorCheck
          Starting test: FsmoCheck
             GC Name: \\DC1.chickbuns.com
             Locator Flags: 0xe00033fd
             PDC Name: \\DC1.chickbuns.com
             Locator Flags: 0xe00033fd
             Time Server Name: \\DC1.chickbuns.com
             Locator Flags: 0xe00033fd
             Preferred Time Server Name: \\DC1.chickbuns.com
             Locator Flags: 0xe00033fd
             KDC Name: \\DC1.chickbuns.com
             Locator Flags: 0xe00033fd
             ......................... chickbuns.com passed test FsmoCheck
          Starting test: Intersite
             Skipping site Default-First-Site-Name, this site is outside the scope
             provided by the command line arguments provided. 
             ......................... chickbuns.com passed test Intersite

  • Issue Password-less SSH:  Sun OpenDS 2.0 as Naming Service

    We are in the final phase of a proof of concept for Sun OpenDS as the naming service for an important customer and are facing a problem with password-less SSH. We narrowed the problem down to the password policy specifying a value for password maximum age. SSH succeeds with "0" (zero) but requires a password if the value is different from 0.
    Any help in getting a resolution is greatly appreciated, as this is a road block now.
    The following information is gathered.
    The test is performed from a host thud which is set up as an ldapclient.
    thud 275 ssh thud -i .ssh/thud
    Password:
    Last login: Tue Oct 13 06:57:01 2009 from xxx
    Apparent reason (trimmed):
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Trying public key: .ssh/thud
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Server accepts key: pkalg ssh-dss blen 434 lastkey 1166d0 hint 0
    debug2: input_userauth_pk_ok: fp 07:15:b3:07:8d:da:b3:c8:34:d0:34:91:60:77:e0:39
    debug3: sign_and_send_pubkey
    debug1: read PEM private key done: type DSA
    debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup keyboard-interactive
    debug3: remaining preferred: password
    debug3: authmethod_is_enabled keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    Password:
    Corresponding debug info from server (thud):
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: userauth-request for user doejohn service ssh-connection method publickey
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: test whether pkalg/pkblob are acceptable
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: temporarily_use_uid: 6147/150 (e=0/1)
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: trying public key file /home/doejohn/.ssh/authorized_keys
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: matching key found: file /home/doejohn/.ssh/authorized_keys, line 2
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.info] Found matching DSA key: 07:15:b3:07:8d:da:b3:c8:34:d0:34:91:60:77:e0:39
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: restore_uid: 0/1
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: userauth-request for user doejohn service ssh-connection method publickey
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: attempt 2 initial attempt 0 failures 1 initial failures 0
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: temporarily_use_uid: 6147/150 (e=0/1)
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: trying public key file /home/doejohn/.ssh/authorized_keys
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: matching key found: file /home/doejohn/.ssh/authorized_keys, line 2
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.info] Found matching DSA key: 07:15:b3:07:8d:da:b3:c8:34:d0:34:91:60:77:e0:39
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: restore_uid: 0/1
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: ssh_dss_verify: signature correct
    Oct 13 07:29:36 thud sshd[21187]: [ID 966290 auth.debug] PAM[21187]: pam_start(sshd-pubkey,doejohn,0:179560) - debug = 1
    Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:service)
    Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:user)
    Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:conv)
    Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:rhost)
    Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:tty)
    Oct 13 07:29:36 thud sshd[21187]: [ID 665327 auth.debug] PAM[21187]: pam_acct_mgmt(179560, 0)
    Oct 13 07:29:36 thud sshd[21187]: [ID 118111 auth.debug] PAM[21187]: load_modules(179560, pam_sm_acct_mgmt)=/usr/lib/security/pam_roles.so.1
    Oct 13 07:29:36 thud sshd[21187]: [ID 143372 auth.debug] PAM[21187]: load_function: successful load of pam_sm_acct_mgmt
    Oct 13 07:29:36 thud sshd[21187]: [ID 118111 auth.debug] PAM[21187]: load_modules(179560, pam_sm_acct_mgmt)=/usr/lib/security/pam_projects.so.1
    Oct 13 07:29:36 thud sshd[21187]: [ID 143372 auth.debug] PAM[21187]: load_function: successful load of pam_sm_acct_mgmt
    Oct 13 07:29:36 thud sshd[21187]: [ID 118111 auth.debug] PAM[21187]: load_modules(179560, pam_sm_acct_mgmt)=/usr/lib/security/pam_unix_account.so.1
    Oct 13 07:29:36 thud sshd[21187]: [ID 143372 auth.debug] PAM[21187]: load_function: successful load of pam_sm_acct_mgmt
    Oct 13 07:29:36 thud sshd[21187]: [ID 118111 auth.debug] PAM[21187]: load_modules(179560, pam_sm_acct_mgmt)=/usr/lib/security/pam_ldap.so.1
    Oct 13 07:29:36 thud sshd[21187]: [ID 143372 auth.debug] PAM[21187]: load_function: successful load of pam_sm_acct_mgmt
    Oct 13 07:29:36 thud sshd[21187]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    Oct 13 07:29:36 thud sshd[21187]: [ID 267958 auth.debug] pam_unix_account: doejohn: Ignore module
    Oct 13 07:29:36 thud sshd[21187]: [ID 545954 auth.debug] libsldap: more_info is empty, using default values
    Oct 13 07:29:36 thud sshd[21187]: [ID 340006 auth.debug] PAM[21187]: pam_acct_mgmt(179560, 0): error Authentication failed
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.notice] Failed publickey for doejohn from 172.16.1.207 port 44363 ssh2
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: userauth-request for user doejohn service ssh-connection method keyboard-interactive
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: attempt 3 initial attempt 0 failures 3 initial failures 0
    Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: keyboard-interactive devs
    Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:conv)
    Oct 13 07:29:36 thud sshd[21187]: [ID 873394 auth.debug] PAM[21187]: pam_end(179560): status = Authentication failed
    Sending the Account Usability control on the server returns:
    "The account is not usable"
    solaris-z1 487 # ldapsearch -D 'cn=directory manager' -w xxx -b 'dc=texas,dc=net' -J "accountUsability:true" uid=doejohn
    # Account Usability Response Control
    # The account is not usable
    dn: uid=doejohn,ou=eng,ou=People,dc=texas,dc=net
    uid: doejohn
    shadowLastChange: 14480
    loginShell: /bin/ksh
    userPassword: {CRYPT}GOUlmnz01bJbwcY69Btp2sIRJrLf+5RtAj4oug==
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: shadowAccount
    objectClass: IEEPerson
    objectClass: posixAccount
    objectClass: top
    givenName: John
    cn: John Doe
    sn: Doe
    telephoneNumber: ...
    gecos: ...
    homeDirectory: /home/doejohn
    mail: [email protected]
    uidNumber: 6147
    gidNumber: 150
    manager: ...
    For someone with a different password policy (max age is 0) the account is usable.
    Ldapclient is running on a SPARC, Solaris 9 system; the Sun OpenDS 2.0 is running on Solaris 10 Sparc.
    Password-less ssh works as expected when using a system not using LDAP.

    See https://opends.dev.java.net/servlets/ProjectForumMessageView?messageID=31827&forumID=3292.
    Regards,
    Ludovic.
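
In the server log above, the key signature is verified (`ssh_dss_verify: signature correct`) before `pam_acct_mgmt` returns an error, so the `Failed publickey` line comes from the PAM account phase rather than from the key itself. The following Python triage script is an added example, not part of the original post: it separates those two causes in sshd/PAM debug logs of this format. The first session is abridged from the post; the second (pid 30001, user `roejane`, address 192.0.2.10) is constructed.

```python
import re

# Abridged from the sshd/PAM debug log in the post (pid 21187), plus one
# constructed session (pid 30001, user "roejane") where no key was verified.
SAMPLE_LOG = """\
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.info] Found matching DSA key: 07:15:b3:07:8d:da:b3:c8:34:d0:34:91:60:77:e0:39
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: ssh_dss_verify: signature correct
Oct 13 07:29:36 thud sshd[21187]: [ID 665327 auth.debug] PAM[21187]: pam_acct_mgmt(179560, 0)
Oct 13 07:29:36 thud sshd[21187]: [ID 340006 auth.debug] PAM[21187]: pam_acct_mgmt(179560, 0): error Authentication failed
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.notice] Failed publickey for doejohn from 172.16.1.207 port 44363 ssh2
Oct 13 07:31:02 thud sshd[30001]: [ID 800047 auth.debug] debug1: trying public key file /home/roejane/.ssh/authorized_keys
Oct 13 07:31:02 thud sshd[30001]: [ID 800047 auth.notice] Failed publickey for roejane from 192.0.2.10 port 50022 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: \[ID \d+ [\w.]+\] (?P<msg>.*)$")
FAILED = re.compile(r"Failed publickey for (?P<user>\S+) from (?P<ip>\S+)")
ACCT_ERR = re.compile(r"pam_acct_mgmt\([^)]*\): error (?P<err>.+)$")


def classify_pubkey_failures(log_text):
    """Return one finding per 'Failed publickey' line, with the likely cause."""
    state = {}      # sshd pid -> {"sig_ok": bool, "acct_err": str or None}
    findings = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        s = state.setdefault(pid, {"sig_ok": False, "acct_err": None})
        if "signature correct" in msg:
            s["sig_ok"] = True
        elif (e := ACCT_ERR.search(msg)):
            s["acct_err"] = e.group("err")
        elif (f := FAILED.search(msg)):
            if s["sig_ok"] and s["acct_err"]:
                cause = "account_check"   # key verified; PAM account phase refused
            else:
                cause = "key_rejected"    # no verified signature was seen
            findings.append({"pid": pid, "user": f.group("user"),
                             "ip": f.group("ip"), "cause": cause,
                             "pam_error": s["acct_err"]})
            state[pid] = {"sig_ok": False, "acct_err": None}  # reset for retries
    return findings


if __name__ == "__main__":
    for finding in classify_pubkey_failures(SAMPLE_LOG):
        print(finding)
```

An `account_check` result points at the directory-side account state (here, the password policy and the Account Usability response) rather than at `authorized_keys` or key permissions.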
