Directory Server Authentication

Hi,
In iPlanet Directory Server 5.1, is there any facility to find the users who are logged in already? We want to prevent the same user from logging in a second time from some other system.
Thanks in advance

Hi,
> In iPlanet Directory Server 5.1, is there any facility to find the users who are logged in already?
No.
> We want to prevent the same user from logging in a second time from some other system.
You will need the Sun ONE Directory Proxy Server 5.2 for this functionality. See:
http://wwws.sun.com/software/products/directory_proxy/home_dir_proxy.html
Alternatively, you could develop a pre-operation plugin to achieve this.
Bertold
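The pre-operation plugin route Bertold mentions comes down to a small piece of policy: before a bind is processed, decide whether the DN already has a live session from another client. The following is an added example written for this page; it is not the iPlanet/Sun Directory Server plugin API and not code from this thread. It models only that decision, with two details that matter in practice: a user is "logged in" only while the LDAP connection that bound is open, so sessions must be released on disconnect and expire when idle, and the pre-bind hook runs before the password is checked, so a rejected bind must not leave a session behind (otherwise wrong-password attempts from another host would lock the real user out). The result codes are the standard LDAP values; everything else (class and method names, the 900-second idle timeout) is an assumption of this example.

```python
"""Policy logic of a 'one login per user' pre-bind check (illustrative only;
not the Directory Server plugin API)."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

LDAP_SUCCESS = 0                 # standard LDAP result codes
LDAP_UNWILLING_TO_PERFORM = 53   # returned to veto the bind


def normalize_dn(dn: str) -> str:
    """Fold case and strip spaces around RDN separators so that
    'uid=Bob, ou=People,dc=example,dc=com' and 'uid=bob,ou=people,...'
    are treated as the same identity."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass
class Session:
    client: str       # source address of the bound connection
    conn_id: int      # server-side connection identifier
    last_seen: float  # timestamp of the last bind on this session


class ConcurrentLoginGuard:
    def __init__(self, idle_timeout: float = 900.0) -> None:
        self.idle_timeout = idle_timeout          # assumed default
        self._sessions: Dict[str, Session] = {}

    def _expire(self, now: float) -> None:
        # Drop sessions whose connection silently died (no disconnect seen).
        for dn in [d for d, s in self._sessions.items()
                   if now - s.last_seen > self.idle_timeout]:
            del self._sessions[dn]

    def pre_bind(self, bind_dn: str, client: str, conn_id: int,
                 now: Optional[float] = None) -> int:
        """Pre-operation check; returns an LDAP result code.
        Anonymous binds (empty DN) are not tracked."""
        if not bind_dn:
            return LDAP_SUCCESS
        now = time.monotonic() if now is None else now
        self._expire(now)
        dn = normalize_dn(bind_dn)
        live = self._sessions.get(dn)
        if live is not None and live.client != client:
            return LDAP_UNWILLING_TO_PERFORM   # already logged in elsewhere
        # First login, or the same client binding again: record/refresh.
        self._sessions[dn] = Session(client, conn_id, now)
        return LDAP_SUCCESS

    def bind_failed(self, bind_dn: str, conn_id: int) -> None:
        """Cleanup hook for when the password check rejected the bind."""
        self._drop(bind_dn, conn_id)

    def on_disconnect(self, bind_dn: str, conn_id: int) -> None:
        """Release the session when the bound connection closes."""
        self._drop(bind_dn, conn_id)

    def _drop(self, bind_dn: str, conn_id: int) -> None:
        dn = normalize_dn(bind_dn)
        live = self._sessions.get(dn)
        if live is not None and live.conn_id == conn_id:
            del self._sessions[dn]

    def active_users(self) -> List[str]:
        """The 'who is logged in right now' view the question asked for."""
        return sorted(self._sessions)
```

Note that this answers the original question only for clients that bind as the user's own DN; applications that bind once with a service account and verify users some other way never appear in the registry, which is one reason the proxy server is the more complete answer.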

Similar Messages

  • Lion Server problem - Computer is already a network directory server

    So I purchased Lion Server to trial it at home and it is not going well. Initially I was having issues connecting to the web interfaces for profile manager, etc. The server was not responding and so I uninstalled server and reinstalled it from the Mac Store (FYI: Apple has charged me for the OS and the server app as a result of this for some reason!!!)
    With Server reinstalled I went to set up the server as a network directory and am shown this message every time I try to set up the directory admin account: "Computer is already a network directory server - This computer is already configured to manage network accounts. It cannot be configured again."
    This leaves me unable to set up any profile or device management, I have tried the following solutions:
    Uninstall and reinstall server
    Deleted ServerVersion plist
    Reinstalled Lion
    Reinstalled Lion with format of HDD (although I did recover from a Time Machine Backup which included settings)
    Any help would be appreciated.

    Sorry I copied the wrong log.
    What is happening is the Open Directory Assistant attempts to create an Open Directory Master but fails, claiming there was a configuration error and to view the configuration log, which I have copied below.
    2011-07-28 19:57:45 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
    2011-07-28 19:57:45 +0000 command: /usr/bin/ldapsearch -x -LLL -H ldapi://%2Fvar%2Frun%2Fldapi -b cn=config -s base olcServerID
    2011-07-28 19:57:45 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
    2011-07-28 19:57:45 +0000 command: /usr/sbin/mkpassdb -o -u diradmin -p -q
    2011-07-28 19:57:46 +0000
    2011-07-28 19:57:48 +0000 command: /usr/sbin/mkpassdb -setadmin 0xdc9dacf8b95311e0b494d49a20d93acc 0
    2011-07-28 19:57:48 +0000 Admin's entry UUID is: 9134bc0a-a748-4161-b6b2-53c136b933b9
    2011-07-28 19:57:48 +0000 Setting SASL realm to <SERVER.FREEMAN.PRIVATE>
    2011-07-28 19:57:48 +0000 command: /usr/sbin/mkpassdb -setrealm SERVER.FREEMAN.PRIVATE
    2011-07-28 19:57:48 +0000 command: /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.PasswordService.plist
    2011-07-28 19:57:49 +0000 Stopping LDAP server (slapd)
    2011-07-28 19:57:52 +0000 Starting LDAP server (slapd)
    2011-07-28 19:57:52 +0000 Waiting for slapd to start
    2011-07-28 19:57:52 +0000 ...
    2011-07-28 19:57:54 +0000 Configuring Kerberos server, realm is SERVER.FREEMAN.PRIVATE
    2011-07-28 19:57:54 +0000 command: /usr/sbin/kdcsetup -f /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi -w -a diradmin -p **** -v 1 SERVER.FREEMAN.PRIVATE
    2011-07-28 19:58:18 +0000 Contacting the Directory Server
    Authenticating to the Directory Server
    Creating Kerberos directory
    Creating KDC Config File
    Creating Kerberos Database
    Creating new random master key
    Creating Kerberos Admin user
    Creating ACL file
    Adding kerberos auth authority to admin user
    Starting kdc & kadmind
    Adding the new KDC into the KerberosClient config record
    Finished
    2011-07-28 19:58:18 +0000 command: /usr/sbin/kdcsetup -e
    2011-07-28 19:58:18 +0000 command: /usr/sbin/sso_util configure -x -r SERVER.FREEMAN.PRIVATE -f /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi -a diradmin -p **** -v 1 all
    2011-07-28 19:58:19 +0000 command: /usr/sbin/mkpassdb -kerberize
    2011-07-28 19:58:19 +0000 Updating user records and principals
    2011-07-28 19:58:34 +0000 Asking OpenDirectoryConfig to bind to server: 127.0.0.1
    2011-07-28 19:58:38 +0000 Attempting to open /LDAPv3/127.0.0.1 node
    2011-07-28 19:58:38 +0000 Verified /LDAPv3/127.0.0.1 node is available
    2011-07-28 19:58:40 +0000 command: /usr/sbin/sso_util info -r /LDAPv3/127.0.0.1 -p
    2011-07-28 19:58:40 +0000 Creating Root CA
    2011-07-28 19:58:41 +0000 ***Error creating domain CA. Error - The specified item already exists in the keychain.
    2011-07-28 19:58:41 +0000 Root CA creation failed with error - -25299
    2011-07-28 19:58:41 +0000 Destroying OD master as CA creation failed with error 75
    2011-07-28 19:58:41 +0000 Logging slapd container data to /var/run/slapconfig_error_1311883121
    2011-07-28 19:58:41 +0000 Stopping LDAP server (slapd)
    2011-07-28 19:58:44 +0000 command: /usr/sbin/slapcat -l /var/run/slapconfig_error_1311883121/user.ldif
    2011-07-28 19:58:44 +0000 command: /usr/sbin/slapcat -b cn=authdata -l /var/run/slapconfig_error_1311883121/authdata.ldif
    2011-07-28 19:58:45 +0000 Error retrieving kerberos realm
    2011-07-28 19:58:45 +0000 CopyReplicaArray: ldap_search_ext_s failed
    2011-07-28 19:58:45 +0000 Error retrieving replica array
    2011-07-28 19:58:45 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.opendirectorybackup.plist
    2011-07-28 19:58:45 +0000 Deleting Cert Authority related data
    2011-07-28 19:58:45 +0000 No intCAIdentity, not removing int CA from keychain
    2011-07-28 19:58:45 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
    2011-07-28 19:58:45 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
    2011-07-28 19:58:45 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
    2011-07-28 19:58:45 +0000 _destroyLDAPServer: Failed to find computer record named server.freeman.private$: 2100 Connection failed to the directory server.
    2011-07-28 19:58:45 +0000 Updating ldapreplicas on primary master
    2011-07-28 19:58:45 +0000 Unable to locate primary master
    2011-07-28 19:58:45 +0000 Primary master node is nil!
    2011-07-28 19:58:45 +0000 Unable to locate ldapreplicas record: 0 (null)
    2011-07-28 19:58:45 +0000 Error setting read ldap replicas array: 0 (null)
    2011-07-28 19:58:45 +0000 Error setting write ldap replicas array: 0 (null)
    2011-07-28 19:58:45 +0000 Could not retrieve xmlplist from ldapreplicas: 0 (null)
    2011-07-28 19:58:45 +0000 Error synchronizing ldapreplicas: 0 (null)
    2011-07-28 19:58:45 +0000 Removing self from the database
    2011-07-28 19:58:45 +0000 Warning: An error occurred while re-enabling GSSAPI.
    2011-07-28 19:58:45 +0000 Stopping LDAP server (slapd)
    2011-07-28 19:58:46 +0000 cleanKeytab: unable to retrieve default realm

  • How do I bind to directory server with SSL and authentication?

    I'm running Lion Server 10.7.3, Open Directory master. In Open Directory/Settings/LDAP, I've checked the box to Enable SSL and selected a (self-signed) certificate. In Policies/Binding, I've checked the box to Enable Authenticated Directory Binding.
    Testing with a client computer on which Snow Leopard has been freshly installed and fully updated, I went to System Prefs/Accounts to bind to the new directory server. The good news is, the binding was successful, and when the client initiates an AFP connection with the server, it uses Kerberos, creating a ticket as expected. (Which doesn't work with Lion clients, alas, but that's a separate matter.)
    Here are the problems:
    1) It looks like the binding did not use SSL. By which I mean that when I opened Directory Utility and examined the LDAPv3 entry, the SSL checkbox was not checked. (If I then check the box, everything looks fine until I restart the client, after which I have a red dot. So I'm guessing that checking the box does nothing until after restart, and that it breaks the binding.)
    2) I was never prompted to authenticate for the directory binding.
    So I get that literally I'm *enabling* SSL and Authenticated Directory Binding, but it seems like the defaults are to bind without SSL or authentication, and there's no obvious-to-me way to force the binding to use those things. How do I do that?
    What I'd really like to do is *require* SSL and Authenticated Directory Binding. I want this because my belief (correct me if I'm wrong) is that if authentication is required to bind to the server, no one will be able to bind to my server without my permission, and that SSL offers a more secure connection to my server than not-SSL. How do I require these things, or do I not really want to?
    Thank you.

    You cannot connect to databases via Muse at the moment. Please refer: http://forums.adobe.com/message/5090145#5090145
    Cheers,
    Vikas

  • Ubuntu Karmic authentication against Snow leopard open directory server

    Hi,
    I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's Open Directory server running on an OS X Snow Leopard server. Currently `getent passwd` shows all users, including those from the Open Directory server, when running the command as both root and normal users. However, authentication against the Open Directory users fails with the following messages in /var/log/auth.log:-
    Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
    Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
    (I've changed the hostname and ldap url)
    /etc/ldap.conf has:-
    base dc=server,dc=domain,dc=com
    ldap_version 3
    rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
    bind_policy soft
    pam_password md5
    /etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
    /etc/pam.d/common-passwd :-
    password sufficient pam_ldap.so md5
    password required pam_unix.so nullok obscure md5
    password optional pam_smbpass.so nullok use_authtok tryfirstpass missingok
    /etc/pam.d/common-auth:-
    auth [success=2 default=ignore] pam_unix.so nullok_secure
    auth [success=1 default=ignore] pam_ldap.so usefirstpass
    auth requisite pam_deny.so
    auth required pam_permit.so
    /etc/pam.d/common-account:-
    account [success=2 newauthtokreqd=done default=ignore] pam_unix.so
    account [success=1 default=ignore] pam_ldap.so
    account requisite pam_deny.so
    account required pam_permit.so
    /etc/pam.d/common-session
    session [default=1] pam_permit.so
    session requisite pam_deny.so
    session required pam_permit.so
    session required pam_unix.so
    session optional pam_ldap.so
    session optional pamckconnector.so nox11
    Does anyone have any ideas where to go from here?
    Message was edited by: zebardy

    Hi
    It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
    You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
    An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
    Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
    http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
    Page 55 onwards.
    From Page 64:
    "The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
    If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
    HTH?
    Tony

  • Authentication error while creating directory server through dscc

    Hi
    I am getting an authentication error while creating a DS from DSCC on a Windows box on a Linux RHEL4 server. However, I do not get an authentication issue when creating a DS on a Solaris box from the same DSCC.
    Can someone guide me what might be the issue?
    Thanks
    Aarti

    Hi,
    Please check there is no firewall issue between your windows client to Linux directory server. You may be able to login via dscc but when you create DS instance, your dscc agent port might be an issue not able to talk to Directory server because of firewall.

  • Oracle Portal for LDAP Authentication using Iplanet directory server

    I have Oracle Portal on a Solaris machine and iPlanet Directory Server 5.1 on Windows NT.
    Can I use iPlanet LDAP for Portal user authentication?
    Regards
    srinivas

    Yes, you can. You have to provide the necessary info while running ssoldap.sql.
    Vinodh R.

  • Setup Java system directory server 6 client for user authentication

    I am trying to set up a native LDAP client for Sun Directory Server 6 for network-based user authentication. I checked the Sun doc for the naming service (LDAP), and the documentation is for setting up an LDAP client for Directory Server 5. Is there any documentation for setting up an LDAP client for Directory Server 6? Or are the documents for setting up an LDAP client for Directory Server 5 still good for 6? In particular, I want to use SSL communication between server and client.

    Hi,
    This could be one of the other 'bad jokes' of DS/ldapclient: the documentation describes a lot of stuff about profiles etc., but you need some special schema files to use the whole thing and they are not installed with Solaris or DS (and they include the nisDomainObject). I had to search for them on the internet. They are also printed in the documentation. Save them in your server's config/schema directory as, e.g., 61DUAConfigProfile.ldif and 62nisDomain.ldif and try idsconf again (maybe you have to clean up something).
    I test and prepare DS6 here, and we will use it in production too. I haven't had any problem with it and it has some important advantages over DS5.2. But we won't have a huge directory, so I can't tell you anything more about it.
    Regards
    Jochem Ippers
    Here are the ldifs:
    61DUAConfigProfile.ldif:
    dn: cn=schema
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live, in seconds, before a client DUA should re-read this configuration profile' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by a DUA' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server for a specific service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
    objectClasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top STRUCTURAL DESC 'Abstraction of a base configuration for a DUA' MUST ( cn ) MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) X-ORIGIN 'user defined' )
    62nisDomain.ldif:
    dn: cn=schema
    attributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
    objectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top STRUCTURAL MUST nisDomain X-ORIGIN 'user defined' )

  • Authentications on the Apache Directory Server

    hi all,
    I am a J2EE developer and still new to LDAP servers. I downloaded Apache Directory Server 1.5 to act as an LDAP server, and it is working on my machine because I checked its port. I need to open a session on this server from my J2EE web application and do my authentication against this server, but I don't know how to start, so I need your help if anybody has used this server before.
    Thanks in advance.

    Try to configure it as stated in the following document.
    http://help.sap.com/saphelp_nw04/helpdata/en/18/5cea2296190e4cb7faf9468ad793ea/content.htm
    I have seen several discussions on SDN on the same topic; also do a keyword search on SDN.
    Also check this for the pros and cons of having Apache ...
    Problem while configuring the Apache Web Server as the Intermediary Server
    Edited by: SJ on Aug 3, 2008 10:11 AM

  • Are there any known issues concerning using DIGEST-MD5 SASL authentication with iPlanet Directory Server 5.0 on Windows NT 4.0?

    I am developing support for the DIGEST-MD5 SASL mechanism in a C LDAP client. I am using the evaluation version of the iPlanet Directory Server 5.0, which lists DIGEST-MD5 as a supported SASL mechanism. The server is running on NT 4.0. After installing the Directory Server with the test database, I changed the passwordStorageScheme from the default of SSHA to clear text. I then added my test user. When I run my test I always get back a resultCode of 49 (invalidCredentials). The digest-challenge I receive from the server and my digest-response are shown below. I have satisfied myself that the calculation of the response directive in the digest response is correct. Does anyone see any problems in the digest response or have any other suggestions? Is there a known problem with the iPlanet Directory Server 5.0?
    digest-challenge:
    realm="BGB2.ndp.provo.novell.com",nonce="Ed8UPLXsWaC6CN",qop="auth",algorithm=md5-sess,charset=utf-8
    digest-response:
    username="uid=bgbrown,ou=people,dc=siroe,dc=com",realm="BGB2.ndp.provo.novell.com",cnonce="A9IuPJKr30RiwL",nc=00000001,qop=auth,digest-uri="ldap/BGB2.ndp.provo.novell.com",response=97061205298e5ebaf206c8ac3598fdce,charset=utf-8,nonce="Ed8UPLXsWaC6CN"

    Found the answer. When the username is an LDAP DN it needs to be preceded by "dn:".
    example: username="dn:uid=bgbrown,ou=people,dc=siroe,dc=com"
    The server also accepts a simple uid value.
    example: username="bgbrown"

  • Using iws4.1 and Directory Server 5.0 for authentication, is  there a way to force a log off ?

     

    Hi,
    You can set this in "iPlanet Directory Server", to force the user to log off after a particular time. For more info, check the iPlanet Directory Server guide.
    Regards,
    Dakshin.

  • SUN ONE Directory Server installation Problem on Win XP

    Can someone look at the installation error on Windows XP:
    ERROR: Ldap authentication failed for url ldap://santoshlaptop.cook.com:51303/o=NetscapeRoot user id admin (151:Unknown error.)
    Fatal Slapd Did not add Directory Server information to Configuration Server.
    Configuration of the Directory Server failed.
    Error Directory Server configuration failure
    Checking connection to the Configuration Directory Server... failed.
    The Admininistration Server cannot be configured.
    Error Administration Server configuration failure
    Error Configuration of the server(s) failed
    Thanks a lot
    Santosh

    HI everyone,
    I tried installing directory server 5.2 p4 on WIN XP Professional machine and got the following error:
    [slapd-Teja]: starting up server ...
    [slapd-Teja]: [22/Sep/2006:13:25:52 -0400] - Sun Java(TM) System Directory Server/5.2_Patch_4 B2005.230.0301 (32-bit) starting up
    [slapd-Teja]: [22/Sep/2006:13:25:54 -0400] - Listening on all interfaces port 30145 for LDAP requests
    [slapd-Teja]: [22/Sep/2006:13:25:54 -0400] - slapd started.
    Your new directory server has been started.
    Created new Directory Server
    Start Slapd Starting Slapd server configuration.
    ERROR: Ldap authentication failed for url ldap://ldapteja.hcs.com:30145/o=NetscapeRoot user id admin (151:Unknown error.)
    Fatal Slapd Did not add Directory Server information to Configuration Server.
    Configuration of the Directory Server failed.
    Error Directory Server configuration failure
    Checking connection to the Configuration Directory Server... done.
    Registering Administration Server with Configuration Directory Server... done.
    Loading Administration Server tasks... done.
    Loading global Administration Server configuration... done.
    Generating configuration files ... done.
    Writing Administration Server keys to the Windows registry... done.
    Configuration of the Administration Server succeeded.
    Administration server started properly.
    Error Configuration of the server(s) failed.
    Click Next to continue.
    In fact I did install 5.2 before on my machine, but I think it was 5.2 p2. I then installed 5.1 on the same machine. As the machine was running slow I uninstalled both 5.1 and 5.2, but from then on I cannot install 5.2 on my laptop. Can you please suggest something that can fix this problem?
    I had this in my host file
    192.168.1.107 Teja.hcs.com..
    Any help is greatly appreciated.

  • Open Directory Server "not responding"

    This is strange, and I'm not sure what if anything is wrong...
    My server is an OD Master. LDAP, Password Server, and Kerberos all report running. AFP authentication is set to Kerberos (only). Authenticated directory binding is enabled. Client computers are bound to the directory server. They connect via AFP, a ticket is created (viewable in Ticket Viewer), everything works fine (apparently).
    However... in System Preferences/Accounts/Login Options, there's a red dot (not Leica) next to the directory server IP, and if I click on Edit it says "The server is not responding". This is the case for all client computers, not just one. Not sure when it started; when I set it up they were all green of course.
    So, what does this "server is not responding" mean? Given that clients can do everything they need to do, can/should I consider this a non-issue?

    Thanks Classic and Chris. Good questions.
    The server isn't behaving as expected. Following Classic's suggestion, I tried binding without SSL. I didn't expect it to work, I thought SSL was required. (Under OD Settings/Policies/Binding, "Encrypt all packets (requires SSL or Kerberos)" is checked.) But with SSL unchecked, I was prompted for diradmin username/password. I entered the correct credentials, but they were rejected. So I tried leaving the credentials blank. That bound the client to the directory successfully (green dot). But "Enable authenticated directory binding" is checked.
    With the green dot, I tried connecting to the server over AFP, but could not. Only when I manually copied in the Kerberos file was I able to successfully connect to AFP. (Shouldn't the Kerberos file be created automatically at some point?)
    So, clearly something is wrong with SSL, and also perhaps with my settings. (The server should only allow binding with authentication and over SSL, but it does not, and it does allow unauthenticated binding without SSL.)
    OD Overview confirms that Kerberos is running. Not connected to an AD domain (nor should be).
    Running the kadmin.local command gives me a very long list of items that look like e.g. service/[email protected] or service/LKDC:[email protected] One of the services listed is "afpserver". (There are also listings for a number of services that aren't run on the server.)
    AFP is restricted to two groups; the username I'm using for AFP connections is a member of one of those groups.

  • Access read-only LDAP for username/password, Directory Server LDAP for rest

    Hello! I keep trying to find documentation on the above, but thus far I have been unable to find something that explains this well (and my attempts at figuring out thus far have failed).
    I have a read-only LDAP that is used University wide, and I am not allowed to change how it currently operates. It uses double-bind authentication in that you search for a user to get their DN, then bind to that DN with the users password to see if it was correct.
    I'd like to use the above setup to verify a user's credential as well as return some basic information about them (name, email, etc). After this, I'd like to use another freshly installed Directory Server LDAP to manage the roles that seem to be needed for Portal Server (as I cannot write to the original LDAP).
    Any help or advice on the above would be appreciated! Thank you.

    The authentication you described is the default way LDAP authentication works.
    The AM LDAP auth-module allows you to 'pull' attributes from the LDAP server you're using for authentication and store them in its 'amSDK' Directory Server, which is leveraged by Portal Server (if you're talking about Sun's Portal Server).
    However this is only done if the profile is created (set 'dynamic profile generation' in auth - service).
    As Portal Server does not support the new 'identity repository API' of AM, you have to stick to AM's legacy mode when using Portal Server.
    To keep the data in sync (if needed) you have to write a post-auth class.
    -Bernhard
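The flow Bernhard calls the default way LDAP authentication works, as an added example written for this page (it is not the AM LDAP auth module, and it runs against a constructed in-memory directory rather than a real server so it can be read and executed offline): bind as a service account, search for the user's entry, bind as that entry's DN with the supplied password, and read back the attributes to be copied into the second, writable directory. The checks wrapped around those steps are the ones worth keeping with a real client library: escape the username before it goes into the search filter (RFC 4515), insist on exactly one match, and refuse an empty password before contacting the server, because RFC 4513 lets a server treat "DN plus empty password" as an unauthenticated bind that succeeds without proving anything (the blank-credentials bind reported in the Open Directory thread above is the same effect). The service DN, base DN and entries are assumptions of this example.

```python
"""Search-then-bind ('double bind') with the checks a real deployment needs.
Added example; the directory below is a constructed fake, not a real LDAP."""
import re
from typing import Dict, List, Optional


class AuthError(Exception):
    pass


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: user input must not carry filter metacharacters."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _filter_value_to_regex(raw: str) -> "re.Pattern[str]":
    """Filter value -> regex: unescaped '*' is a wildcard, '\\xx' a literal."""
    parts, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 2 < len(raw):
            parts.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        elif raw[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(raw[i]))
            i += 1
    return re.compile("".join(parts))


class FakeDirectory:
    """Constructed stand-in for the read-only campus LDAP; understands only
    simple (attr=value) filters.  Passwords are clear text because it is a fake."""

    def __init__(self, entries: List[Dict[str, str]]) -> None:
        self.entries = entries
        self.bind_calls = 0

    def bind(self, dn: str, password: str) -> bool:
        self.bind_calls += 1
        if password == "":
            return True   # unauthenticated bind (RFC 4513): 'succeeds' for any DN
        return any(e["dn"].lower() == dn.lower() and e["userPassword"] == password
                   for e in self.entries)

    def search(self, base: str, filt: str) -> List[Dict[str, str]]:
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
        if not m:
            raise ValueError("unsupported filter: " + filt)
        attr, pattern = m.group(1), _filter_value_to_regex(m.group(2))
        return [e for e in self.entries
                if e["dn"].lower().endswith(base.lower())
                and attr in e and pattern.fullmatch(e[attr])]


def authenticate(directory: FakeDirectory, service_dn: str, service_pw: str,
                 base: str, username: str, password: str) -> Dict[str, str]:
    """Return profile attributes on success; raise AuthError otherwise."""
    if password == "":
        raise AuthError("empty password refused before contacting the server")
    if not directory.bind(service_dn, service_pw):
        raise AuthError("service account bind failed")
    hits = directory.search(base, "(uid=%s)" % escape_filter_value(username))
    if len(hits) != 1:
        raise AuthError("expected exactly one entry, found %d" % len(hits))
    entry = hits[0]
    if not directory.bind(entry["dn"], password):
        raise AuthError("invalid credentials")
    # What a post-auth step would copy into the writable directory.
    return {k: entry[k] for k in ("dn", "cn", "mail")}


def try_login(directory: FakeDirectory, username: str,
              password: str) -> Optional[Dict[str, str]]:
    """Convenience wrapper with assumed service credentials and base DN."""
    try:
        return authenticate(directory, "cn=portal-svc,ou=Services,dc=example,dc=edu",
                            "svc-pw", "dc=example,dc=edu", username, password)
    except AuthError:
        return None


def demo_directory() -> FakeDirectory:
    return FakeDirectory([
        {"dn": "cn=portal-svc,ou=Services,dc=example,dc=edu", "cn": "portal-svc",
         "mail": "", "userPassword": "svc-pw"},
        {"dn": "uid=alice,ou=People,dc=example,dc=edu", "uid": "alice",
         "cn": "Alice Liddell", "mail": "alice@example.edu", "userPassword": "alice-pw"},
    ])
```

With a real client the same three checks apply unchanged; only `FakeDirectory` is replaced by the library's connection object.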

  • How to install directory server/client on Solaris 9 for dummys

    Hi,
    after reading hundreds of pages, after asking questions in forums without getting the right answers, I was able to install the directory server in our company.
    Here is the summary i made for myself. Perhaps it helps others to avoid the same problems.
    Set up a Directory Server (sun one ds 5.1)
    Present situation:
    -Nisplus is installed
    -Solaris OS 9 sparc 64bit is installed
    -DS5 Software is normally already installed in Solaris 9. Check with 'pkginfo | grep IPLT*'
    -Otherwise install from Solaris OS 9 Disc1 with 'pkgadd -d IPLTxxxx .'
    -Software setup with '/usr/sbin/directoryserver setup'
         Install admin- and directory server.
         For Directory Server use port 389 (necessary for later use of SSL)
         For Admin Server use any empty port > 1024
         Run directoryserver as root (necessary for using port 389 and for starting servers from console)
         Use default Directory Manager DN cn=Directory manager
         Use your domain as DIT (default information tree) example: dc=example, dc=com
         As second DIT, setup installs o=NetscapeRoot. Don't change this DIT at all!!!!!
    The server stores all the default schemas there, which are absolutely important for the directory
    server. Don't change anything there!
    -Configure software with 'idsconfig'
         Preferred - and default server xxx.xxx.xxx.xxx (ip_adds of your directory server)
         Use default search scope one
         Use credential's Proxy
         Use authentication Simple (you may change this later if needed)
         All the rest should remain on default settings
         You will be asked for a proxy password
    -Start the directoryserver console with '/usr/sbin/directoryserver startconsole'
    -If it's not yet running, start the directory server from console or with command 'directoryserver -s instance_name start'
    -If it's not yet running, start the admin server from console or with command 'directoryserver start-admin'
    -On directoryserver's gui at configuration/password set password encryption to 'unix crypt algorithm (CRYPT)'
    Import Data
    -Get Data from Nisplus with
         'niscat passwd.org_dir passwd.ldap'
         'niscat hosts.org_dir hosts.ldap'
         'niscat groups.org_dir groups.ldap'
         etc
    -adjust the files. (Try it out with one entry of a file only. You may delete this entry with the gui very easily if it's not successful.)
    -hosts.ldap must look like
    xxx.xxx.xxx.xxx machine1
    xxx.xxx.xxx.xxx machine2
    xxx.xxx.xxx.xxx machine3
         First value is the ip-address, second one is the hostname.
         If you have more than one hostname per machine, use a second line (don't write 2 names behind the ip-address like you did in nisplus!!!)
    Change content of files into ldif format
    -perl migrate_hosts.pl hosts.ldap hosts.ldif
    -perl migrate_passwd.pl passwd.ldap passwd.ldif
    -You may download the above perl-Files from http://www.padl.com
    Change the converted passwd.ldif File as follows:
    -before change:
    dn: uid=mario,ou=People,dc=krinfo,dc=ch
    uid: mario
    cn: mario
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    userPassword: {crypt}6O9m3uK./T/rM
    loginShell: /bin/bash
    uidNumber: 1020
    gidNumber: 14
    homeDirectory: /home/mario
    -after change:
    dn: uid=mario,ou=People,dc=krinfo,dc=ch
    uid: mario
    cn: mario
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount <--- this line must be inserted
    objectClass: top
    userPassword: {crypt}6O9m3uK./T/rM
    loginShell: /bin/bash
    uidNumber: 1020
    gidNumber: 14
    homeDirectory: /home/mario
    Insert the line for every entry in the passwd.ldif file
    You may now import all these xxxx.ldif files into the directory server with
    -ldapadd -h name_of_directoryserver -D "cn=Directory Manager" -w password -f XXXXX.ldif
    You may use these commands later to import further data.
    -Initialise a client
    'ldapclient -a proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com init xxx.xxx.xxx.xxx'
    The xxx.xxx.xxx.xxx at the end is the ip address of the directory server
    -This will make a client with data taken from the default profile from the directory server. This profile has been produced with the earlier command idsconfig and can be changed if needed.
    -The System will ask you for the proxy password (given the first time in idsconfig dialog)
    -You may now look at the produced files
    in '/var/ldap/ldap_client_file' for the client settings
    in '/var/ldap/ldap_client_cred' for the proxy settings
    'ldapclient list' shows the settings of the client
    With 'ldaplist -h' you may see all the existing entries with their objects.
    Activate the client
    -If it's not yet running, start '/usr/lib/ldap/ldap_cachemgr'
    -All nisplus daemons/programs have been stopped by ldapclient command. If not, stop them manually.
    -/etc/nsswitch.conf should have been copied from /etc/nsswitch.ldap by ldapclient too.
    -If not, do it manually.
    example
    passwd: files ldap
    group: files ldap
    hosts: ldap dns files
    etc
    I recommend to change the file '/etc/nsswitch.ldap' because the system often copies nsswitch.ldap to nsswitch.conf and if nsswitch.ldap is adapted, you must now change it again and again.
    You may now check whether ldap is working fine with the following requests:
    getent passwd username
    getent hosts hostname
    getent group
    getent networks
    These commands should give you the requested answer.
    Be sure to clean:
    /etc/hosts      inside is only your workstation and the directory server
    /etc/passwd     only default and local entries
    /etc/group only default and local entries
    etc
    try a telnet to your own machine to check whether password and automount of your home directory work fine.
    I failed here. All was working fine, but the password exchange did not because of credential/authentication problems.
    Best regards and good luck
    Mario
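    The two file edits the walkthrough above asks for by hand (one hostname per line in hosts.ldap, and an 'objectClass: shadowAccount' line in every posixAccount entry of passwd.ldif) are easy to get wrong on a few hundred entries. The following is an added example, not code from Mario's post and not part of the PADL MigrationTools; the sample hosts and LDIF text are constructed (documentation addresses under 192.0.2.0/24 and dc=example,dc=com; the mario entry reuses the values shown in the post). It unfolds LDIF continuation lines before checking object classes, inserts the shadowAccount class directly after posixAccount as the post does, leaves entries that are not posixAccounts alone, and is idempotent, so re-running it on an already converted file changes nothing.

```python
import re

# Constructed sample of NIS+ hosts output with the multi-name-per-line form
# the walkthrough says must be split up before migrate_hosts.pl is run.
SAMPLE_HOSTS = """\
# hosts exported from nisplus (constructed sample)
192.0.2.10 machine1 machine1.example.com
192.0.2.11 machine2
192.0.2.12 machine3   # build host
"""

# Constructed sample passwd.ldif: one non-posixAccount entry that must be
# left untouched, plus the 'before' entry from the post (values reused).
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalUnit
objectClass: top

dn: uid=mario,ou=People,dc=example,dc=com
uid: mario
cn: mario
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}6O9m3uK./T/rM
loginShell: /bin/bash
uidNumber: 1020
gidNumber: 14
homeDirectory: /home/mario
"""


def normalize_hosts(nis_hosts_text: str) -> str:
    """Rewrite 'ip name1 name2 ...' lines into 'ip name' lines, one per hostname.
    Comments and blank lines are dropped; a line without a hostname is an error."""
    lines = []
    for raw in nis_hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        if not names:
            raise ValueError(f"hosts line has no hostname: {raw!r}")
        lines.extend(f"{ip} {name}" for name in names)  # repeat the ip for every alias
    return "\n".join(lines) + "\n"


def _entries(ldif_text: str):
    """Split LDIF text into its blank-line separated entries (empty chunks skipped)."""
    return [e for e in re.split(r"\n[ \t]*\n", ldif_text.strip("\n")) if e.strip()]


def _unfold(entry_lines):
    """Join LDIF continuation lines (those starting with a space) onto the previous line."""
    out = []
    for ln in entry_lines:
        if ln.startswith(" ") and out:
            out[-1] += ln[1:]
        else:
            out.append(ln)
    return out


def _object_classes(lines):
    """Lower-cased objectClass values of one unfolded entry, in file order."""
    return [ln.split(":", 1)[1].strip().lower()
            for ln in lines if ln.lower().startswith("objectclass:")]


def add_shadow_account(ldif_text: str) -> str:
    """Insert 'objectClass: shadowAccount' into every posixAccount entry that lacks it,
    right after the posixAccount objectClass line. All other attribute lines,
    including userPassword, pass through unchanged."""
    fixed = []
    for entry in _entries(ldif_text):
        lines = _unfold(entry.split("\n"))
        classes = _object_classes(lines)
        if "posixaccount" in classes and "shadowaccount" not in classes:
            pos = next(i for i, ln in enumerate(lines)
                       if ln.lower().startswith("objectclass:")
                       and ln.split(":", 1)[1].strip().lower() == "posixaccount")
            lines.insert(pos + 1, "objectClass: shadowAccount")
        fixed.append("\n".join(lines))
    return "\n\n".join(fixed) + "\n"


def count_shadow_entries(ldif_text: str) -> int:
    """How many entries carry shadowAccount: a quick check before running ldapadd."""
    return sum("shadowaccount" in _object_classes(_unfold(e.split("\n")))
               for e in _entries(ldif_text))


if __name__ == "__main__":
    print(normalize_hosts(SAMPLE_HOSTS))
    converted = add_shadow_account(SAMPLE_LDIF)
    print(converted)
    print("entries with shadowAccount:", count_shadow_entries(converted))
```

    In practice you would read hosts.ldap and passwd.ldif from disk, write the results to new files and feed those to migrate_hosts.pl and ldapadd as the post describes. Since the converted passwd.ldif still carries the {crypt} hashes, keep it readable by root only and remove it once the ldapadd import has succeeded.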

    Directory Server 5.1 does not support Kerberos authentication.
    Besides this, there are some extensions in MS Kerberos authentication that make it almost impossible to have a MS client authenticate with something other than AD.
    Regards,
    Ludovic.

  • Make Plug-in to Directory Server

    Hi,
    I was trying to get some API documentation and examples to create plug-ins to Directory Server in Java, however I was not able to download anything useful.
    I have to integrate a special authentication method into Directory Server (that is part of a Portal Server). Can you please help to find the appropriate SDK/documents?

    Hi,
    The java program that you want to run when add/modify occurs can be kicked off in the class that implemented the Listener.
    Also, these programs will work on only those LDAP servers which support Persistent Search Control. Probably that was the reason why you didn't see anything happening when you started the listener and modified your LDAP database.
    The listener works fine in Netscape Directory Service LDAP but doesn't work in OID (Oracle) or AD (Microsoft) directories.
    Hope this helps!
    -Rama
