Directory Server recommendations (NIS to LDAP)

I'm starting out looking into migrating our NIS database to LDAP using Sun Directory Server.
We currently use NIS primarily for authentication and Unix account information.
I've installed Sun Java System Directory Server 5.2.4 on a Solaris 10 machine (is this different than iPlanet or whatever is installed by default -- idsconfig)?
I'm trying to figure out the best way to tackle the migration. I haven't yet stumbled across any tools for automatically importing NIS data into my LDAP directory, but I suppose some 3rd-party scripts exist.
Beyond that, I see reference to a Gateway (rpc.nisd) that can be used to ferry NIS+ requests to an LDAP backend. See http://www.phptr.com/articles/article.asp?p=101621&seqNum=2&rl=1. My question is, does this work only with NIS+ or would it work with NIS as well?
Any other tips and/or best practices would be appreciated. There's a lot of documentation out there, but for various versions of the directory server with just enough differences to confuse me. :)
TIA.

I have done this migration a couple of times now and the best thing to do is just write a Perl script to grab all of the NIS data out of the map files and then have the script create an LDIF file with all the correct attributes. The script is not that hard to create, and once done you can just import all your users right into LDAP via the LDIF file.
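The converter the answer describes, written here as an added example in Python rather than Perl (it is not the answerer's script and not a Sun or PADL tool). It assumes the map text is in the 7-field `ypcat passwd` format, that the suffix is `dc=example,dc=com` and the container is `ou=People`, and it does three things the paragraph only implies: it escapes DN and LDIF values that would otherwise break the import (commas in a login, non-ASCII names), it emits `shadowAccount` alongside `posixAccount` so the crypt hash can be used by the Solaris LDAP client, and it refuses to carry locked or placeholder password fields across, flagging duplicate `uidNumber` values on the way. The sample map lines are constructed; the hash is the one shown later on this page.

```python
import base64

BASE_DN = "dc=example,dc=com"          # assumption: adjust to your own suffix
PEOPLE_RDN = "ou=People"               # assumption: container idsconfig expects

# Locked or placeholder password fields carry no secret; importing them as
# {crypt} values would only create entries that can never authenticate.
LOCKED_HASHES = {"", "*", "x", "!", "NP", "*LK*", "*NP*"}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    escaped = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" ") and not escaped.endswith("\\ "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def ldif_line(attr: str, value: str) -> str:
    """One LDIF attribute line; base64-encode values RFC 2849 forbids in clear
    text (leading space/colon/'<', trailing space, NUL/CR/LF, any non-ASCII)."""
    unsafe = (
        value == ""
        or value[0] in " :<"
        or value[-1] == " "
        or any(ord(c) > 127 or c in "\0\r\n" for c in value)
    )
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def passwd_entry_to_ldif(line: str, base_dn: str = BASE_DN) -> str:
    """Turn one NIS passwd map line (7 colon-separated fields) into a
    posixAccount + shadowAccount LDIF record."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    user, pw_hash, uid, gid, gecos, home, shell = fields
    if not user or not uid.isdigit() or not gid.isdigit():
        raise ValueError(f"bad user/uid/gid in {line!r}")
    dn = f"uid={escape_dn_value(user)},{PEOPLE_RDN},{base_dn}"
    lines = [
        ldif_line("dn", dn),
        ldif_line("uid", user),
        ldif_line("cn", gecos.split(",")[0] or user),   # full name, or login if gecos empty
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        ldif_line("uidNumber", uid),
        ldif_line("gidNumber", gid),
        ldif_line("homeDirectory", home),
    ]
    if shell:
        lines.append(ldif_line("loginShell", shell))
    if pw_hash not in LOCKED_HASHES:
        lines.append(ldif_line("userPassword", "{crypt}" + pw_hash))
    return "\n".join(lines) + "\n"


def convert_passwd_map(map_text: str, base_dn: str = BASE_DN):
    """Convert a whole map. Returns (ldif_text, warnings). Duplicate logins are
    dropped and duplicate uidNumbers reported: two accounts sharing a uidNumber
    are the same identity to the OS once they live in LDAP."""
    seen_users, seen_uids, warnings, records = set(), {}, [], []
    for lineno, line in enumerate(map_text.splitlines(), 1):
        if not line.strip() or line.startswith(("#", "+")):
            continue                      # blank, comment or NIS '+' compat entry
        fields = line.split(":")
        if len(fields) != 7:
            warnings.append(f"line {lineno}: skipped malformed entry")
            continue
        user, uid = fields[0], fields[2]
        if user in seen_users:
            warnings.append(f"line {lineno}: duplicate user {user!r} skipped")
            continue
        if uid in seen_uids:
            warnings.append(f"line {lineno}: uidNumber {uid} already used by {seen_uids[uid]!r}")
        try:
            records.append(passwd_entry_to_ldif(line, base_dn))
        except ValueError as exc:
            warnings.append(f"line {lineno}: {exc}")
            continue
        seen_users.add(user)
        seen_uids.setdefault(uid, user)
    return "version: 1\n\n" + "\n".join(records), warnings


# Constructed sample map; the hash is the one quoted elsewhere on this page.
SAMPLE_MAP = """\
mario:6O9m3uK./T/rM:1020:14:Mario Example,Room 12:/home/mario:/bin/bash
svc-backup:*LK*:1021:14:Backup service:/var/backup:/bin/false
jürgen:6O9m3uK./T/rM:1022:14:Jürgen Beispiel:/home/juergen:/bin/sh
dup:6O9m3uK./T/rM:1020:14:Duplicate uid:/home/dup:/bin/sh
"""

if __name__ == "__main__":
    ldif, warnings = convert_passwd_map(SAMPLE_MAP)
    print(ldif)
    for w in warnings:
        print("WARNING:", w)
```

Feed the output to `ldapadd` as the later posts on this page show; review the warnings first, since a duplicate uidNumber in NIS is a problem you want to resolve before it becomes two LDAP entries mapping to one Unix identity.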

Similar Messages

  • Unable to create the Directory Server entry on the LDAP Console

    When I try to create the connection with the Directory Server I get the following message:
    Could not contact the DSCC agent on <server>. Use the command cacaoadm to check that the DSCC agent is installed and running on port 11162.
    I found a bug related to this issue and installed the patch 123893-15. I restarted the cacaoadm and the console:
    root@mntsammx # cacaoadm list-params
    snmp-adaptor-port=11161
    snmp-adaptor-trap-port=11162
    jmxmp-connector-port=11162
    commandstream-adaptor-port=11163
    rmi-registry-port=11164
    secure-webserver-port=11165
    java-flags=-Xms4M -Xmx128M -Dcom.sun.management.jmxremote -Dfile.encoding=utf-8 -Djava.endorsed.dirs=/usr/lib/cacao/lib/endorsed
    micro-agent=false
    java-home=/usr/jdk/jdk1.5.0_18
    jdmk-home=/usr/share/lib/jdmk
    nss-lib-home=/usr/lib/mps/secv1
    nss-tools-home=/usr/sfw/bin
    retries=4
    log-file-limit=1000000
    log-file-count=3
    log-file-append=true
    enable-instrumentation=false
    user=root
    group=sys
    network-bind-address=127.0.0.1
    watchdog-heartbeat-timeout=60
    And as you can see it is running on that port. What else needs to be done?
    Thanks!

    Well... this ALMOST worked. I got closer. I found out there are three cacaoadm daemons on the machine, so I started the correct one this time:
    [server1]/opt/myuser> ps -ef | grep cacao
    root 17773 1 0 Jun 12 ? 0:02 /usr/lib/cacao/lib/tools/launch -w /var/cacao/instances/default -L 16384 -P /va
    myusermx 22756 20845 0 10:06:14 pts/4 0:00 grep cacao
    So, I stopped the old one:
    root@server1 # cd /usr/sbin
    root@server1 # ./cacaoadm stop
    root@server1 # ps -ef |grep cacao
    root 23393 23045 0 10:16:20 pts/4 0:00 grep cacao
    root@server1 #
    Then I changed to the location of the correct one
    cd /opt/myuser/sunoneldap/dsee6/cacao_2/usr/sbin/
    [server1]/opt/myuser/sunoneldap/dsee6/cacao_2/usr/sbin> ./cacaoadm set-param network-bind-address=<my_ip>
    [server1]/opt/myuser/sunoneldap/dsee6/cacao_2/usr/sbin> ./cacaoadm start
    [server1]/opt/myuser/sunoneldap/dsee6/cacao_2/usr/sbin> ./cacaoadm status
    default instance is DISABLED at system startup.
    Current retries count : 0/4
    Processes:
    23755
    Uptime: 0 day(s), 0:0
    [server1]/opt/myuser/sunoneldap/dsee6/cacao_2/usr/sbin> ps -ef | grep cacao
    myusermx 23753 1 0 10:17:53 ? 0:00 /opt/myuser/sunoneldap/dsee6/cacao_2/usr/lib/cacao/lib/tools/launch -w /opt/man
    myusermx 23918 20845 0 10:18:22 pts/4 0:00 grep cacao
    So, I went back to the console. This time it let me through the step to accept the certificate; I clicked Next and an exception was thrown. I copied it, but I lost it. After that, I wasn't able to get to the same point again; I am back to the old message that it can't contact cacaoadm....
    Any other inputs?

  • Directory server 6.2 for LDAP Naming on Solaris 9 SPARC

    I'm in a POC at CU site and I'm trying to set up a Solaris 9 with a Directory Server 6.2 for Naming Services.
    After installing the whole thing, I'm at the point of running idsconfig and I'm getting the following error
    ERROR: idsconfig only works with iDS version 5.x, not 6.2.
    I've no evidence that my configuration is not supported. Does anyone know if I'm missing some patches? A quick run on SunSolve does not show any specific patch for the issue on Solaris 9 (does one exist for Solaris 10?).
    Thanks for helping.

    This has been discussed before here: http://forum.java.sun.com/thread.jspa?threadID=5178211
    There is a fairly recent patch for 10 that corrects the problem but the easiest thing to do is just edit the idsconfig file and change the variable for the major version from 5 to 6 and voila, you're good.

  • How to create users with i18n characters in SunONE directory server?

    Was trying to create users and groups with i18n characters in SunONE directory server
    1. Started LDAP console using -l option
    2. Changed the Locale to Japanese
    3. Entered a few Japanese characters as the username (i.e., an internationalized user name)
    4. However, I was not able to type the password using the "soft keyboard" that comes with the Japanese Locale
    5. To work around #4, for now I typed English characters as the password
    6. Click OK to save the above username/pwd
    7. It says "netscape.ldap.LDAPException: error result (19); value of attribute "uid" contains extended (8-bit) characters"
    Has anyone ever created i18n user names in SunONE Directory Provider? Please help...

    Hi LostLad,
    Sorry for my ignorance... Could you please elaborate on how to remove the "uid" attribute from the 7-bit ASCII plugin?
    Thanks in advance..

  • Weblogic server 5.1.0 with sp8 does not work with LDAP (Netscape Directory Server 4.12)

    I have weblogic server 5.1.0 with the sp8 running on Windows NT server 4.0.
    The weblogic server is configured to use LDAP realm (Netscape directory
    server 4.12).
    When I try to run weblogic server I get the following errors:
    The WebLogic Server did not start up properly.
    Exception raised: java.lang.reflect.InvocationTargetException
    java.lang.reflect.InvocationTargetException: java.lang.ExceptionInInitialize
    or: weblogic.security.ldaprealm.LDAPRealmException: cannot connect to ldapse
    without a principal to authenticate as
    at weblogic.security.ldaprealm.LDAPDelegate.setupProperties(LDAPDele
    .java, Compiled Code)
    at weblogic.security.ldaprealm.LDAPDelegate.<clinit>(LDAPDelegate.ja
    83)
    at weblogic.security.ldaprealm.LDAPRealm.<init>(LDAPRealm.java:34)
    at java.lang.Class.newInstance0(Native Method)
    at java.lang.Class.newInstance(Class.java:241)
    at weblogic.security.acl.Realm.getRealm(Realm.java:78)
    at weblogic.security.acl.Realm.getRealm(Realm.java:56)
    at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1756)
    at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
    at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
    at java.lang.reflect.Method.invoke(Native Method)
    at weblogic.Server.startServerDynamically(Server.java:99)
    at weblogic.Server.main(Server.java:65)
    at weblogic.Server.main(Server.java:55)
    java.lang.ExceptionInInitializerError: weblogic.security.ldaprealm.LDAPRealm
    ption: cannot connect to ldapserver without a principal to authenticate as
    at weblogic.security.ldaprealm.LDAPDelegate.setupProperties(LDAPDele
    .java, Compiled Code)
    at weblogic.security.ldaprealm.LDAPDelegate.<clinit>(LDAPDelegate.ja
    83)
    at weblogic.security.ldaprealm.LDAPRealm.<init>(LDAPRealm.java:34)
    at java.lang.Class.newInstance0(Native Method)
    at java.lang.Class.newInstance(Class.java:241)
    at weblogic.security.acl.Realm.getRealm(Realm.java:78)
    at weblogic.security.acl.Realm.getRealm(Realm.java:56)
    at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1756)
    at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
    at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
    at java.lang.reflect.Method.invoke(Native Method)
    at weblogic.Server.startServerDynamically(Server.java:99)
    at weblogic.Server.main(Server.java:65)
    at weblogic.Server.main(Server.java:55)
    And here is the my ldaprealm.properties file
    netscape.server.host=localhost
    netscape.server.port=389
    netscape.server.ssl=false
    netscape.server.principal=uid=admin, ou=Administrators,
    ou=TopologyManagement, o=NetscapeRoot
    netscape.server.credential=password
    netscape.user.dn=ou=People, o=towers.com
    netscape.user.filter=(&(uid=%u)(objectclass=person))
    netscape.group.dn=ou=Groups, o=towers.com
    netscape.group.filter=(&(cn=%g)(objectclass=groupofuniquenames))
    netscape.membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquename
    s))
    By looking at the error message, it seems like the "server.principal" and
    "server.credential" info is not correct.
    But I was able to use the same Netscape Directory server with WebLogic 5.1.0
    with sp4, although the ldaprealm.properties file has somewhat different
    format.
    Did anyone have similar problems with sp8?
    Thanks in advance for any suggestions.

    BEA support just gave me the solution.
    They told me to uncomment the line
    server.alias=netscape
    in the ldaprealm.properties file
    And I am able to start weblogic with my NIS
    Thanks
    "Enrique" <[email protected]> wrote in message
    news:[email protected]...
    > Hi,
    > Have you tried to remove the "system" user on the LDAP server?
    > Regards.
    > "Honghai Zhang" <[email protected]> wrote:

  • Access read-only LDAP for username/password, Directory Server LDAP for rest

    Hello! I keep trying to find documentation on the above, but thus far I have been unable to find something that explains this well (and my attempts at figuring out thus far have failed).
    I have a read-only LDAP that is used University-wide, and I am not allowed to change how it currently operates. It uses double-bind authentication, in that you search for a user to get their DN, then bind to that DN with the user's password to see if it was correct.
    I'd like to use the above setup to verify a user's credential as well as return some basic information about them (name, email, etc). After this, I'd like to use another freshly installed Directory Server LDAP to manage the roles that seem to be needed for Portal Server (as I cannot write to the original LDAP).
    Any help or advice on the above would be appreciated! Thank you.
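The search-then-bind flow the poster describes, as an added example in Python (not code from the poster, Sun, or any directory product). The directory and the bind are simulated in memory so it runs offline; against a real server the search and bind would be `ldapsearch`/`ldapbind` or a client library, and the server, not this code, checks the password. What the simulation keeps faithful is the two checks a defender wants in front of the second bind: the username is escaped before it is interpolated into the `(uid=...)` filter (RFC 4515), and an empty password is rejected, because an LDAP simple bind with an empty password is an *unauthenticated* bind that many servers accept. Names, DNs and passwords are constructed.

```python
import hmac
import re
from typing import Optional

# Constructed stand-in for the read-only campus directory: DN -> attributes.
# Clear-text passwords appear only because this is a simulation; a real server
# stores hashes and performs the bind itself.
DIRECTORY = {
    "uid=alice,ou=People,dc=univ,dc=example": {
        "uid": "alice", "cn": "Alice Example", "mail": "alice@univ.example",
        "userPassword": "correct-horse-battery",
    },
    "uid=bob,ou=People,dc=univ,dc=example": {
        "uid": "bob", "cn": "Bob Example", "mail": "bob@univ.example",
        "userPassword": "hunter2-but-longer",
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def _assertion_to_regex(assertion: str) -> re.Pattern:
    """Simplified RFC 4515 semantics: an unescaped '*' is a wildcard, a '\\xx'
    hex escape stands for one literal character, everything else is literal."""
    parts, i = [], 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "\\" and i + 2 < len(assertion):
            parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)   # uid uses caseIgnore matching


def search_uid(assertion: str) -> list:
    """Simulated '(uid=<assertion>)' subtree search returning matching DNs."""
    pattern = _assertion_to_regex(assertion)
    return [dn for dn, attrs in DIRECTORY.items() if pattern.fullmatch(attrs["uid"])]


def simulated_bind(dn: str, password: str) -> bool:
    """Stand-in for the second bind; constant-time compare as a matter of habit."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["userPassword"], password)


def authenticate(username: str, password: str, escape: bool = True) -> Optional[dict]:
    """Search-then-bind. Returns profile attributes on success, None otherwise."""
    # An empty password would turn the second bind into an unauthenticated
    # simple bind, which many servers treat as success: refuse it up front.
    if not password:
        return None
    assertion = escape_filter_value(username) if escape else username
    candidates = search_uid(assertion)
    # Exactly one entry must match: zero means unknown user, more than one
    # means the filter was ambiguous (or manipulated) and we must not guess.
    if len(candidates) != 1:
        return None
    dn = candidates[0]
    if not simulated_bind(dn, password):
        return None
    attrs = DIRECTORY[dn]
    return {"dn": dn, "cn": attrs["cn"], "mail": attrs["mail"]}


if __name__ == "__main__":
    print(authenticate("alice", "correct-horse-battery"))
    print("unescaped '*' matches:", search_uid("*"))
    print("escaped '*' matches:", search_uid(escape_filter_value("*")))
```

The `escape=False` path exists only to make the difference visible: without escaping, the characters a user types become filter syntax, so a login name of `*` matches every entry. The returned attributes (cn, mail) are what the poster wants to copy into the second, writable Directory Server for role management.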

    The authentication you described is the default way LDAP authentication works.
    AM's LDAP auth module allows you to 'pull' attributes from the LDAP server you're using for authentication and store them in its 'amSDK' Directory Server - which is leveraged by Portal Server (if you're talking about Sun's Portal Server).
    However this is only done if the profile is created (set 'dynamic profile generation' in auth - service).
    As Portal Server does not support the new 'identity repository API' of AM you have to stick to AM's legacy mode when using Portal Server.
    To keep the data in sync (if needed) you have to write a post-auth class.
    -Bernhard

  • Can an email address be a member of an LDAP group even if it isn't associated with an object in the Directory Server?

    Can an email address be a member of an LDAP group even if it isn't
    associated with an object in the Directory Server?
    General members of a group are the members defined in the
    Directory Server. They are full-fledged members of the group who
    may have a set of permissions associated with their membership,
    a title, or other attributes. Mail-specific users are users who
    are not full-fledged members of the group, but who receive mail
    sent to the group. Mail-specific users need not be identified as
    a user in the Directory Server--an email address is sufficient.
    An example of this is a group of salespeople, all of whom are in
    the group "North American Sales Team." They have access to a
    sales-tracking database, on-line quota information, and
    competitive information. The mail-specific users of this group
    are the admins who support the members of the sales team, who need
    to get the mail that goes out to the group, but don't need access
    to the applications and information that the salespeople do.

    Hey EllyK,
    Welcome to the BlackBerry Support Community Forums.
    Thanks for the question.
    I would suggest performing this workaround and then try to login to BlackBerry Link:
    Open BlackBerry World on the BlackBerry smartphone and sign in using the BlackBerry ID. 
    Connect the BlackBerry 10 smartphone to the computer. 
    Open BlackBerry Link
    Sign in using the BlackBerry ID. 
    Let me know if the issue still persists.
    Cheers.
    -ViciousFerret
    Come follow your BlackBerry Technical Team on Twitter! @BlackBerryHelp
    Be sure to click Like! for those who have helped you.
    Click  Accept as Solution for posts that have solved your issue(s)!

  • Account on LDAP Directory Server.

    Folks,
    I am trying to provision users using the 'Anonymous Login' concept on Lighthouse as well as on
    Directory Server. I have IDM 7.1, and Directory Server is already configured in my IDM.
    Just wanted to know which Workflows / UserForms I need to customize to achieve this?
    Anticipating help from folks.
    Randhir Singh

    Never mind, I found the solution myself - I had to reinitialize the LDAP administrator.

  • Newbie: IBM Directory Server LDAP Java Implementation

    Good day friends,
    I'm new to developing LDAP applications. I'm using IBM Directory Server v4.1 and need to develop an application (a web application - JSP/Servlet/EJB). I'm doing this as part of a Web project where I need to store the User Info of the registering user in the LDAP server with the proper Organisational Hierarchy and Privileges. I'm using Java for this application. I have the proper JNDI environment set up for LDAP interaction. Can anyone provide me with a best practice/right procedure for implementing this, like searching for an entry, inserting/updating an entry, and how to make use of the Attributes provided in IBM DS 4.1?
    I searched the IBM Redbooks and others for this but without any success. All programming references pertain to C, with very minimal info for Java implementation. I found some info for other LDAP servers like Netscape and Novell, but their structure is different from IBM DS. I would appreciate it if anyone can throw some light on this. I would appreciate a complete Java Programmer's Reference Guide for IBM Directory Server v4.1.
    Thanking you in anticipation.
    cheers,
    J2EEDev.

    I'm coping with the same question as you had.
    Did you get any valuable information or a Java programmers reference guide for IBM directory server ?
    If so, could you send me an url where I can obtain the required information ?
    Thanks for your reply !
    Dirk

  • Oracle Portal for LDAP Authentication using Iplanet directory server

    I have Oracle Portal on a Solaris machine and iPlanet Directory Server 5.1 on Windows NT.
    Can I use Portal user authentication with iPlanet LDAP?
    Regards
    srinivas

    Yes You can. You have to provide the necessary info while running the ssoldap.sql.
    Vinodh R.

  • Ldap client with directory server 6.0 on solaris 9 systems

    I have a directory server 6.0 running on a Solaris 9 system. I have set up idsconfig, vlvindex and the certificate database on the server side. The LDAP client I am trying to set up is also a Solaris 9 system. I have set up the certificate database on this LDAP client using the Resource Kit certutil and imported the server certificate into the client certificate database. It seems the TLS secure connection did work between the LDAP server and client (I used the Resource Kit ldapsearch command to test it). I used the 'ldapclient -v init ...' command with 'profileName=tlsprofile' to initialize the LDAP client, and the information returned from that command said the LDAP client was configured successfully. But when I run the ldapaddent command to import /etc/passwd I get the error:
    Passwd container does not exist.
    The ldapaddent command I ran like this:
    ldapaddent -v -f <passwd file> -D "cn=Directory Manager" passwd
    Then I tried to use the 'ldapclient -v manual ....' command to set up the LDAP client. That command finishes successfully. But I still cannot import /etc/passwd using ldapaddent; same error.
    What is wrong with my set-up?
    Thanks,
    --xinhuan

    I looked into the /var/adm/messages, and I have the following error:
    ldap_cachemgr[1640]: [ID 605618 daemon.error] libldap: CERT_VerifyCertName: cert server name 'directory server' does not match 'hostname.mycompany.com': SSL connection denied
    It seems I have a problem with the SSL certificate set-up. I did generate the server-side 'hostname.mycompany.com' certificate, then used the Resource Kit certutil to import that certificate on the client side. Is that the right way to do it?
    Thanks,
    --xinhuan
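The check behind the `CERT_VerifyCertName` line in the log, as an added example in Python (this is not libldap's or NSS's code, only a re-creation of the rule it applies). The certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, so the same function can be pointed at a live peer certificate once a verified TLS connection exists. The rule it applies is the usual one: `subjectAltName` dNSName entries are consulted first, the subject CN only when the certificate carries no DNS names at all, and a `*` wildcard is honoured only as the whole left-most label. A certificate whose only name is the display string `directory server` therefore cannot validate for `hostname.mycompany.com`, which is exactly what the log says.

```python
def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname. A single '*' is
    honoured only as the entire left-most label (RFC 6125 style), so
    '*.mycompany.com' covers 'hostname.mycompany.com' but not 'a.b.mycompany.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names the certificate claims, in the order a verifier consults them:
    subjectAltName dNSName entries first; the subject commonName only when the
    certificate has no DNS SAN at all."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]


def check_cert_hostname(cert: dict, hostname: str) -> str:
    """Return '' when the certificate is valid for hostname, otherwise a
    diagnostic worded like the libldap message quoted in the thread."""
    names = cert_names(cert)
    if any(_dns_name_match(name, hostname) for name in names):
        return ""
    shown = ", ".join(repr(n) for n in names) or "<none>"
    return f"cert server name {shown} does not match {hostname!r}"


# Constructed certificate dicts in the shape ssl.SSLSocket.getpeercert() returns.
CERT_BAD_CN = {"subject": ((("commonName", "directory server"),),)}
CERT_GOOD_SAN = {
    "subject": ((("commonName", "directory server"),),),
    "subjectAltName": (("DNS", "hostname.mycompany.com"),),
}
CERT_WILDCARD = {"subject": ((("commonName", "*.mycompany.com"),),)}

if __name__ == "__main__":
    for label, cert in [("bad CN", CERT_BAD_CN), ("SAN", CERT_GOOD_SAN),
                        ("wildcard", CERT_WILDCARD)]:
        print(label, "->", check_cert_hostname(cert, "hostname.mycompany.com") or "OK")
```

Against a live server, obtain the dict from `ssl.SSLSocket.getpeercert()` on a connection whose chain has already been verified (with `CERT_NONE` the dict comes back empty), and compare it with the name the client is configured to contact, since a client configured by IP or short name will fail even when the FQDN is in the certificate.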

  • Directory server and ldap TLS on windows platform

    Has anybody tested "Sun Directory Server" and "LDAP TLS" on the Windows platform? I tried it and I can't establish a secure connection. On other platforms, and I'm speaking about Solaris 9, everything is OK. Any comments?

    It's a rather unusual way to use attribute subtypes. You may be able to do something with the mapping engine in DPS - I'll wait for Sylvain or someone else who knows DPS really well to answer that. But from the perspective of the information model, I have some doubts about this approach. For instance, what happens if you have multiple subtypes on a single-valued attribute?
    Usually, for example, if there is a "preferred" common name as opposed to some other common names, it would be modeled in an entirely different attribute type, such as "preferredName". The subtypes are almost exclusively used for language specification nowadays. That's another question - what happens if you ever need to store multiple languages in your Directory?
    Do you know of anyone else who is using this kind of information model in their Directory?

  • How to install directory server/client on Solaris 9 for dummys

    Hi,
    after reading hundreds of pages, after asking questions in forums without getting the right answers, I was able to install the directory server in our company.
    Here is the summary i made for myself. Perhaps it helps others to avoid the same problems.
    Set up a Directory Server (sun one ds 5.1)
    Present situation:
    -Nisplus is installed
    -Solaris OS 9 sparc 64bit is installed
    -DS5 software is normally already installed in Solaris 9. Check with 'pkginfo | grep IPLT'
    -Otherwise install from Solaris OS 9 Disc1 with 'pkgadd -d IPLTxxxx .'
    -Software setup with '/usr/sbin/directoryserver setup'
         Install admin- and directory server.
         For Directory Server use port 389 (necessary for later use of SSL)
         For Admin Server use any empty port > 1024
         Run directoryserver as root (necessary for using port 389 and for starting servers from console)
         Use default Directory Manager DN cn=Directory manager
         Use your domain as DIT (default information tree) example: dc=example, dc=com
         As second DIT, setup installs o=NetscapeRoot. Don't change this DIT at all!!!!!
    The server stores all the default schemas there, which are absolutely important for the directory server. Don't change anything there!
    -Configure software with 'idsconfig'
         Preferred - and default server xxx.xxx.xxx.xxx (ip_adds of your directory server)
         Use default search scope one
         Use credential's Proxy
         Use authentication Simple (you may change this later if needed)
         All the rest should remain on default settings
         You will be asked for a proxy password
    -Start the directoryserver console with '/usr/sbin/directoryserver startconsole'
    -If it's not yet running, start the directory server from console or with command 'directoryserver -s instance_name start'
    -If it's not yet running, start the admin server from console or with command 'directoryserver start-admin'
    -On directoryserver's GUI at configuration/password set password encryption to 'unix crypt algorithm (CRYPT)'
    Import Data
    -Get Data from Nisplus with
         'niscat passwd.org_dir passwd.ldap'
         'niscat hosts.org_dir hosts.ldap'
         'niscat groups.org_dir groups.ldap'
         etc
    -adjust the files (try it out with one entry of a file only; you may delete this entry with the GUI very easily if it's not successful).
    -hosts.ldap must look like
    xxx.xxx.xxx.xxx machine1
    xxx.xxx.xxx.xxx machine2
    xxx.xxx.xxx.xxx machine3
         First value is the ip-address, second one is the hostname.
         If you have more than one hostname per machine, use a second line (don't write 2 names behind the ip-address like you did in nisplus!!!)
    Change content of files into ldif format
    -perl migrate_hosts.pl hosts.ldap hosts.ldif
    -perl migrate_passwd.pl passwd.ldap passwd.ldif
    -You may download the above perl-Files from http://www.padl.com
    Change the converted passwd.ldif File as follows:
    -before change:
    dn: uid=mario,ou=People,dc=krinfo,dc=ch
    uid: mario
    cn: mario
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    userPassword: {crypt}6O9m3uK./T/rM
    loginShell: /bin/bash
    uidNumber: 1020
    gidNumber: 14
    homeDirectory: /home/mario
    -after change:
    dn: uid=mario,ou=People,dc=krinfo,dc=ch
    uid: mario
    cn: mario
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount <--- this line must be inserted
    objectClass: top
    userPassword: {crypt}6O9m3uK./T/rM
    loginShell: /bin/bash
    uidNumber: 1020
    gidNumber: 14
    homeDirectory: /home/mario
    Insert the line for every entry in the passwd.ldif file
    You may now import all these xxxx.ldif files into the directory server with
    -ldapadd -h name_of_directoryserver -D "cn=Directory Manager" -w password -f XXXXX.ldif
    You may use this commands later to import further data.
    -Initialise a client
    'ldapclient -a proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com init xxx.xxx.xxx.xxx'
    The xxx.xxx.xxx.xxx at the end is the ip address of the directory server
    -This will make a client with data taken from the default profile from the directory server. This profile has been produced with the earlier command idsconfig and can be changed if needed.
    -The System will ask you for the proxy password (given the first time in idsconfig dialog)
    -You may now look at the produced files
    in '/var/ldap/ldap_client_file' for the client settings
    in '/var/ldap/ldap_client_cred' for the proxy settings
    'ldapclient list' shows the settings of the client
    With 'ldaplist -h' you may see all the existing entries with their objects.
    Activate the client
    -If it's not yet running, start '/usr/lib/ldap/ldap_cachemgr'
    -All nisplus daemons/programs have been stopped by ldapclient command. If not, stop them manually.
    -/etc/nsswitch.conf should have been copied from /etc/nsswitch.ldap from ldapclient too.
    -If not, do it manually.
    example
    passwd: files ldap
    group: files ldap
    hosts: ldap dns files
    etc
    I recommend changing the file '/etc/nsswitch.ldap' because the system often copies nsswitch.ldap to nsswitch.conf, and if nsswitch.ldap is adapted, you must now change it again and again.
    You may now check whether LDAP is working fine with the following requests:
    getent passwd username
    getent hosts hostname
    getent group
    getent networks
    These commands should give you the requested answer.
    Be sure to clean:
    /etc/hosts      inside is only your workstation and the directory server
    /etc/passwd     only default and local entries
    /etc/group      only default and local entries
    etc
    Try a telnet to your own machine to check whether password and automount of your home directory work fine.
    I failed here. All was working fine, but the password exchange did not because of credential/authentication problems.
    Best regards and good luck
    Mario
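The "insert the line for every entry" step from Mario's write-up, as an added Python example (not Mario's procedure, not a PADL script). It assumes the input is the `passwd.ldif` that `migrate_passwd.pl` produces, reads it as proper LDIF rather than line by line (comments, folded continuation lines that begin with a space, blank-line record separators), and adds `objectClass: shadowAccount` after the last existing `objectClass` of every `posixAccount` record that lacks it. Group records and records that already carry the class pass through untouched, so running it twice is harmless. The sample LDIF is constructed from the entry shown in the post, with one line deliberately folded; where the class is placed among the others does not matter to the server.

```python
def parse_ldif_records(text: str) -> list:
    """Split LDIF into records, each a list of unfolded lines. Handles comment
    lines, RFC 2849 line folding (a continuation line begins with one space)
    and the blank-line record separator."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if current:
                records.append(current)
                current = []
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]          # join a folded continuation line
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def attr_values(record: list, attr: str) -> list:
    """Values of one attribute in a record. Base64 ('::') values are returned
    undecoded; objectClass names are plain ASCII, so that is enough here."""
    vals = []
    for line in record:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            vals.append(value.lstrip(":").strip())
    return vals


def add_shadow_account(text: str):
    """Insert 'objectClass: shadowAccount' into every posixAccount record that
    lacks it, right after its last objectClass line. Returns (ldif, count)."""
    out, changed = [], 0
    for record in parse_ldif_records(text):
        classes = {v.lower() for v in attr_values(record, "objectClass")}
        if "posixaccount" in classes and "shadowaccount" not in classes:
            last = max(i for i, line in enumerate(record)
                       if line.lower().startswith("objectclass:"))
            record.insert(last + 1, "objectClass: shadowAccount")
            changed += 1
        out.append("\n".join(record))
    return "\n\n".join(out) + "\n", changed


# Constructed sample in the shape migrate_passwd.pl / migrate_group.pl produce
# (values taken from the post; the cn line is folded on purpose).
SAMPLE_LDIF = """\
dn: uid=mario,ou=People,dc=krinfo,dc=ch
uid: mario
cn: mar
 io
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}6O9m3uK./T/rM
loginShell: /bin/bash
uidNumber: 1020
gidNumber: 14
homeDirectory: /home/mario

dn: cn=staff,ou=Group,dc=krinfo,dc=ch
cn: staff
objectClass: posixGroup
objectClass: top
gidNumber: 14
memberUid: mario
"""

if __name__ == "__main__":
    fixed, count = add_shadow_account(SAMPLE_LDIF)
    print(fixed)
    print(f"{count} record(s) updated")
```

Write the result to a new file and import that with the `ldapadd` command from the post; keep the original so a bad run can be diffed rather than guessed at.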

    Directory Server 5.1 does not support Kerberos authentication.
    Besides this, there are some extensions in MS Kerberos authentication that make it almost impossible to have an MS client authenticate with something other than AD.
    Regards,
    Ludovic.

  • Data propagation problems w/ NIS+ to LDAP migration..

    Hello All,
    I'm running into an issue performing an NIS+ to LDAP migration with Solaris 9.
    It all happens like this: NIS+ successfully populates the directory through the 'initialUpdateAction=to_ldap' option; afterwards, no updates made directly to LDAP are ever pushed back into NIS+.
    I'm of the understanding (which might be incorrect) that after performing the initial update, NIS+ should simply act as a cache to the data stored in LDAP. Do I need to perform an 'initialUpdateAction=from_ldap' after populating LDAP to force the direction of the data propagation to change?
    I'm experienced with LDAP, so I'm comfortable everything is all right on that side, however, I'm not so sure about NIS+. Anyone out there who has gone through this migration who'd be willing to offer some assistance or advice would be greatly appreciated.
    Many thanks in advance..
    ..Sean.

    Well, you neglected to outline exactly how you accomplished your migration.
    Starting with Tiger Server using NetInfo as a standalone server, we created an Open Directory Master, as described in Apple's Open Directory Guide. By the time we'd finished that, we had an OD admin. From there, we did as I previously described -- exported with WGM from NetInfo, imported with WGM into LDAP, deleted with WGM from NetInfo.
    See http://support.apple.com/kb/TA23888?viewlocale=en_US
    This seems to be an article on how to re-create a password that's been lost. That's not really what we need, though. The OD admin account we created works fine for other services, just not for WGM. And other admin users we created work fine for other services, but not for WGM. The problem is that although admin users can log into many services, they can't log into WGM -- only root can.

  • Sun Java Directory server 6.3.1

    Hello,
    Does anyone know how to configure mail aliases in LDAP, especially in Sun Java Directory Server 6.x? I have already created the container ou=aliases.
    The problem is I get the below error when I install the LDAP client on a server:
    Apr 23 18:32:00 Server1 sendmail[10032]: [ID 801593 mail.crit] n3NHW0HC010032: SYSERR(root): ldap_init/ldap_bind failed to localhost in map aliases.ldap: Can't connect to the LDAP server
    I found that I don't have aliases configured in LDAP; the mail host sits on a different server. Other than this my client works perfectly over SSL.
    Thanks in advance
    sys

    Sys
    Sorry, but this looks to me like you have several problems. Most of them are sendmail related. Maybe it would be a better idea to ask in a sendmail forum instead of a Directory Server forum. Since you have not posted any configs I cannot do more than speculate. Here are my guesses:
    Apr 29 11:58:21 server1 sendmail[3138]: [ID 801593 mail.info] n3TAwKaC003138: n3TAwKaD003138: return to sender: Host unknown (Name server: mailhost.xxxx.com: host not found)
    If mailhost.xxxx.com is an existing host then I guess you have a problem with DNS resolution. Are you able to resolve hosts other than those related to this case or infrastructure (e.g. can you resolve www.google.com)? If not then you should have a look at /etc/resolv.conf. There should be a series of nameserver lines followed by the IP addresses of the nameservers (important: IPs, not names). Another source of error could be found in the "hosts:" line in /etc/nsswitch.conf (it usually reads "hosts: files dns").
    Apr 29 12:04:22 server1 sendmail[3219]: [ID 801593 mail.crit] n3TB4Muk003218: SYSERR(root): ldap_init/ldap_bind failed to localhost in map aliases.ldap: Can't connect to the LDAP server
    Now this means your sendmail is trying to connect to an LDAP directory on the same host to resolve aliases. If the port is correct you might find in the <instance_root>/logs/access file further details about what the sendmail server tried and why it failed. If there is no entry in the access log this would mean that there is no LDAP server listening on the port sendmail connects to. Fact is that somewhere you "told" sendmail to connect to the LDAP server and it is failing to do so.
    Apr 29 12:04:22 server1 sendmail[3219]: [ID 801593 mail.alert] n3TB4Muk003219: Losing ./qfn3TB4Muk003219: savemail panic
    Apr 29 12:04:22 server1 sendmail[3219]: [ID 801593 mail.crit] n3TB4Muk003219: SYSERR(root): savemail: cannot save rejected email anywhere
    Now this error message is normal if alias resolution does not work. An error message would be generated which is sent by the user MAILER-DAEMON. In the sendmail default config MAILER-DAEMON is an alias for postmaster, which is again an alias for root. But if there are no aliases there is no "account" MAILER-DAEMON. This error message will most likely disappear as soon as you have resolved the alias issue.
    So much for the error messages. Unfortunately you are not very specific on your environment. I try to guess what I have understood and try to formulate queries which might help you to find the problem.
    - There is a host A running Solaris 10 and a Sun Directory Server 6.3.1
    -- On what port is the server listening and what information can you get about its current configuration with an anonymous bind (e.g. ldapsearch without username or password)?
    -- You have set up a suffix on this server and created an ou=aliases
    -- Have you inserted the standard aliases (such as MAILER-DAEMON or postmaster)?
    - There is a host B which is the mailhost.
    -- B is trying to connect to localhost (so host B, not A) to get information from an LDAP. Is LDAP running on localhost, yes or no? You are not clear on this topic.
    -- What did you (or anyone else) do to get the server to obtain aliases from an LDAP (this is not standard config; you need to modify settings to do this)?
    -- It is definitely a good idea to define a global bunch of settings in confLDAP_DEFAULT_SPEC (especially the options -d -P -b -h should be set in your case most likely)
    If these hints do not solve your problems I definitely recommend posting in a sendmail forum and reading the sendmail documentation (e.g. https://www.sendmail.org/doc/sendmail-current/cf/README). As far as I know LDAP in sendmail is pretty new in std sendmail and you have to expect that documentation on this topic is still poor.
    Regards
    Martin
