Failover ldap server

I've two ldap servers with replication.
Messaging server v6.0 shows error messages after running the start-msg command.
What does the error message below mean?
Could you suggest how to start the messaging server without error messages?
1. run configutil -o local.ugldaphost -v "mail.domain.com ldap2.domain.com"
2. run configutil -o local.ugldapuselocal -v yes
3. run configutil -o local.ldaphost -v "mail.domain.com ldap2.domain.com"
error messages
# start-msg
[21/Mar/2004:12:03:32 +0700] mail [12167]: General Warning: could not get server configuration in ldap, using cached configuration information
[21/Mar/2004:12:03:32 +0700] mail [12168]: General Warning: could not get server configuration in ldap, using cached configuration information
Connecting to watcher ...
Launching watcher ...
ens is running already
store is running already
imap is running already
pop is running already
http is running already
sched is running already
dispatcher is running already
Starting job_controller server ....[21/Mar/2004:12:03:32 +0700] mail [12170]: General Warning: could not get server configuration in ldap, using cached configuration information
12170

Your error indicates that your step 3 was not the correct thing to do.
local.ldaphost
is for the "configuration" ldap server. If you've not replicated/duplicated the o=NetscapeRoot tree from your originally installed LDAP server, then the server is rightly complaining that it can't get its config information from the failed-over ldap server.
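An added example (not from the thread) that turns the answer above into a check you can run before start-msg: it splits a configutil host list the way the server does, probes every host in order for the o=NetscapeRoot base entry, and flags any host that is listed in local.ldaphost but cannot supply the configuration tree, which is exactly the situation behind the "using cached configuration information" warning. The default probe shells out to OpenLDAP's ldapsearch (an assumption; the Sun ldapsearch takes different flags), and the probe is injectable so the check can be exercised without a directory server. The host names in the usage line are the ones from the question.

```python
"""Probe each host in a configutil host list for the configuration tree.

Added example, not part of the original thread. Assumes the OpenLDAP
``ldapsearch`` CLI for the default probe; pass your own probe otherwise.
"""
import shlex
import subprocess
from typing import Callable, Dict, List, Tuple

CONFIG_BASE = "o=NetscapeRoot"   # tree every local.ldaphost entry must serve
DEFAULT_PORT = 389


def parse_hosts(value: str, default_port: int = DEFAULT_PORT) -> List[Tuple[str, int]]:
    """Split 'mail.domain.com ldap2.domain.com:390' into (host, port) pairs,
    preserving the order, which is also the failover order."""
    hosts = []
    for item in shlex.split(value):
        host, _, port = item.partition(":")
        hosts.append((host, int(port) if port else default_port))
    return hosts


def ldapsearch_probe(host: str, port: int, base: str) -> bool:
    """Anonymous base-scope search; True only if the base entry comes back.
    A server that holds the user/group tree but not o=NetscapeRoot answers
    with 'No such object' and a non-zero exit code."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", f"ldap://{host}:{port}",
           "-b", base, "-s", "base", "(objectClass=*)", "dn"]
    try:
        run = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return run.returncode == 0 and any(
        line.lower().startswith("dn:") for line in run.stdout.splitlines())


Probe = Callable[[str, int, str], bool]


def check_config_hosts(ldaphost_value: str, probe: Probe = ldapsearch_probe,
                       base: str = CONFIG_BASE) -> Dict[str, bool]:
    """Return {'host:port': ok} in failover order for a local.ldaphost value."""
    results: Dict[str, bool] = {}
    for host, port in parse_hosts(ldaphost_value):
        results[f"{host}:{port}"] = bool(probe(host, port, base))
    return results


def unsafe_failover_hosts(results: Dict[str, bool]) -> List[str]:
    """Hosts the server may fail over to but that cannot supply its config."""
    return [h for h, ok in results.items() if not ok]


if __name__ == "__main__":
    import sys
    value = sys.argv[1] if len(sys.argv) > 1 else "mail.domain.com ldap2.domain.com"
    res = check_config_hosts(value)
    for host, ok in res.items():
        print(f"{host}: {'serves' if ok else 'DOES NOT serve'} {CONFIG_BASE}")
    sys.exit(1 if unsafe_failover_hosts(res) else 0)
```

Run it with the same string you pass to configutil -o local.ldaphost; a non-zero exit means at least one listed host would leave the messaging server on cached configuration the moment the primary is unreachable.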

Similar Messages

  • LDAP failover - what happens when the primary LDAP server returns...?

    Hi,
    Got a question regarding LDAP failover...
    I'm running IMS5.2hf2.09 and when our corporate LDAP server has a hiccup the IMS box successfully fails over to the next one according to the 'local.ugldaphost' configutil entry and the following entry is recorded in the http log:
    [05/Feb/2006:21:00:02 -0500] ******** [29882]: General Error: ldappool: ldap1.***.***.*** : Can't connect to the LDAP server - failover to ldap2.***.***.***
    However, my question is: when does it recover back to the original LDAP server (ldap1), or does it stay on the failover LDAP server (ldap2) until that has a problem, and so on? In this instance (where it has failed over to ldap2) there are no other log entries saying it has returned back to the original LDAP server (ldap1), yet NETSTAT shows LDAP connections to ldap1.
    Our LDAP team have got some changes planned and so I want to understand the failover process better.
    Thanks,
    Tom
    iPlanet Messaging Server 5.2 HotFix 2.09 (built Nov 18 2005)
    libimta.so 5.2 HotFix 2.09 (built 10:35:58, Nov 18 2005)
    SunOS ******** 5.8 Generic_108528-19 sun4u sparc SUNW,Ultra-80

    Thanks Jay - that makes quite a difference!
    Our failover LDAP server (ldap2) is over in Asia so if the primary LDAP server (ldap1 in US) has a hiccup - ALL LDAP traffic is going to go to Asia until ldap2 has a problem.
    The majority of our IMS servers are in the US so I guess we'll need to watch out for delays whilst in failover mode.

  • How can we update data in LDAP server using PL/SQL.

    Hi,
    How can we update data in LDAP server using PL/SQL program.
    Is there any sample code for reference?
    Thanks,
    Tarun

    Hi Justin,
    Thanks for your help. You got my correct requirements.
    Tim's example returns all the attributes of the current user, which is the admin user. Please correct me if I am wrong.
    I have the following information:
    the admin user and password, server info, port and ldap_base for admin.
    I have the uid and password for a regular user; I am trying to find the ldap_base for the regular user, which may be different from the admin user's.
    Please help me.
    Thanks,
    Edited by: james. on Jan 12, 2009 5:39 PM

  • Problem installing Sun ONE LDAP server on Windows Server 2008 R2

    Hi all ,
    I am trying to install Ldap server (Sun ONE Directory Server) on windows server 2008
    I am using apache-tomcat-7.0.28 and java jdk1.7.0_05
    I am following this manual for installing :
    https://blogs.oracle.com/marginNotes/entry/installing_directory_server_enterprise_edition1
    I have a problem with the cacao agent and how to install it .
    I've got this error message :
    c:\Program Files\Sun\dsee7\bin>dsccsetup cacao-reg
    Configuring Cacao...
    ## Failed to run "c:/Program Files/Sun/dsee7/ext/cacao_2/bin/cacaoadm.bat" set-param "jdmk-home=c:/Program Files/Sun/dsee7/lib/private"
    #### Cannot create service for instance: [cacao.instance.name].
    #### Cannot perform firstime inialisation and configuration.
    ## Exit code is 1
    Failed to configure Cacao.
    I'm stuck with no other solutions. I hope you could help with this issue.
    I will be glad to know if there are any other ways to install this specific LDAP server.
    Thanks,
    Alon

    You most likely skipped the step of starting the installed server prior to trying to access admin URL. Please check this document:
    http://docs.sun.com/source/817-1830-10/win.html
    Relevant section is:
    You can start the Administration Server in either of the following ways:
    # Select Start Menu -> Programs -> Sun ONE Web Server, and choose Start Web Server Administration Server.
    # From the Control Panel's Services item.
    HTH...

  • ASA Remote Access Authentication with LDAP Server

    Thank you in advance for your help.
    I am configuring an ASA to authenticate with a ldap server for ipsec vpn access.  My customer has 3 networks that are to be accessed by remote users.  However they want to be able to say that one user can get to 2 of the networks and not the 3rd.  So basically they want control over what network behind the firewall each user can access.  This seems doable from my reading and I had planned on creating a group for each network that needs to be accessible and either do attribute maps to each group with a separate group created on the ldap server for authentication.  Basically a ldap group on the ldap server that will have the user's name in the group in order for access.  I can restrict access via acl's or filtering to force my group to only be allowed access to a specific network.  Here is the problem I am having now.
    The ldap server has been created and seems to be working fine.  I have created my AAA groups and servers and I have done the ldap test with a test user vpntest and a password on the ldap server.  When I run the authentication test from the ASDM or command line I get a good authentication successful message.  So I configured a vpn client remotely and attempted to authenticate to this group and it says there is no user by that name.  Below is a paste of the debug.  The second part is when I did a successful test from the ASDM or CLI and it worked great.  The first part is when I attempted from the vpn client.  It all looks the same from the search criteria.  What am I missing here, or does anyone more knowledgeable see anything that I am doing wrong?  Can this be done this way or should I try radius?  The customer was just adamant about using ldap.
    extvpnasa5510#
    [243] Session Start
    [243] New request Session, context 0xd5713fe0, reqType = 1
    [243] Fiber started
    [243] Creating LDAP context with uri=ldaps://130.18.22.44:636
    [243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
    [243] supportedLDAPVersion: value = 2
    [243] supportedLDAPVersion: value = 3
    [243] No Login DN configured for server 130.18.22.44
    [243] Binding as administrator
    [243] Performing Simple authentication for  to 130.18.22.44
    [243] LDAP Search:
            Base DN = [ou=employees,o=msues]
            Filter  = [uid=vpntest]
            Scope   = [SUBTREE]
    [243] User DN = [uid=vpntest,ou=employees,o=msues]
    [243] Talking to iPlanet server 130.18.22.44
    [243] No results returned for iPlanet global password policy
    [243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
    [243] Session End
    extvpnasa5510#
    [244] Session Start
    [244] New request Session, context 0xd5713fe0, reqType = 1
    [244] Fiber started
    [244] Creating LDAP context with uri=ldaps://130.18.22.44:636
    [244] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
    [244] supportedLDAPVersion: value = 2
    [244] supportedLDAPVersion: value = 3
    [244] No Login DN configured for server 130.18.22.44
    [244] Binding as administrator
    [244] Performing Simple authentication for  to 130.18.22.44
    [244] LDAP Search:
            Base DN = [ou=employees,o=msues]
            Filter  = [uid=vpntest]
            Scope   = [SUBTREE]
    [244] User DN = [uid=vpntest,ou=employees,o=msues]
    [244] Talking to iPlanet server 130.18.22.44
    [244] Binding as user
    [244] Performing Simple authentication for vpntest to 130.18.22.44
    [244] Processing LDAP response for user vpntest
    [244] Authentication successful for vpntest to 130.18.22.44
    [244] Retrieved User Attributes:
    [244]   sn: value = test user
    [244]   givenName: value = vpn
    [244]   uid: value = vpntest
    [244]   cn: value = vpn test user
    [244]   objectClass: value = top
    [244]   objectClass: value = person
    [244]   objectClass: value = organizationalPerson
    [244]   objectClass: value = inetOrgPerson
    [244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
    [244] Session End

    Hi Larry,
    You can map AD group memberships to specific group policies on the ASA, you can find that configuration here:
    - http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
    Let me know if further assistance is required!
    Please proceed to rate and mark as correct the helpful Post!
    David Castro,
    Regards,
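An added example (not from the thread, and not Cisco code): a small parser that groups "debug ldap" output by session id and reports how far each session got. The sample log is constructed from the two sessions quoted in the question. On it, session 243 resolves the same user DN as 244 but exits with status=-1 right after the password-policy lookup and never reaches "Binding as user", while 244 binds as the user and succeeds; that difference is the thing to explain before mapping groups to policies. Only the line shapes visible in the post are recognised; anything else in a real debug stream is skipped.

```python
"""Group ASA 'debug ldap' output by session and say how far each got.

Added example, not part of the original thread. SAMPLE_LOG is constructed
from the two sessions quoted in the post.
"""
import re
from collections import OrderedDict
from typing import Dict, Iterable, Optional

SESSION_RE = re.compile(r"^\[(\d+)\]\s*(.*)$")          # '[243] message'
USER_DN_RE = re.compile(r"User DN = \[(.+)\]")
AUTH_OK_RE = re.compile(r"Authentication successful for (\S+)")
EXIT_RE = re.compile(r"Fiber exit .*status=(-?\d+)")

SAMPLE_LOG = """\
[243] Session Start
[243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
[243] Binding as administrator
[243] LDAP Search:
        Base DN = [ou=employees,o=msues]
        Filter  = [uid=vpntest]
        Scope   = [SUBTREE]
[243] User DN = [uid=vpntest,ou=employees,o=msues]
[243] No results returned for iPlanet global password policy
[243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
[243] Session End
[244] Session Start
[244] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
[244] Binding as administrator
[244] User DN = [uid=vpntest,ou=employees,o=msues]
[244] Binding as user
[244] Performing Simple authentication for vpntest to 130.18.22.44
[244] Authentication successful for vpntest to 130.18.22.44
[244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
[244] Session End
"""


def new_session() -> Dict[str, Optional[object]]:
    return {"user_dn": None, "user_bind": False, "auth_user": None, "status": None}


def parse_sessions(lines: Iterable[str]) -> "OrderedDict[str, dict]":
    """Collect, per session id, the facts that decide the outcome."""
    sessions: "OrderedDict[str, dict]" = OrderedDict()
    for raw in lines:
        m = SESSION_RE.match(raw.strip())
        if not m:
            continue            # indented search-detail lines carry no session id
        sid, msg = m.groups()
        s = sessions.setdefault(sid, new_session())
        if (dn := USER_DN_RE.search(msg)):
            s["user_dn"] = dn.group(1)
        elif msg.startswith("Binding as user"):
            s["user_bind"] = True
        elif (ok := AUTH_OK_RE.search(msg)):
            s["auth_user"] = ok.group(1)
        elif (ex := EXIT_RE.search(msg)):
            s["status"] = int(ex.group(1))
    return sessions


def triage(s: dict) -> str:
    """One line per session: where in search -> user bind -> result it stopped."""
    if s["status"] == 1 and s["auth_user"]:
        return "authenticated as " + str(s["auth_user"])
    if s["user_dn"] is None:
        return "user not found by search"
    if not s["user_bind"]:
        return "user found but no user bind attempted"
    return "user bind failed"


if __name__ == "__main__":
    for sid, sess in parse_sessions(SAMPLE_LOG.splitlines()).items():
        print(f"[{sid}] {sess['user_dn']}: {triage(sess)}")
```

Pipe a captured "debug ldap 255" session through parse_sessions and look at the sessions whose user_dn is set but whose user_bind is False: the search worked, so the failure is not in the base DN or filter.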

  • How to change LDAP server setting in Access Manager 6.2

    Hi,
    We have initially set authentication to a SunONE Directory Server 5.1 (master DS1) in Sun Java System Access Manager 6.2. In both conf files,
    /etc/opt/SUNWam/config/serverconfig.xml and /etc/opt/SUNWam/config/AMConfig.properties,
    DS1 was set initially. Also on the console, Service Configuration -> LDAP -> Primary LDAP Server was set as "DS1".
    Now the problem is that I am not able to change the DS1 to the other master "DS2". I set DS2 in both above conf files and also the Service Configuration page as Primary LDAP Server. I restarted the server. When I stopped the DS1, I couldn't login access manager console with any user. It looks like it is still trying to get authentication from DS1.
    Does anybody know what I am missing here?
    Regards,

    After hopeless tries, I finally made it work;) The trick was actually updating the sunKeyValue attribute of the entry:
    "dn: ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthLDAPService,ou=services,dc=company,dc=com" in one of the master DS I have.
    Even though I set DS2 and loadBalancer hosts in all conf files and in Primary LDAP conf in amconsole's Service Configuration, it just didn't work until I inserted loadBalancer host in sunKeyValue attribute.
    Hope it helps to someone....
    -Bora

  • Getting HTTP 500 Error When Trying To Authenticate Against LDAP Server (Active Directory)

    Hello,
    I am currently facing an issue when I try and use LDAP authentication in my Apex application as I am getting a HTTP 500 Internal Server Error message. For my authentication scheme I have used the pre-configured option of how to connect to an LDAP server and in my development environment this seems to be working fine but now I have deployed my application to our staging environment and I am getting the error. If I switch to the Application Express Authentication scheme then I don't get the error.
    I've had a look at the log file on the server and I see I am getting this error:
    [#|2015-03-31T16:19:11.254+0100|SEVERE|glassfish3.1.2|null|_ThreadID=21;_ThreadName=Thread-2;|JDBCException [kind=UNAVAILABLE]
        at oracle.dbtools.common.jdbc.JDBCException.wrap(JDBCException.java:99)
        at oracle.dbtools.common.config.db.DatabaseConfig.getConnection(DatabaseConfig.java:81)
        at oracle.dbtools.common.jdbc.ora.OraPrincipal.connection(OraPrincipal.java:69)
        at oracle.dbtools.apex.ModApexContext.getConnection(ModApexContext.java:372)
        at oracle.dbtools.apex.OWA.getStatement(OWA.java:536)
        at oracle.dbtools.apex.OWA.init(OWA.java:308)
        at oracle.dbtools.apex.ModApex.doPost(ModApex.java:138)
        at oracle.dbtools.apex.ModApex.service(ModApex.java:303)
        at oracle.dbtools.rt.web.HttpEndpointBase.modApex(HttpEndpointBase.java:347)
        at oracle.dbtools.rt.web.HttpEndpointBase.service(HttpEndpointBase.java:130)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
        at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1550)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
        at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
        at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
        at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
        at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:860)
        at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:757)
        at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1056)
        at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:229)
        at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
        at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
        at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
        at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
        at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
        at java.lang.Thread.run(Thread.java:662)
    Caused by: java.sql.SQLException: Exception occurred while getting connection: oracle.ucp.UniversalConnectionPoolException: All connections in the Universal Connection Pool are in use
        at oracle.ucp.util.UCPErrorHandler.newSQLException(UCPErrorHandler.java:488)
        at oracle.ucp.util.UCPErrorHandler.throwSQLException(UCPErrorHandler.java:163)
        at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:928)
        at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:863)
        at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:855)
        at oracle.dbtools.common.config.db.DatabaseConfig.getConnection(DatabaseConfig.java:71)
        ... 33 more
    Caused by: oracle.ucp.UniversalConnectionPoolException: All connections in the Universal Connection Pool are in use
        at oracle.ucp.util.UCPErrorHandler.newUniversalConnectionPoolException(UCPErrorHandler.java:368)
        at oracle.ucp.util.UCPErrorHandler.throwUniversalConnectionPoolException(UCPErrorHandler.java:49)
        at oracle.ucp.util.UCPErrorHandler.throwUniversalConnectionPoolException(UCPErrorHandler.java:80)
        at oracle.ucp.util.UCPErrorHandler.throwUniversalConnectionPoolException(UCPErrorHandler.java:131)
        at oracle.ucp.common.UniversalConnectionPoolImpl.borrowConnectionWithoutCountingRequests(UniversalConnectionPoolImpl.java:279)
        at oracle.ucp.common.UniversalConnectionPoolImpl.borrowConnection(UniversalConnectionPoolImpl.java:142)
        at oracle.ucp.jdbc.JDBCConnectionPool.borrowConnection(JDBCConnectionPool.java:157)
        at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:916)
        ... 36 more
    So it seems that every time I try and use LDAP I hit this error. Also after a while I have to re-start the Apex Listener for that domain. I have come across this thread: LDAP Authentication Question but I am not sure if the user got the problem solved or not.
    Our infrastructure is as follows:
    Database: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit
    Apex Listener: 2.0.3.221.10.13
    GlassFish Server Open Source Edition 3.1.2.2 (build 5)
    If anybody has any idea what is causing this that would be great.
    Cheers,
    Paul.

    Hi Colm,
    Thanks for getting back to me on this. I have downloaded and created a new ORDS server with 2.0.10 and while I don't get the error:
    Exception occurred while getting connection: oracle.ucp.UniversalConnectionPoolException: All connections in the Universal Connection Pool are in use 
    I am now getting the following (I have turned on the logging)
    No more data to read from socket java.sql.SQLRecoverableException: No more data to read from socket
    at oracle.jdbc.driver.T4CMAREngine.unmarshalUB1(T4CMAREngine.java:1157) at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:345)
    at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:223) at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:531)
    at oracle.jdbc.driver.T4CCallableStatement.doOall8(T4CCallableStatement.java:205)
    at oracle.jdbc.driver.T4CCallableStatement.executeForRows(T4CCallableStatement.java:1043)
    at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1336)
    at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePreparedStatement.java:3612)
    at oracle.jdbc.driver.OraclePreparedStatement.execute(OraclePreparedStatement.java:3713)
    at oracle.jdbc.driver.OracleCallableStatement.execute(OracleCallableStatement.java:4755)
    at oracle.jdbc.driver.OraclePreparedStatementWrapper.execute(OraclePreparedStatementWrapper.java:1378)
    at sun.reflect.GeneratedMethodAccessor1991.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at oracle.ucp.jdbc.proxy.StatementProxyFactory.invoke(StatementProxyFactory.java:230)
    at oracle.ucp.jdbc.proxy.PreparedStatementProxyFactory.invoke(PreparedStatementProxyFactory.java:124)
    at oracle.ucp.jdbc.proxy.CallableStatementProxyFactory.invoke(CallableStatementProxyFactory.java:101)
    at $Proxy432.execute(Unknown Source) at oracle.dbtools.apex.OWA.execute(OWA.java:145)
    at oracle.dbtools.apex.ModApex.handleRequest(ModApex.java:201)
    at oracle.dbtools.apex.ModApex.doPost(ModApex.java:152)
    at oracle.dbtools.apex.ModApex.service(ModApex.java:303)
    at oracle.dbtools.rt.web.HttpEndpointBase.modApex(HttpEndpointBase.java:350)
    at oracle.dbtools.rt.web.HttpEndpointBase.service(HttpEndpointBase.java:132)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
    at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1550)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
    at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
    at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
    at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:860)
    at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:757)
    at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1056)
    at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:229)
    at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
    at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
    at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
    at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
    at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
    at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
    at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
    at java.lang.Thread.run(Thread.java:662)    
    I can't see anything glaring that is causing this. I have also increased the Minimum Connections to 30 and Maximum Connections to 100 in the administration part of Configuring ORDS via SQL Developer and it still has no desired effect.
    The application works fine in our Development and Testing Environment but since I have ported it over to our production instance I am unable to log into it using my Active Directory credentials.
    Cheers,
    Paul.

  • How can portal use two different LDAP Server in UME

    Hi,
    My question is: can UME in portal be configured for multiple LDAP sources? Currently I have a setting in portal
    as follows:
    Server Name : Abcd
    port : 1234
    user : CN=" ",Ou=" ",Ou=" ",Dc=AD,Dc=my company,Dc=com
    password :
    user path : DC=AD,Dc=My company,Dc=Com
    group Path : same as user path
    I want to configure one more LDAP server in my portal UME; how can I give values for that in the above settings? I even want these current settings to remain enabled.
    Do anyone have idea on this.
    Thanks and Regards
    Rani A

    Hi again ,
    I know it can be done. But how urgent is this for you.
    I can get back to you in a couple of days; I'm a little busy today.
    cheers,
    Anu...

  • How do I add an objectclass to existing LDAP server entry using an ldif file?

    I am trying to fix an LDAP server that has been operating with schema check off. I need to add an objectclass to the groups so that some attributes that have been added to the groups will be "legal." From the documentation, the changetype: modify will allow the changing/adding of attributes that are already a part of the schema objects that define the entry. It does not look like I can add an objectclass with the modify operation.
    If this is the case, then how do I add an objectclass to an existing entry? Using the GUI is not possible since the directory server in question is not being managed with an admin server. Please tell me that I do not have to delete the groups and import them again with an LDIF file that has the new objectclass added.
    Kent

    See this post:
    http://softwareforum.sun.com/servlet/ProcessRequest?RHIVEID=181&RPAGEID=135&HOID=50B500000008000000636B0000&USEARCHCONTEXT_CATEGORY_0=_21_%24_7_&USEARCHCONTEXT_CATEGORY_S=0&UCATEGORY_0=_21_%24_7_&UCATEGORY_S=0
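An added example (not from the thread) for the step Kent is asking about. objectClass is an ordinary multi-valued attribute, so a "changetype: modify" with "add: objectClass" is how an existing entry gets a new class without deleting and re-importing it. The code parses one LDIF entry (unfolding continuation lines and decoding "::" base64 values), checks whether the class is already present, and emits the modify record. The group entry is constructed, and "siteMailGroup" is a hypothetical auxiliary class standing in for whatever class actually defines the attributes the groups acquired while schema checking was off.

```python
"""Build the LDIF modify record that adds an objectClass to an entry.

Added example, not from the original thread. SAMPLE_GROUP is constructed;
'siteMailGroup' is a hypothetical auxiliary objectClass.
"""
import base64
from typing import Dict, List, Optional, Tuple

SAMPLE_GROUP = """\
dn: cn=mailadmins,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: mailadmins
uniqueMember: uid=kent,ou=People,
 dc=example,dc=com
description:: TWFpbCBhZG1pbnM=
mailHost: mail.example.com
"""


def parse_ldif_entry(text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (dn, {attribute: [values]}) for a single LDIF entry."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # RFC 2849 folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = "", {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):             # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def values(attrs: Dict[str, List[str]], name: str) -> List[str]:
    """Attribute names are case-insensitive in LDAP; look them up that way."""
    for key, vals in attrs.items():
        if key.lower() == name.lower():
            return vals
    return []


def add_objectclass_ldif(dn: str, attrs: Dict[str, List[str]],
                         objectclass: str) -> Optional[str]:
    """LDIF for 'ldapmodify', or None when the class is already on the entry."""
    present = {v.lower() for v in values(attrs, "objectClass")}
    if objectclass.lower() in present:
        return None
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "add: objectClass",
        f"objectClass: {objectclass}",
        "-",                                  # terminates the mod-spec
        "",
    ])


if __name__ == "__main__":
    entry_dn, entry_attrs = parse_ldif_entry(SAMPLE_GROUP)
    print(add_objectclass_ldif(entry_dn, entry_attrs, "siteMailGroup"))
```

Feed the output to ldapmodify (for OpenLDAP: ldapmodify -x -H ldap://host -D "cn=Directory Manager" -W -f add-oc.ldif). With schema checking back on, the server rejects the change if the new class has MUST attributes the entry lacks, so add those in the same record as further "add:" mod-specs. Resist the shortcut of adding extensibleObject: it makes every attribute legal and so removes the check you are turning back on.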

  • How to use company users on existing ldap server as EP6.0 sp2  Users?

    Hi everybody
    Our company user data is on an LDAP server. We want to connect our EP6 UME to this existing LDAP server so that existing company users can access the Portal with their company id and password. What configuration should we do on the portal?
    thanks and regards
    Rajendra

    Hi!
    Look at Admin Guide:
    Administration Guide->Portal Platform->System Administration->User Management Configuration->Configuration of Data Sources Used for User Management->Defining an LDAP Directory as a Data Source
    WBR, Lnk

  • Can an LDAP server be its own client?

    In short yes, why would you want to do this? Many reasons, but mine is to be able to use ldap on laptops running Solaris and have them log into the machine with ldap credentials off the network. When we plug them back onto the network, I have a master server send any new data via one-way replication. I will give 2 separate ways to accomplish this. One is, to put it bluntly, a dirty hack to get it working. The second is much more elegant and it is the one I have stress tested to verify that it works.
    Disclaimer: I have only used these methods on Solaris 10 update 3 with Trusted Extensions using directory server 5.2 as well as the administration server. I have used a few different kinds of machines (all x86) and have not had a problem with it. I do not know if it will work on any other version or hardware. I haven't even looked at the source code; all assumptions made here are from observing the system's behavior while making minor changes.
    Now, the reason why normally you can't be your own client (at least as far as I can tell) is the way the system boots and the dependencies that the ldap/client service needs to start up. If you boot a machine that is its own client and ldap/client runs before the directory server starts, of course it will fail. The system boots the services first, then legacy init scripts. Directory Server 5.2 uses init scripts. Correct me if I am wrong, but that is the only real hurdle in your way.
    So the first way to get it 'working' (dirty hack) is to delay the ldap/client smf service from starting until the directory server is started. After you become a client of yourself (in this case the global zone) disable the ldap/client service.
    svcadm disable ldap/client
    Then enable it temporarily with the -t option
    svcadm enable -t ldap/client
    Well, if you were to reboot now it would not work because the service would not start at boot, because it is set to be administratively down. Edit the S72directory script in /etc/rc2.d and after the start commands just add the svcadm enable -t ldap/client command and it will load right after the directory server starts. Will this work? Yes. Is it a clean way to do it? NO. I used this method just for testing the theory that the only reason I could not be my own client was the booting issue.
    Now the best way that I can see to accomplish this is to create your own smf services for the directory server and admin server. That way all you have to do is add a dependency to the ldap/client xml file to wait until the new directory server service is started before it starts. So in /var/svc/manifest/site create a folder called ldap (I put this in site because I didn't want to run into any issues of patching). In /var/svc/manifest/site/ldap/ create two xml files named:
    quick note: These are the first services I have created. There may be a much better way to make them. If you can re-code it better, please let me know so I can look at them. Also there is no restart command in here (actually I just noticed that) so adding one of those would be wise.
    ds_admin.xml and directory_server.xml.
    ds_admin.xml contains:
    <?xml version="1.0"?>
    <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
    <!--
         Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
         Use is subject to license terms.
         ident     "@(#)client.xml     1.4     04/12/09 SMI"
         NOTE:  This service manifest is editable; its contents will not
         be overwritten by package or patch operations, including
         operating system upgrade.
    -->
    <service_bundle type='manifest' name='SUNWdsadmin:dsadmin'>
    <service
         name='site/ldap/ds_admin'
         type='service'
         version='1'>
         <create_default_instance enabled='false' />
         <single_instance />
         <dependency
             name='fs'
             grouping='require_all'
             restart_on='none'
             type='service'>
              <service_fmri value='svc:/system/filesystem/minimal' />
         </dependency>
         <dependency
             name='net'
             grouping='require_all'
             restart_on='none'
             type='service'>
              <service_fmri value='svc:/network/initial' />
         </dependency>
         <exec_method
             type='method'
             name='start'
             exec='/lib/svc/method/ds_admin start'
             timeout_seconds='120' >
              <method_context>
                   <method_credential user='root' group='sys' />
              </method_context>
         </exec_method>
         <exec_method
             type='method'
             name='stop'
             exec='/lib/svc/method/ds_admin stop'
             timeout_seconds='60' >
              <method_context>
                   <method_credential user='root' group='sys' />
              </method_context>
         </exec_method>
         <stability value='Unstable' />
         <template>
              <common_name>
                   <loctext xml:lang='C'>
                   LDAP Admin server      
                   </loctext>
              </common_name>
              <description>
                   <loctext xml:lang='C'>
    LDAP admin server
    Information Service lookups
                   </loctext>
              </description>
         </template>
    </service>
    </service_bundle>
    and directory_server.xml contains:
    <?xml version="1.0"?>
    <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
    <!--
         Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
         Use is subject to license terms.
         ident     "@(#)client.xml     1.4     04/12/09 SMI"
         NOTE:  This service manifest is editable; its contents will not
         be overwritten by package or patch operations, including
         operating system upgrade.
    -->
    <service_bundle type='manifest' name='SUNWds:ds'>
    <service
         name='site/ldap/directory_server'
         type='service'
         version='1'>
         <create_default_instance enabled='false' />
         <single_instance />
         <dependency
             name='usr'
             grouping='require_all'
             restart_on='none'
             type='service'>
              <service_fmri value='svc:/system/filesystem/minimal' />
         </dependency>
         <dependency
             name='net'
             grouping='require_all'
             restart_on='none'
             type='service'>
              <service_fmri value='svc:/network/initial' />
         </dependency>
      <dependency
                name='ds_admin'
                grouping='require_all'
                restart_on='none'
                type='service'>
                    <service_fmri
                        value='svc:/site/ldap/ds_admin' />
         </dependency>
         <exec_method
             type='method'
             name='start'
             exec='/lib/svc/method/directory_server start'
             timeout_seconds='120' >
              <method_context>
                   <method_credential user='root' group='sys' />
              </method_context>
         </exec_method>
         <exec_method
             type='method'
             name='stop'
             exec='/lib/svc/method/directory_server stop'
             timeout_seconds='60' >
              <method_context>
                   <method_credential user='root' group='sys' />
              </method_context>
         </exec_method>
         <stability value='Unstable' />
         <template>
              <common_name>
                   <loctext xml:lang='C'>
                   LDAP directory server      
                   </loctext>
              </common_name>
              <description>
                   <loctext xml:lang='C'>
    LDAP directory server
    Information Service lookups
                   </loctext>
              </description>
         </template>
    </service>
    </service_bundle>
    Now the start/stop scripts will be located in /lib/svc/method and are as follows:
    ds_admin
    #!/sbin/sh
    # SMF method script for the Directory Server admin server
    case "$1" in
         start)
              /usr/sbin/directoryserver start-admin
              ;;
         stop)
              /usr/sbin/directoryserver stop-admin
              ;;
         *)
              echo "Usage: $0 { start | stop }"
              exit 1
              ;;
    esac
    exit 0
    Simple, yes.
    directory_server
    #!/sbin/sh
    # SMF method script for the slapd instance named after this host
    HOST_NAME=`hostname`
    SERVER_ROOT=/var/opt/mps/serverroot
    DIRECTORY_SERVER_INSTANCE=slapd-${HOST_NAME}
    case "$1" in
         start)
              ${SERVER_ROOT}/${DIRECTORY_SERVER_INSTANCE}/start-slapd
              ;;
         stop)
              ${SERVER_ROOT}/${DIRECTORY_SERVER_INSTANCE}/stop-slapd
              ;;
         *)
              echo "Usage: $0 { start | stop }"
              exit 1
              ;;
    esac
    exit 0
    The only thing left to do is to modify the ldap/client SMF manifest so that it waits until the directory server has started before it loads.
    So edit /var/svc/manifest/network/ldap/client.xml and, right before the dependency for /var/ldap/ldap_client_file, add this:
    <dependency
                name='directory_server'
                grouping='require_all'
                restart_on='none'
                type='service'>
                    <service_fmri
                            value='svc:/site/ldap/directory_server' />
            </dependency>
    Any changes made to the /ldap/client xml file must be made after ALL zones have been installed. If this file is copied to a zone it will never work as the directory_server service is not loaded in the zones.
    Now what? You must remove the legacy init scripts in /etc/rc2.d. Those would be S72directory and S73mpsadm. No need to keep them around; alternatively, you can just change the capital 'S' to lower case and they won't start.
    You can now either use svccfg to validate and import the new services or you can reboot. Typically, I reboot and use the '-m verbose' option on boot to watch the services for any errors. I haven't had any lately, but on different systems I always watch to see if it behaves differently.
    That's it. I have rebooted all the machines many, many times without error. This of course does not address loading the directory server or adding users, the tnrhdb file, etc. We have scripted most of the loading, and once we get some error correction coded in I will post the scripts.
    Also, if you find any errors or even a better way to accomplish this, please post it.

    This restriction is only in terms of implementing the Solaris support for LDAP as a naming service. If the Solaris OS is configured to use LDAP as a naming service, it can't use an LDAP server running on the same host.
    The reason is that the LDAP server makes naming service calls before it gets fully started up. If the OS wants to use the LDAP server for the naming service, then a deadlock happens, where the LDAP server's gethostbyname() call can't complete because the LDAP server isn't up.
    It is possible to configure the Solaris naming resolution to avoid this problem. I've got a system set up this way myself. Regardless, the official support channels won't support a system set up this way, so if you do this you do it at your own risk.

  • Error in authentication with ldap server with certificate

    Hi,
    I have a problem with authentication against an LDAP server with a certificate.
    Here I am using the Java API to authenticate.
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
    I issued a new certificate which is valid for up to 5 years.
    Will Java only authenticate for up to one year?
    Can anybody help with this issue?
    Regards
    Ranga

    Sorry, I am getting the same error:
    javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
    When I use the old certificate and change the system date, I can get authentication.
    Can you tell me where to concentrate to solve the issue?
    Where is the issue:
    1. need to check with the LDAP server only
    2. problem in the Java code only
    thanks in advance
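The "timestamp check failed" error in the thread above is raised by PKIX path validation, which checks the validity window of every certificate on the path: the server certificate, any intermediate, and the CA certificate sitting in the trust store. Reissuing the server certificate therefore does not help when the CA certificate that anchors it has itself expired. The following added example (not code from this thread) walks either a PEM or DER file given on the command line, or, with no argument, the JVM's default trust anchors, and reports which certificates are expired or not yet valid. It assumes Java 8 or later; the class name CertValidityCheck and the file argument are my own choices.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Reports which certificates would fail the PKIX timestamp check.
 * Usage: java CertValidityCheck [chain.pem|cert.der]
 * With no argument it walks the JVM's default trust store instead.
 */
public class CertValidityCheck {

    /** Loads every certificate in a PEM or DER file (a PEM file may hold a whole chain). */
    static List<X509Certificate> loadFromFile(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (java.security.cert.Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    /** Collects the CA certificates the JVM trusts by default (cacerts or javax.net.ssl.trustStore). */
    static List<X509Certificate> loadDefaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = use the JVM's default trust store
        List<X509Certificate> out = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    out.add(c);
                }
            }
        }
        return out;
    }

    /** Returns "ok", "expired" or "not-yet-valid" for one certificate, as of now. */
    static String validityState(X509Certificate c) {
        try {
            c.checkValidity();
            return "ok";
        } catch (CertificateExpiredException e) {
            return "expired";
        } catch (CertificateNotYetValidException e) {
            return "not-yet-valid";
        }
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> certs =
                args.length > 0 ? loadFromFile(args[0]) : loadDefaultTrustAnchors();
        int bad = 0;
        for (X509Certificate c : certs) {
            String state = validityState(c);
            if (!state.equals("ok")) bad++;
            System.out.printf("%-13s %s  [%s .. %s]%n", state,
                    c.getSubjectX500Principal().getName(), c.getNotBefore(), c.getNotAfter());
        }
        System.out.println(bad == 0
                ? "all certificates are within their validity window"
                : bad + " certificate(s) would fail the PKIX timestamp check");
    }
}
```

Run it once against the server's certificate chain and once with no argument against the trust store the application actually uses (set javax.net.ssl.trustStore on the command line if it is not the default cacerts); an "expired" line in the second run is the case the thread's poster was hitting, where the new five-year server certificate is fine but the anchor that signed it is not.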

  • Sample connecting to LDAP Server in Java

    Hi,
    I am trying to establish SSL from a Java application (via Netscape Directory SDK 4.0, Java version) to the Directory Server (ADS) in a secure manner, i.e. LDAP over SSL.
    I am trying to run this code...
    LDAPConnection ld = null;
    LDAPModificationSet attrs = new LDAPModificationSet();
    attrs.add(LDAPModification.REPLACE, new LDAPAttribute("unicodePwd", "testpassword"));
    try {
        LDAPSSLSocketFactory ssl = new LDAPSSLSocketFactory();
        ld = new LDAPConnection(ssl);
        /* Connect to server */
        ld.connect("10.10.10.7", 636);
        /* Authenticate to the server as directory manager */
        ld.authenticate(adminDN, password);
        /* Now modify the entry in the directory */
        ld.modify(userDN, attrs);
    } catch (Exception e) {
        e.printStackTrace();
    }
    But I don't know where my program reads the certificate info. I don't know if I have to import my internal CA via keytool or whether I have missed some special configuration.
    When I run this code, the following error appears:
    netscape.ldap.LDAPException: Failed to create SSL socket (91); Cannot connect to the LDAP server
    at netscape.ldap.LDAPSSLSocketFactory.makeSocket(LDAPSSLSocketFactory.java:309)
    at edu.umassmed.chcf.security.ldap.LDAPHelper.setLDAPPassword(LDAPHelper.java:742)
    at edu.umassmed.chcf.security.administration.userhandler.UserHandlerBean.changePassword(UserHandlerBean.java:628)
    at edu.umassmed.chcf.security.administration.userhandler.UserHandlerBean_37ncs1_ELOImpl.changePassword(UserHandlerBean_37ncs1_ELOImpl.java:409)
    at edu.umassmed.chcf.security.administration.userfacade.UserManagerBean.changePassword(UserManagerBean.java:174)
    at edu.umassmed.chcf.security.administration.userfacade.UserManagerBean_3chmth_EOImpl.changePassword(UserManagerBean_3chmth_EOImpl.java:501)
    at edu.umassmed.chcf.sbb.action.ChangePasswordAction.perform(ChangePasswordAction.java:114)
    at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:510)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:265)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:200)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:2495)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2204)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
    LDAPHelper - authenticateUser() - expLDAP.toString() netscape.ldap.LDAPException: Failed to create SSL socket (91); Cannot connect to the LDAP server
    Is this possible? If so, what hints can you give me to get started (any sample code would be greatly appreciated).
    Thanks in advance.
    With Regards,
    Gokul.

    Hey guys, I was struggling with the same thing and finally found this solution. Use:
    import netscape.ldap.*;
    import netscape.ldap.factory.JSSESocketFactory;

    try {
        // pass null unless you want to specify particular ciphers in the constructor
        JSSESocketFactory fact = new JSSESocketFactory(null);
        log("Factory created");
        LDAPConnection ld = new LDAPConnection(fact);
        log("Connection initialised");
        ld.connect(MY_HOST, MY_PORT);
        log("Connected");
        ld.authenticate(user, pwd);
        log("Authenticated!");
    } catch (LDAPException e) {
        log("LDAP failure: " + e);
    }
    Before running this, I used the "keytool" command-line utility to import the SSL client certificate into my default trustStore as a trusted cert. Don't know if that's required, but it worked :) Hope this helps.

  • Error while connecting to the LDAP server

    In the LDAP server, I have configured an OU with the following characters:
    OU=Administración.
    Now when I try to connect to the LDAP server from my application, I get the following exception.
    [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0]
    javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0]
         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
    When I searched for this, I found this link (http://esupport.trendmicro.com/solution/en-us/1037285.aspx/) saying some accented characters are not converted correctly into 8-bit Unicode Transformation Format (UTF-8).
    Here I have used URLEncoder.encode(mySearchbase, "UTF-8"); to encode the special characters into UTF-8.
    I would like to know whether it's a known issue with accented characters or whether I missed something else here to handle those characters.
    Thanks,
    -Konanki

    Well, if you're passing an array of bytes to that LDAP access code, then that isn't the right way to encode a String to an array of bytes in UTF-8 encoding. And anyway it's been a long time since I wrote LDAP access code, but I don't recall having to pass arrays of bytes to any of those JNDI classes, so that idea is probably wrong in any case.
    I would suggest, if that page you linked to is actually relevant, that you just install the hot-fix it refers to. On the other hand if it doesn't actually apply to your situation, then you should just ignore it.
    My guess is that UTF-8 or not, your OU value on the server is in fact not "Administración" -- that's based on the number of mis-encoded characters I see there. So perhaps what you are passing to the JNDI classes does in fact not match the server's value and it isn't an encoding issue at all.
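Two things in the exchange above can be checked mechanically. First, the "data 52e" field that Active Directory appends to an error 49 is a documented sub-code meaning the bind DN and password did not match an entry, which is the point the reply is making: it is a credential mismatch, not an encoding failure on the wire. Second, URLEncoder produces percent-escapes ("%C3%B3") that JNDI then sends literally as part of the DN; a DN value is escaped per RFC 4514, and non-ASCII characters are left as they are because JNDI encodes the Java String as UTF-8 itself. The following added example (not code from this thread) decodes the AD sub-code from an error message and shows an RFC 4514 value escaper next to the URLEncoder output for the OU in question. It assumes Java 10 or later; the class name AdBindDiagnostics and the sample DN suffix dc=example,dc=com are my own.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Diagnostic helpers for LDAP bind failures against Active Directory. */
public class AdBindDiagnostics {

    /** Well-known sub-codes AD reports in the "data NNN" field of an error 49 (invalidCredentials). */
    static final Map<String, String> AD_DATA_CODES = Map.of(
            "525", "user not found",
            "52e", "invalid credentials (bind DN/password do not match an entry)",
            "530", "not permitted to logon at this time",
            "531", "not permitted to logon from this workstation",
            "532", "password expired",
            "533", "account disabled",
            "701", "account expired",
            "773", "user must reset password",
            "775", "account locked out");

    private static final Pattern DATA_CODE = Pattern.compile("\\bdata ([0-9a-fA-F]+)");

    /** Explains an AD error-49 message; returns null if it carries no "data NNN" field. */
    static String explain(String ldapErrorMessage) {
        Matcher m = DATA_CODE.matcher(ldapErrorMessage);
        if (!m.find()) return null;
        String code = m.group(1).toLowerCase();
        return code + ": " + AD_DATA_CODES.getOrDefault(code, "unknown sub-code");
    }

    /**
     * Escapes one attribute value for use inside a DN string (RFC 4514 section 2.4):
     * backslash-escape " + , ; < > \ anywhere, '#' and space at the start, space at the end,
     * and NUL as \00. Non-ASCII characters such as "ó" are passed through unchanged.
     */
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char ch = value.charAt(i);
            boolean leading = (i == 0);
            boolean trailing = (i == value.length() - 1);
            if (ch == '\0') {
                sb.append("\\00");
                continue;
            }
            if ("\"+,;<>\\".indexOf(ch) >= 0
                    || (leading && (ch == '#' || ch == ' '))
                    || (trailing && ch == ' ')) {
                sb.append('\\');
            }
            sb.append(ch);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the message quoted in the thread above.
        String msg = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
                + "comment: AcceptSecurityContext error, data 52e, v1db0]";
        System.out.println(explain(msg));   // 52e: invalid credentials (...)

        String ou = "Administración";
        System.out.println("RFC 4514 DN : ou=" + escapeDnValue(ou) + ",dc=example,dc=com");
        System.out.println("URLEncoder  : ou=" + URLEncoder.encode(ou, StandardCharsets.UTF_8)
                + "  <- wrong: the %-escapes are sent literally and match no entry");
        System.out.println("with comma  : ou=" + escapeDnValue("Sales, EMEA") + ",dc=example,dc=com");
    }
}
```

The sub-code table is the place to look before touching encoding: 52e points at the bind identity or password, 532/773 at password lifecycle, 533/775 at account state, each of which is fixed on the directory side rather than in the client. If explain() returns 52e for a bind whose password is known to be right, compare the bind DN byte for byte with the entry's actual DN, which is exactly the comparison the reply above suggests.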

  • "untrusted server cert chain" exception while connecting LDAP server

    While connecting to the LDAP server using JNDI over JSSE, this is happening when trying to get the initial context using
    InitialDirContext initContext = new InitialDirContext(env);
    where env is a hash table set with the default parameters. The certificate used is a Novell CA certificate converted to X509 format, and the key store is initialized with this.

    This got resolved when the following was added to the code:
    System.setProperty("javax.net.ssl.trustStore", CertFileName);
    where CertFileName is the file name with the complete path. The file is the CA certificate of the LDAP server in X509 format.
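Both the Netscape SDK reply with JSSESocketFactory and the JNDI fix just above come down to the same thing: JSSE validates the server's chain against a trust store, so an internal CA must be placed into that trust store before the handshake can succeed. The following added example (not code from either thread) does the same bind with plain JNDI rather than the Netscape SDK, over an ldaps:// URL, with javax.net.ssl.trustStore pointing at a JKS keystore created beforehand with keytool (the property expects a keystore, not a bare certificate file). The class name LdapsBind, the argument order and the example host ldap.example.com are my own.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Simple bind to an LDAP server over LDAPS (port 636) with JNDI, trusting only the
 * CA certificate held in a JKS trust store created beforehand with keytool, e.g.:
 *   keytool -importcert -alias ldap-ca -file ca.pem -keystore ldap-truststore.jks
 *
 * Usage: java LdapsBind ldaps://ldap.example.com:636 "cn=Directory Manager" secret ldap-truststore.jks changeit
 */
public class LdapsBind {

    /** Opens an authenticated LDAPS context; the caller must close() it. */
    static DirContext connect(String url, String bindDn, String password,
                              String trustStorePath, String trustStorePassword) throws NamingException {
        // Point JSSE at the trust store that holds the server's CA certificate. Without this,
        // JSSE falls back to the JVM's default cacerts and an internal CA is "untrusted".
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);             // ldaps:// makes JNDI start TLS on connect
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password); // only ever sent inside the TLS session
        return new InitialDirContext(env);               // connects and binds here
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: LdapsBind <ldaps-url> <bind-dn> <password> <truststore.jks> <truststore-password>");
            System.exit(2);
        }
        DirContext ctx = connect(args[0], args[1], args[2], args[3], args[4]);
        try {
            System.out.println("bind OK as " + ctx.getEnvironment().get(Context.SECURITY_PRINCIPAL));
        } finally {
            ctx.close();
        }
    }
}
```

The two failure classes seen in the threads above are distinguishable from the exception type alone: a chain that does not validate (untrusted CA, or an expired certificate on the path) surfaces during connect as javax.naming.CommunicationException wrapping an SSLHandshakeException, whereas a wrong bind DN or password surfaces after the handshake as javax.naming.AuthenticationException carrying LDAP error code 49. Passing the bind password on the command line is only for this demonstration; in a deployed service it belongs in a credential store read at start-up.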
