GAL LDAP Lookup

I was wondering if anyone could comment on whether the following is possible. We are one of many sub-organizations within a parent organization. Each sub-organization is completely independent, with separate LDAP forests and E-mail servers.
The parent has a central LDAP server that is used for E-mail address lookups for all sub-organizations. Within Exchange 2013, is it possible to create a separate GAL that points to the central LDAP server via LDAP query? Ideally, what we are looking to do is have one GAL that only contains the contacts in our sub-organization and a second GAL that queries the parent organization LDAP server that contains all sub-organizations' contacts.
I know that in Outlook we can configure a second address book that does do an LDAP lookup; however, I have not found a way to configure this via GPO, other than pushing out reg settings. Also, this does not allow access to the parent organization GAL via OWA.
Any help is appreciated.

Hi,
We can try to use an Address Book Policy to create different GALs for the parent organization and sub-organizations.
Address book policies (ABPs) in Exchange allow you to segment users into specific groups to provide customized views of your organization’s global address list (GAL). You can apply the ABP to mailbox users, providing them with access to a customized GAL in Outlook and Outlook Web App.
For more information about Address Book Policies, please refer to:
http://technet.microsoft.com/en-us/library/jj657455(v=exchg.150).aspx
Regards,
Winnie Liang
TechNet Community Support

Similar Messages

  • JMX example LDAP lookup not working

    Hi,
    Section 4.4 of JMX tutorial has several examples of Server.java using LDAP lookup services. I'm trying to run the RMI connector over JRMP without an external directory. Here are the command and its results (with additional tracing):
    $ java -classpath . -Xdebug -Ddebug=true -Dagent.name=test-server-a -Durl="service:jmx:rmi://" -Djava.naming.provider.url="$provider" -Djava.naming.security.principal="$principal" -Djava.naming.security.credentials="$credentials" jndi.Server
    Creating MBeanServer...
    Creating Connector: service:jmx:rmi://
    In rmi()
    Context.SECURITY_CREDENTIALS is: java.naming.security.credentials
    Entry: java.naming.security.authentication simple
    Entry: java.naming.provider.url ldap://localhost:389/dc=Test
    Entry: java.naming.security.principal cn=Manager,dc=test
    Entry: jmx.remote.jndi.rebind true
    Entry: java.naming.security.credentials secret
    Creating RMI Connector: service:jmx:rmi://
    In start()
    In getRootContext()
    java.naming.provider.url=ldap://localhost:389/dc=Test
    java.naming.security.principal=cn=Manager,dc=test
    java.naming.security.credentials=******
    In register()
    dn: cn=test-server-a
    Unexpected exception caught in main: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - objectClass: value #1 invalid per syntax]; remaining name 'cn=test-server-a'
    javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - objectClass: value #1 invalid per syntax]; remaining name 'cn=test-server-a'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2998)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:770)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
    at jndi.Server.register(Server.java:238)
    at jndi.Server.start(Server.java:396)
    at jndi.Server.rmi(Server.java:364)
    at jndi.Server.main(Server.java:492)
    I'm using OpenLDAP (with Cygwin) on a Windows XP machine. I have also rmiregistry running in the background. Since I'm executing slapd -d -1, OpenLDAP shows that it is encountering the error here:
    conn=0 op=3 ADD dn="cn=test-server-a,dc=Test"
    send_ldap_result: conn=0 op=3 p=3
    send_ldap_result: err=21 matched="" text="objectClass: value #1 invalid per syntax"
    send_ldap_response: msgid=4 tag=105 err=21
    ber_flush: 54 bytes to sd 8
    ldap_write: want=54, written=54
    conn=0 op=3 RESULT tag=105 err=21 text=objectClass: value #1 invalid per syntax
    Does this mean there is a configuration problem with OpenLDAP (something missing in the schema)? Or does the problem lie elsewhere? Your guidance will be highly appreciated. Thanks!

    Hello,
    I am using example at http://www.cris.com/~adhawan/tutorial/ with OpenLDAP on WinXP.
    I am getting the following error message when I execute the MakeRoot java class:
    javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - objectClass: value #0 invalid per syntax]; remaining name 'o=jndiTest'
    Please help.
    Regards,
    Atul Mathur

  • Secure LDAP lookup with 2005Q4 Outlook Connector 7 not working

    Hello all,
    I have Sun Java(TM) System Directory Server/5.2_Patch_4 B2005.230.0041 (64-bit) installed and the latest 2005Q4 Calendar, Messaging and UWC Server. When testing the Outlook Connector, I can get the 2005Q1 version 7 connector to work just fine with all features. I uninstalled the 2005Q1 connector and installed the 2005Q4 connector into a new profile and everything works except if I try to make the LDAP lookups secure for the global address list. Changing the port to 636 for LDAP causes Outlook to time out on the lookup. I checked the directory server logs and noticed that the secure connection is being made without errors, but after a minute an ABANDON operation takes place on the secure connection and Outlook gives up. When using port 389 for lookups, the Connector has no issues.

    Jay,
    I think I found the fix. I upgraded the 2005Q1 -> 2005Q4 Sun Java Connector Deployment Tool. After I uninstalled the deployment tool and then reinstalled the 2005Q4 I was able to create an .exe and create an Outlook profile that did not have any LDAP over SSL problems.

  • NAC Appliance and LDAP Lookup

    Hello,
    I have two CAMs in HA and two CASs in HA.
    I configured the LDAP Lookup to create rules for role allocation.
    In this configuration there is only one Windows server used to look up the user properties.
    There is a problem when this Windows server is down. Is there any configuration to mitigate the case when the server is not available?
    Thank you all.

    The LDAP lookup server configs state it uses the LDAP Authentication Provider. The LDAP Authentication Provider says you can have multiple entries in the single field
    LDAP
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_auth.html#wp1158614
    You can add redundancy for LDAP Authentication servers by entering multiple LDAP URLs in the Server URL field separated by a space, for example:
    ldap://ldap1.abc.com ldap://ldap2.abc.com ldap://ldap3.abc.com

  • Does JNDI cache physical IP address on ldap lookups?  And How to stop it?

    We are using Oracle's 11.1.0.6 thin jdbc driver using the 'ldap lookup' syntax for database connect string lookups. The ldap server we specify is a DNS alias pointing to a hardware server load balancer, which returns different IP addresses based on load and current availability. During maintenance, we will remove a server from the load balancing rotation, but applications will continue to try connecting to this physical IP address even though DNS is no longer serving it up as a valid address. This causes continuous application failures until either the server is brought back up or the application is bounced. Only the application needs to be bounced, not the websphere or the physical server, so the caching is not being done at the server level.
    We've used the tracing capabilities in the 11g jdbc driver to trace the fact that Oracle is passing in the DNS alias name and not an IP address to the JNDI interface, so it appears the caching is occurring at the JNDI level. Unfortunately, tracing is not detailed enough to show exactly what JNDI calls are being made.
    Are there any JNDI attributes that can be set to stop JNDI from caching this IP address and force it to re-evaluate the new DNS lookup at each invocation?
    We already know Oracle's jdbc thin driver supports specifying secondary failover ldap lookup strings, but this IP address is also getting cached, so while this will reduce the frequency of errors, it won't eliminate the problem, especially if a server is removed from the load balancing rotation permanently.

    - Reset the iOS device. Nothing will be lost
    Reset iOS device: Hold down the On/Off button and the Home button at the same time for at
    least ten seconds, until the Apple logo appears.
    - Power off and then back on the router
    - Reset network settings: Settings>General>Reset>Reset Network Settings
    - iOS: Troubleshooting Wi-Fi networks and connections
    - iOS: Recommended settings for Wi-Fi routers and access points
    - Restore from backup. See:
    iOS: How to back up
    - Restore to factory settings/new iOS device.
    Do you have this problem with other networks/routers/access points? If not then that points to a problem with your network.

  • MTA Direct LDAP Lookup Configuration

    Does the MTA Direct LDAP Lookup permit the use of the short login under a multiple domain configuration?

    Selim:
    Direct LDAP only applies to the "MTA" portion of Messaging Server. That means SMTP processing.
    Usually, "short form login" is talking about logging in to get messages, via IMAP, POP, or HTTP.
    To get "short form", or login without domain portion of User_ID, you need to use the MMP, as it can provide the long form to the mail store.

  • LDAP Lookup / Network Address sometimes populates with TCP

    Our development team has configured our local intranet to do LDAP searches against our tree, thus eliminating the need for users to log in. They're doing an IP lookup and then retrieving the user name. What happens very rarely is that the "Network address" field under the Environment tab within ConsoleOne will display "TCP:" followed by the user's IP address.
    When this happens (it's rare), the lookup fails. The typical results display "IP:" followed by the user's IP address. This always works. Here's the code that is doing the LDAP query:
    $sLDAPQuery = ldap_search($sLDAPConn, "o=XYZ", "(networkaddress=1#$sIPAddress)");
    Where "(networkaddress=1#$sIPAddress)" is the search string, $sIPAddress being the HEX value of the IP.
    My question is, is there a way for me to eliminate the return value of TCP? Does anyone have any other pointers or potential workarounds for this? Like something that would still allow the IP lookup to succeed when TCP is presented instead of IP?
    Thanks for your help,
    Ryan

    ryan r sd 2 wrote:
    > My question is, is there a way for me to eliminate the return value of
    > TCP? Does anyone have any other pointers or potential workarounds for
    > this? Like something that would still allow the IP lookup to succeed
    > when TCP is presented instead of IP?
    There are different types of network addresses (as defined by that first
    number in the returned string). So, your dev folks need to decode
    according to the type of address that is being returned, and not just
    assume it's always IP (i.e. 1).
    Peter
    eDirectory Rules!
    http://www.DreamLAN.com

  • LDAP lookup NOT Integration?

    Hi,
    A problematic AD integration has been rolled back to the local DC Directory.
    However, is it possible to simply have an AD lookup for the IP phones rather than the full AD integration?

    Not sure why everyone keeps going on and on and on about ccm 5.0... but it's not out yet. If you have a copy or are using, you are fairly brave or are in beta. For all other CCM 4.x... I would recommend bypassing the local cisco ldap and the AD integration, unless you are using the AD integration for Extension Mobility..... even then it's a pain.
    We have been using the Citrix Application Gateway at my current client and it's really nice. It basically is an LDAP bridge between your AD, LDAP, META, multidomains and CallManager. A couple of configs on CallManager and you have a completely integrated Corporate Directory pulling from your AD or even a txt file. The Citrix box basically caches everything locally and serves it to CCM via XML. It's very fast, very flexible in the fields you can populate, and the spelling is amazing. For instance, Cisco's LDAP makes you press the "7" key 4 times to get the letter "S"... with the Citrix box, just keep spelling the name on the keypad and it narrows down to either the name or a list of names to select from. We have 2000 names in our directory and I can look up a name in about 6 seconds and then dial it.
    Anyways... I'm not a sales person, but this has helped me on this rollout 3 fold.

  • LDAP lookup in Calendar?

    Does Calendar have the capability to search LDAP when I'm trying to add someone in the invite?

    You can change the password on the account, and change the ASA configuration straight after you change the password.
    For those who are already connected via VPN, they will not be affected. For those who are trying to connect at the same time will be affected while password is being changed.
    However, as soon as the password is changed on your account, you can change the ASA configuration to reflect the new password and tested the account via the ASA test tool to make sure that the new password is authenticating correctly, and that should be all.
    Hope that makes sense.

  • LDAP lookup using 8.1.7

    I would like to perform an LDAP query using a Java Stored Procedure. My code works outside of Oracle, but not from within.
    I receive the following message:
    Cannot instantiate class: oracle.aurora.namespace.InitialContextFactoryImpl
    I make ref. to this object from the following code:
    Hashtable env = new Hashtable();
    env.put (Context.INITIAL_CONTEXT_FACTORY,"oracle.aurora.namespace.InitialContextFactoryImpl");
    env.put(Context.PROVIDER_URL,strLDAPURL);
    DirContext ctx = new InitialDirContext(env);
    I am new to developing Java Stored Procedures.
    Thanks.

    more info.
    We can get DBMS_LDAP to retrieve the information we need. What does DBMS_LDAP use that Java can not?

  • Bulk LDAP lookup of users

    Hi,
    What is the best way to perform a bulk lookup of users by DN? I am implementing an API and there could possibly be hundreds or thousands of DNs passed in as an array. I assume that iterating over each one and performing a separate search is not the best way to go about this, despite any connection pooling that is configured. Is there a way to construct a filter string to accomplish this? Is there a size restriction on the length of a search filter?
    Thanks in advance for your help.
    Jen

    ya ..a very lengthy Search filter is causing problems for me in Oracle Internet Directory. Any specifications on the restrictions for search filter, I mean the length

  • Transparent lookup of LDAP user properties

    Hi -
    Our developers are using OC4J container security with JAZNUserManager and OID. All is working fine from a security point of view (getRemoteUser, isUserInGroup), but for some properties of the user object (eg email), they are doing a separate ldap lookup. This seems out of sorts to me, dispensing with the mechanics of the security model only to implement it again for something as simple as a property lookup.
    Is there a mechanism available to transparently get at these properties?

    in your domain definition (dc=domain), use the mailRoutingSmartHost attribute. That should do it.

  • Outlook Connector shared calendar lookup doesn't work for non-admins

    First the version info:
    JMS 6.2-8.04, Directory Server 5.2, Connector 7.2.402.1
    Non-admin users are not able to retrieve a list of users from the GAL with Outlook Connector. I, as an admin, do get the list. Here is the access log for a non-admin user. Note that in the RESULT, nentries is always zero.
    mwilson=535258100062018 (non-admin)
    -bash-3.00$ grep -i "conn=425940" access.20080923-112603
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=-1 msgId=-1 - fd=93 slot=93 LDAP connection from 209.152.33.8 to 10.10.3.3
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=0 msgId=1 - BIND dn="uid=535258100062018,ou=people,o=pcc.edu,o=cp" method=128 version=3
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=535258100062018,ou=people,o=pcc.edu,o=cp"
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="cn mail uid objectClass"
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=1 msgId=2 - SORT cn
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=1 msgId=2 - VLV 1:1:1:0 2:19201 (0)
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=2 msgId=3 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=2 msgId=3 - SORT cn
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=2 msgId=3 - VLV 0:8:0:0 1:19201 (0)
    [23/Sep/2008:11:37:25 -0700] conn=425940 op=2 msgId=3 - RESULT err=0 tag=101 nentries=0 etime=0
    [23/Sep/2008:11:39:26 -0700] conn=425940 op=3 msgId=4 - UNBIND
    [23/Sep/2008:11:39:26 -0700] conn=425940 op=3 msgId=-1 - closing - U1
    [23/Sep/2008:11:39:26 -0700] conn=425940 op=-1 msgId=-1 - closed.
    Next, I followed the steps outlined in http://docs.sun.com/app/docs/doc/819-5200/gbnse?l=en&a=view&q=shared+calendar+ldap+lookup.
    I set service.wcap.userprefs.ldapproxyauth = "yes"
    I have the ACI entries as specified in that document.
    (targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
    (targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
    (version 3.0;acl "Allow Calendar administrators to proxy - product=ics,class=admin,num=2,version=1";
    allow (proxy)(groupdn = "ldap:///cn=Calendar Administrators, ou=Groups, o=cp");)
    (targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
    (targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
    (version 3.0;
    acl "Allow Calendar users to read and search other users - product=ics,class=admin,num=3,version=1";
    allow (read,search)
    (userdn = "ldap:///uid=*,ou=People,o=pcc.edu,o=cp")
    The only oddity I see is that the ACI entries are not passed down to the next directory levels.
    Any thoughts?
    David.

    I reviewed the document and I believe the VLV browsing indexes are setup and functional. I've also checked the ACI entries and they look correct. (The document doesn't mention the ACI entries for proxy authentication.) As I said, an admin user can retrieve names from the GAL, a non-admin user cannot. The only difference in the access log is the returned nentries value.
    ./ldapsearch -h vmpt1 -p 389 -D "uid={uid},ou=People,o=pcc.edu,o=cp" -w {passwd} \
    -b "ou=People,o=pcc.edu,o=cp" -x -s "sub" -S "cn" \
    -G "1:1:dpelinka" "pdsRole=Employee" uid
    results for admin user
    -bash-3.00$ grep "conn=838261" access
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=-1 msgId=-1 - fd=165 slot=165 LDAP connection from 10.10.3.5 to 10.10.3.3
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=0 msgId=1 - BIND dn="uid=311914191753070,ou=People,o=pcc.edu,o=cp" method=128 version=3
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=311914191753070,ou=people,o=pcc.edu,o=cp"
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=1 msgId=2 - SORT cn
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=1 msgId=2 - VLV 1:1:dpelinka 4799:19235 (0)
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=1 msgId=2 - RESULT err=0 tag=101 nentries=3 etime=0
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=2 msgId=3 - UNBIND
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=2 msgId=-1 - closing - U1
    [25/Sep/2008:14:30:30 -0700] conn=838261 op=-1 msgId=-1 - closed.
    results for non-admin user:
    -bash-3.00$ grep "conn=839346" access
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=-1 msgId=-1 - fd=226 slot=226 LDAP connection from 10.10.3.5 to 10.10.3.3
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=0 msgId=1 - BIND dn="uid=299899598658566,ou=People,o=pcc.edu,o=cp" method=128 version=3
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=299899598658566,ou=people,o=pcc.edu,o=cp"
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=1 msgId=2 - SORT cn
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=1 msgId=2 - VLV 1:1:dpelinka 4799:19235 (0)
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=2 msgId=3 - UNBIND
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=2 msgId=-1 - closing - U1
    [25/Sep/2008:14:32:47 -0700] conn=839346 op=-1 msgId=-1 - closed.
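
The comparison made by hand in the thread above (same search, different bind DN, different `nentries`) can be automated. This is an added example, not code from the posters or from Sun: the function names are hypothetical, the parser assumes only the log layout visible in the posts, and the sample lines are copied from the second post.

```python
import re
from collections import defaultdict

# Access-log lines copied from the post above: two connections, same search.
SAMPLE_LOG = """\
[25/Sep/2008:14:30:30 -0700] conn=838261 op=0 msgId=1 - BIND dn="uid=311914191753070,ou=People,o=pcc.edu,o=cp" method=128 version=3
[25/Sep/2008:14:30:30 -0700] conn=838261 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=311914191753070,ou=people,o=pcc.edu,o=cp"
[25/Sep/2008:14:30:30 -0700] conn=838261 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
[25/Sep/2008:14:30:30 -0700] conn=838261 op=1 msgId=2 - RESULT err=0 tag=101 nentries=3 etime=0
[25/Sep/2008:14:32:47 -0700] conn=839346 op=0 msgId=1 - BIND dn="uid=299899598658566,ou=People,o=pcc.edu,o=cp" method=128 version=3
[25/Sep/2008:14:32:47 -0700] conn=839346 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=299899598658566,ou=people,o=pcc.edu,o=cp"
[25/Sep/2008:14:32:47 -0700] conn=839346 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
[25/Sep/2008:14:32:47 -0700] conn=839346 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(-?\d+) msgId=-?\d+ - (\w+)(.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(rest):
    """Turn 'err=0 dn="..."' into a dict, handling quoted and bare values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(rest)}


def parse_access_log(text):
    """Return one record per completed search, attributed to the bound DN."""
    pending_binds = {}   # (conn, op) -> DN awaiting a successful RESULT
    binds = {}           # conn -> DN of the last successful bind
    searches = {}        # (conn, op) -> search parameters awaiting RESULT
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conn, op, verb, rest = m.groups()
        fields = parse_fields(rest)
        key = (conn, op)
        if verb == "BIND":
            pending_binds[key] = fields.get("dn", "").lower()
        elif verb == "SRCH":
            searches[key] = {"base": fields.get("base", "").lower(),
                             "filter": fields.get("filter", "")}
        elif verb == "RESULT":
            err = int(fields.get("err", -1))
            if key in pending_binds:
                dn = pending_binds.pop(key)
                if err == 0:          # only a successful bind sets identity
                    binds[conn] = dn
            elif key in searches:
                rec = searches.pop(key)
                rec.update(bind_dn=binds.get(conn, "anonymous"), err=err,
                           nentries=int(fields.get("nentries", 0)))
                results.append(rec)
    return results


def find_acl_discrepancies(results):
    """Flag searches that succeed for some identities but are empty for others.

    err=0 with nentries=0 for one DN, while the same base and filter return
    entries for another DN, points at access control rather than at the query.
    VLV and sort controls are ignored here, as in the manual comparison.
    """
    by_query = defaultdict(dict)   # (base, filter) -> {bind_dn: max nentries}
    for r in results:
        if r["err"] != 0:
            continue
        seen = by_query[(r["base"], r["filter"])]
        seen[r["bind_dn"]] = max(seen.get(r["bind_dn"], 0), r["nentries"])
    findings = []
    for (base, flt), per_dn in by_query.items():
        empty = sorted(dn for dn, n in per_dn.items() if n == 0)
        served = sorted(dn for dn, n in per_dn.items() if n > 0)
        if empty and served:
            findings.append({"base": base, "filter": flt,
                             "empty_for": empty, "served_for": served})
    return findings


if __name__ == "__main__":
    for finding in find_acl_discrepancies(parse_access_log(SAMPLE_LOG)):
        print(finding)
```
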

  • C100 LDAP accept to multiple AD domains?

    Hi All,
    Just been setting up our Ironport c100 and noticed that per listener you can only have one LDAP lookup host (or many in failover); however, what we require is the following:
    An inbound e-mail for [email protected] arrives, and the c100 looks up the AD (LDAP) of domainA.com for the user and accepts or denies. At the same time another inbound e-mail comes in, but for [email protected]; this needs to do the lookup against the domainB.com AD server, which is a completely different host to domainA.com (in fact a different network/customer).
    From what I can see at the moment I would need to set up a separate Listener for each domain with 2 IPs each, which would soon get very out of hand.
    Has anybody done this before or have any idea how this could be done?
    Just a side note: I set up an ADAM server and used the AD to ADAM synchronizer to get a copy of the domain into a partition in the ADAM server and then another domain into its own partition, but seeing as the C100 needs a base DN this makes this impossible, unless anybody again has some ideas about this....

    Torsten is correct, the feature that you need for supporting either different LDAP servers per domain or tiered LDAP lookups is due in the 5.5 release slated for Q3/2007 so this will be addressed.
    With regards to ADAM, I personally haven't done an installation with ADAM; however, I will state that it's not required to put a base DN into the LDAP profile. So you might want to consider removing the base DN from your ADAM profile and see if the query will work for you.
    Another good step might be to download the Softerra LDAP browser utility and take a look at the ADAM server to identify relevant pieces of LDAP information...assuming that it doesn't conform to AD's (|(mail={a})(proxyAddresses=smtp:{a})) query string.
    Sincerely,
    Jay Bivens
    IronPort Systems

  • Duplicates in Outlook connector global address list (GAL)

    I am getting duplicates in the GAL of Outlook 2007; some addresses appear seven times or more. I have followed the guide for VLV Browsing, but it makes no difference to the problem. There are fewer duplicates if I use search base: ou=People,o=Organization1,dc=example,dc=com. Actually I want to use search base: dc=example,dc=com, thus showing all the organizations (a truly global address book). In order for this to work I have to use the ACI access control to filter the entries that I want in the GAL (the ACI I'm using is below). It seems that when I filter out entries with "psincludeingab=false" it correctly doesn't display that contact, but a duplicate entry of another contact occurs in its place. It's as if it's getting empty entries due to ACI filtering and filling the blank entries in with the last successfully retrieved entries. Thunderbird GAL (LDAP address book) is much better: I can filter it server-side (ACI) or client-side (search filter in the advanced tab). I have been battling with this issue for a while now, and I can't understand why nobody else appears to have this problem.
    ACI for valid users/groups/resources:
    ACI syntax:
    (target = ldap:///o=*,dc=example,dc=com) (targetscope = subtree) (targetfilter = (& (!(psincludeingab=false)) (|(objectclass=inetorgperson)(objectclass=inetResource)(objectclass=icscalendargroup))))(targetattr != "userPassword") (version 3.0; acl "Access Corporate Directory"; allow (read, compare, search) (userdn = "ldap:///uid=*,ou=People,o=*,dc=example,dc=com");)
    ACI location:
    dc=example,dc=com

    ethoms wrote:
    > 1) I can't easily share address books across orgs/domains.
    Sharing personal address-books across hosted domains is definitely a useful feature. I could however not find an existing RFE (request for enhancement) to have this feature added to Convergence or UWC/CE so it seems the demand for such a feature is low.
    > 2) I can't subscribe or even access subscribed address books in Convergence.
    Bug #6690621 - "Enable advanced personal address book functionality (creation/deletion/sharing)". Hopefully this feature is added in Convergence Update 1.
    > 3) I can't access any address book (other than GAL) in Thunderbird.
    Thunderbird's in-built LDAP functionality is basic, i.e. no LDAP write support, which makes integrating LDAP PAB address-book functionality costly to develop. As no paying customers seem to care enough about Thunderbird PAB support to raise this as an issue I don't believe there are any intentions to address this in the short-term.
    The longer-term vision is to provide a CardDAV server for which there are existing Thunderbird extensions:
    http://wikis.sun.com/display/CommSuite/Project+Aries
    > 4) I can't create a user that exists in more than one org/domain whilst having only one mailbox yet able to send from all their domain aliases. The problem with this workaround is neither Comms Express nor Convergence allow change of From address and thus consolidated sent items is not possible.
    Actually it is possible to customize Comms Express to allow a user to select from a From: drop-down listing of their mailequivalentaddress: attributes. I have provided these steps to customers who have logged support cases in the past.
    There is a longer-term plan to have 'multiple send identities' in Convergence along the same lines as Thunderbird.
    RFE #6673157 - "Multiple send identies".
    > On the whole I'm very happy with Comms Suite, I like the fact that it all works over Internet, not just LAN (thick client, thin client and administration interfaces).
    The various components of Comm Suite were developed with large ISP-style deployments in mind so working across the Internet is a given.
    > What could definitely be improved is more features for multi-org/domain companies/enterprises that are both separate and yet together on different levels and services.
    In the ISP world hosted domains remain very much separate. As you have noted this model doesn't apply for smaller deployments (Universities/SME) so there is definitely work that can be done on this level.
    > Also needs more GUI configuration and management services (e.g. mailbox management/statistics, more DA options).
    The underpinnings of GUI configuration (or at least simplified configuration/administration) are already occurring with a shift towards XML storage of configuration data in Messaging Server (and I believe IM server). This step makes it much easier to build tools (whether they be cli/gui based) which can parse/modify the existing configuration.
    But as I'm sure I've mentioned in the past, the only way to get traction on the features you desire is to bring these issues up with your Sun Account Rep.
    Regards,
    Shane.
