Hash function in directory server

Dear all,
We have a very large database, so when we set up our LDAP server we added a number (between 0 and 256) ou to the LDAP schema. The number is calculated from the user's email address with a hash function.
However, we have a problem when we want to migrate our old system to JMS. How can we let JMS know the hash number from the user's email? Is there any way to add a hash function to JMS's directory-access-API so that JMS would use both the user's email and the hash number to access LDAP?
Thanks for any help from you.
Alex

> Dear all,
> We have a very large database, so when we set up our
> LDAP server we added a number (between 0 and 256) ou to
> the LDAP schema. The number is calculated from the user's
> email address with a hash function.

This sounds like an unneeded complication. Why?

> However, we have a problem when we want to
> migrate our old system to JMS. How can we let JMS
> know the hash number from the user's email? Is there any
> way to add a hash function to JMS's
> directory-access-API so that JMS would use both the
> user's email and the hash number to access LDAP?

You might look at the domain_uplevel setting in option.dat, but I'd personally rather have you lose the hash.
We have deployments without such complications, into the several million Directory entries, with no problem, and no hash.

> Thanks for any help from you.
> Alex

Similar Messages

  • Backup / Journaling function for IPlanet Directory Server?

    Hi,
    Does the iPlanet Directory Server provide a journaling function (logging and restore possibility of all changes made between two backups)?
    I can't find anything in the docs, but I somehow can't imagine that this feature is not supported ...
    Thanks
    Kris

    I'd be interested to know this, as well. Did you find an answer for this?

  • Messenger Express: How do I add the Directory Server to the address book search tool?

    In Messenger Express (ME) how do I add the Directory Server (DS) to the address book search tool?

    Edit the globals.pl file. Look for a line similar to:
    @dirservers = ('MyCompany::phonebook.foo.com::o=FooCorp.,c=US','Four11 Directory::ldap.four11.com::');

    Add an entry to the list. The list is comma delimited and each entry is a
    string. The string contains three fields, delimited by a double colon (::). The
    first field is the name you want to appear in the User Interface (UI). The second is
    the hostname of the DS and the third is the Distinguished Name (DN) to use when searching.

    Please note, Messenger Express is part of the Messaging Server. For more
    information on Messenger Express, please see the release notes at
    http://home.netscape.com/eng/server/MExpress/relnotes.htm

    You can't add a new contact to a specific group and there is no app for this. 3rd party apps don't have access to private iPhone APIs, with security concerns being a primary reason, which such a function would require.

  • Where in migration process does old server stop functioning as primary server?

    I am migrating from a SBS 2003 box to a new WS 2012 R2 Essentials box, following the instructions from
    "Migrate from Previous Versions to Windows Server 2012 R2 Essentials or Windows Server Essentials Experience". What I need to know is where in the process does
    the old server stop functioning as a server for my network. What I mean by this is when in the migration process (when I add the new server as a replicate DC? not until I demote the old server?) will any programs/databases on the old server no
    longer be available to client computers?
    Thanks for any insight.

    Yeah, we need to agree on what is meant by "the server". In Windows, Server means many different things. Each time you move a role or feature from the "old" to the "new", the old server ceases to function as "the server"
    for that role or feature. The basic functions of a Windows DC include Active Directory, 5 FSMO roles, file and print services, and application services, to name just a few.
    So the answer to your question is more to do with what you mean by "server". In particular, for the application role, you must move the app to the new server by whatever means the developer recommends. At that point, regardless of whatever
    else is going on, the old server is out of the picture for that application.
    Larry Struckmeyer[MVP] If your question is answered please mark the response as the answer so that others can benefit.

  • Migration Users with MD5 Passwords to Directory Server 6.1 on Solaris 10

    Hi,
    We are currently in a requirement of migrating some users from an application database into LDAP. Currently the application maintains the passwords in MD5 hash form. Typical 32 digit Hex value - 41da76f0fc3ec62a6939e634bfb6a342
    Is there a way we can migrate these users' passwords to Directory Server as-is so that they don't end up facing the prospect of resetting post migration?
    I have done some of the initial ground work but seem to be missing other critical info, if at all it's possible.
    I believe it's possible to have the CRYPT password policy (which directory server uses from the underlying OS) as one of the plug-ins to configure in a way that the underlying CRYPT utility starts to process/provide/support MD5 hashes. I got it to work by using the below command on the DSEE instance:
    dsconf set-plugin-prop -p 389 CRYPT argument:'$md5$'
    But for some reason the MD5 hash the Sun MD5 library provides does not match the original hash value. It's 22 chars long (as I have not specified any salt length) so I am assuming it's Base64 encoded. I have a perl script which converts the original 32-digit hex values to a base64 encoded representation (which I have also verified with other open source tools).
    Is there a way I can tweak the CRYPT utility or something so that it understands typical standard MD5 hashes? (Confused between Sun MD5 and BSD (Linux) MD5 - neither of them seems to match the standard MD5 generated value.)
    Any leads on this would be really helpful?

    Just to reclarify or throw more information:
    a password - cleartext value - testuser1 has 32-digit HEX value as - 41da76f0fc3ec62a6939e634bfb6a342
    Same password when converted to Base64 pattern becomes - Qdp28Pw+xippOeY0v7ajQg==
    But when I use pwdhash utility in DSE after configuring CRYPT to use MD5 hashes it becomes -
    {crypt}$md5$$LiB/H70zXr3xfQPoXVuUQ1
    I used below command :
    pwdhash -D /opt/SUNWdsee/dsee6/ds6/slapd-oha-dev -s CRYPT testuser1
    The actual hash value of pwdhash is LiB/H70zXr3xfQPoXVuUQ1, with the rest of the prefix there to meet the RFC standard and serve as salt and algorithm-name separator.
    I am wondering if Sun MD5 uses a salt by default even when I haven't specified one, or whether DS does it. Or if any other MD5 option is there which can be used.
    Thanks,
    Gaurav

  • Binding to directory server vs. OD replica

    Can someone explain the practical differences between binding a server to an OD master vs. being a replica of that OD master?
    Why would I bind a server instead of making a replica? Seems like the replica would always be easier to admin and would provide the same function...?

    I'm wondering why someone would do this. Why bind one server to another vs. making that second server a replica?
    The real issue is whether this server is going to provide authentication services to other clients.
    In addition to not wanting all your data on a single machine, if you have many client systems it may overwhelm a single directory server. For these reasons you may create a replica (or number of replicas) that keep in sync with the master server and have a complete copy of the entire Open Directory database (all users, machines, groups, etc.)
    These replicas can then be used to provide authentication services to client systems, as well as provide failover for the client in case this machine goes away for any reason.
    In contrast there's no need for every client system to have the entire directory. If you have many machines, the number of update messages that get passed around and need to be replicated to every machine on the network would be cumbersome, at best.
    Then there's also an element of security - the directory should have some level of protection since it includes data about every user, including their password and other personal details. If you replicate this to every machine then any user on your network could poke around the data at their leisure. Contrast that with a typical client machine that only has the account credentials for the current user.
    So for any network you should create one master and at least one replica. Client systems should point to a replica and should not be Open Directory replicas themselves.

  • Where to download "netscape directory server 4.11 or later"

    Hi, there,
    I just want to test some ldap functions on windows 2000. I find some guys said Netscape Directory Server 4.11 is a good choice. Where can I download an evaluation version? I can't find it on Netscape.
    Thanks.

    Just go to www.iplanet.com

  • Unable to Start/Stop Directory server from console

    We have two Directory Server 5.2 installations with both running as masters with replication between them. One of them was installed with the admin server and the other without. On the one that was installed without the admin server we added it afterwards.
    We now find that on the one that had the admin server installed after the directory server that we cannot start/stop the directory server from the server console nor can we view or access backups or logs from the console. The system does however create the log and backup files and we can start/stop it from the command line.
    I read in a post somewhere that the admin server can be created with a different user from the directory server or with the same username but a different domain and wondered if that was the problem but have looked through the configuration files on both machines and haven't managed to spot a discrepancy.
    Does anyone have any ideas where and what to check?
    Thanks in advance.
    Peter

    Ah, I wouldn't have recognized this scenario if you didn't report the scrozzled user name. The "access denied" error happens for the simple reason that 'IAyjcJlYKL' is not a valid user in your domain. Fancy that. If you look in your config.xml for the "node-manager-username" element, you may find the value is encrypted, and probably is 'IAyjcJlYKL'.
    It might be best if you filed a support case for this. I can make some guesses about what you should do, but it's just a guess. In any case, if you try fixing something, make a backup of the file first.
    The two things you can try doing are (backup the files and shut down everything first):
    * Edit the nm_password.properties file, replacing the one "hashed" line with two lines, setting the "username" property and the "password" property, both in cleartext. When the nodemanager starts up, it will replace those two lines with the "hashed" value.
    * Edit the config.xml file, replacing the values in the "node-manager-username" and "node-manager-password-encrypted" elements with their cleartext versions.
    Then start up the nodemanager and server.
    I'm familiar with this because I saw this happen, and I'm trying to remember the strange thing we had to do. I worked this out with BEA support a while ago. If it helps, my case number was #796710.

  • Active Directory - Server 2008 R2 and 2012 R2 (Server Formatting or not productive

    Hello guys, I come here to try to clarify some great doubts regarding Server Operating Systems; I will attempt to detail most of my scenario.
    Suppose I have a Server 2008 R2 in production, and this is my Active Directory server (meudominio.local) and I am managing through Group Policy settings my workstations, which are around 60-70 computers. Guys, my doubt is this: what if I need at some time to format
    and perform a fresh installation of my server, as it is my Active Directory? Of course I will have lost my domain controller and I have to accomplish the placement of each workstation again that enters my domain, one by one.
    I know there is the option of AD replication, so we call the Active Directory, even for another version of the Operating System; in practice I have already done this, but it most often ends up not functioning properly, done without replication problems from Server 2003 to
    2008 R2.
    Guys like to know a solution to not having to put my plants in my domain network again one by one, is there any way to backup so that when I reinstalled the system and the AD again in my server stations return to "see" again that server as your domain
    controller, even me installing AD with the same domain name before this formatting stations do not respond to this driver in this case do the Network ID or add the station to the area again, so she creates a new user profile for example (Max.meudominio) while
    your old profile "guy" still remains on the machine, I adopted the practice of editing the record of this newly created profile and pointing him well for the old user folder which contains all data and settings, eg edit my key "ProfileImagePath"
    regedit logged in with the newly created profile (Max.meudominio) ->
    (switch "ProfileImagePath" C:\Users\Max.meudominio) thus pointing to the folder before replacing in the field again this season after formatted server, thus ->
    (Switch "ProfileImagePath" C:\Users\Max), detail that we give permission for all such user "C:\Users\Max" folder, after that restart the computer and he comes back with the user profile and all your settings.
    I wonder if there is another method to perform this procedure, do not know even a backup AD to not have to replace all the seasons again "meudominio.local".
    Thank you for your attention!
    Translation with Google translator! Sorry.
    Matias Duarte, Support Coordinator, Dual Solucoes® | Solutions in information technology

    As the practice of replication I know her mostly said she has some flaws when I do the replication of my domain to another server but it works correctly, so having a server "master" and the other ServidorBKP as "slave", in redundancy,
    the problem is when I say, and put the "ServidorBKP" being my primary domain controller and disabling my main controller, to disable or turn off my main controller the stations themselves are unable to login because it does not communicate with the
    my ServidorBKP "slave" even I put it as the main driver of course.
    Regarding the System State as far as I know this option existed in Server 2003.
    I also got some information, confer on the links below.
    http://msdn.microsoft.com/en-us/library/bb727048.aspx
    http://technet.microsoft.com/pt-br/library/cc758435(v=ws.10).aspx
    http://technet.microsoft.com/en-us/library/cc961934.aspx
    I'm still researching other ways, getting communicate any news to everyone. (Google Translate)
    Matias Duarte, IT Coordinator, Dual Solucoes® | Solutions in information technology http://www.matiasduarte.com.br

  • Sun Directory Server attribute userPassword and SSHA

    I am trying to write my own java code to validate an input plain text password against the corresponding encoded value as it appears in the Sun One directory server attribute 'userPassword'.
    For example the userPassword attribute value might look like this:
    {SSHA}...some-ssha-encoded-jibberish...
    Now what does the java code snippet look like that takes as input a plain-text password String and encodes it to see if it matches the Sun One encoded attribute value??

    I know that doing an LDAP bind will accomplish the 'logical' equivalent of what I am after, but for my application purposes I need to be able to validate the password string with my own code. In fact my problem goes beyond just the {SSHA} style hash: I also need to be able to validate the {crypt} style hash as well. I have solved the {SHA} style hash validation but the other two hashes are problematic thus far.
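    One way to do the check these two threads ask about (the {SSHA}/{SHA} validation above, and the MD5-migration question earlier in this list), as an added example written in Python rather than the poster's Java; it is not code from Sun Directory Server or from either thread. The scheme names, the base64(digest + salt) layout and the example hex value come from the posts; which schemes a given server version accepts on import is an assumption to check against its password storage scheme list.

```python
# Added example (not from the original posts or from Sun Directory Server):
# verify a cleartext password against an LDAP userPassword value written in
# the {SHA}, {SSHA}, {MD5} or {SMD5} form, and transcode an application's
# raw 32-hex-digit MD5 into the {MD5} form. A crypt(3) "$md5$..." value is a
# different, salted construction and is deliberately not handled here.
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# scheme -> (hashlib name, digest length in bytes, salted?)
# Salted schemes store base64(H(password + salt) + salt); the salt is whatever
# bytes follow the digest, so its length need not be fixed.
SCHEMES = {
    "SHA": ("sha1", 20, False),
    "SSHA": ("sha1", 20, True),
    "MD5": ("md5", 16, False),
    "SMD5": ("md5", 16, True),
}
_VALUE_RE = re.compile(r"^\{(?P<scheme>[A-Za-z0-9]+)\}(?P<b64>[A-Za-z0-9+/=]+)$")


def make_hash(scheme: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build a userPassword value; salted schemes get a random 8-byte salt unless one is given."""
    algo, _, salted = SCHEMES[scheme.upper()]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode("ascii"))


def verify_password(stored: str, password: str) -> bool:
    """True when `password` matches `stored`; unknown or malformed values return False."""
    m = _VALUE_RE.match(stored.strip())
    if not m or m.group("scheme").upper() not in SCHEMES:
        return False  # e.g. {crypt}, which depends on the platform crypt(3)
    algo, digest_len, salted = SCHEMES[m.group("scheme").upper()]
    try:
        raw = base64.b64decode(m.group("b64"), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) < digest_len or (not salted and len(raw) != digest_len):
        return False
    digest, salt = raw[:digest_len], raw[digest_len:]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    # constant-time compare so the position of the first mismatch does not leak
    return hmac.compare_digest(candidate, digest)


def md5_hex_to_ldap(hex_digest: str) -> str:
    """Re-encode an unsalted 32-hex-digit MD5 as {MD5}base64; same digest, different encoding."""
    raw = bytes.fromhex(hex_digest)
    if len(raw) != 16:
        raise ValueError("expected a 16-byte MD5 digest")
    return "{MD5}" + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # hex value quoted in the migration post; whether the target server accepts
    # {MD5} on import must be checked against its password storage scheme list
    print(md5_hex_to_ldap("41da76f0fc3ec62a6939e634bfb6a342"))
    stored = make_hash("SSHA", "testuser1")
    print(stored, verify_password(stored, "testuser1"), verify_password(stored, "wrong"))
```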

  • Sun Directory Server crashed

    Hi ,
    i dont know where to post this question because i really dont understand myself the error
    i downloaded Sun Directory Server 5.2 and installed in both my Solaris
    one of them is Solaris 8 ( Production Server)
    the other one is Solaris 10 ( Another Prod Server )
    i did master-master ldap replication but it works okay for quite sometimes ( few days )
    only today i found today that one of the directory server is crashing and what i found in the log is
    [19/Dec/2006:17:17:10] config (10607): # An error report file has been saved as hs_err_pid10607.log.
    [19/Dec/2006:17:17:10] config (10607): # Please refer to the file for further information.
    [19/Dec/2006:17:17:14] info (10610): Installing a new configuration
    [19/Dec/2006:17:17:14] info (10610): [LS ls1] http://ils1app3.tpcils.com, port 390 ready to accept requests
    [19/Dec/2006:17:17:14] info (10610): A new configuration was successfully installed
    [19/Dec/2006:17:17:14] info (10610): Using the Java HotSpot(TM) Server VM v1.4.1_01 from Sun Microsystems Inc.
    [19/Dec/2006:17:17:14] info (10610): Java VM classpath: /var/Sun/mps/bin/https/jar/NSServletLayer.jar:/var/Sun/mps/bin/https/jar/NSJavaUtil.jar:/var/Sun/mps/bin/https/jar/NSJavaMiscUtil.jar:/var/Sun/mps/bin/https/jar/servlet.jar:/var/Sun/mps/bin/https/jar/servlet-2.3-filters-api.jar:/var/Sun/mps/bin/https/jar/jspengine.jar:/var/Sun/mps/java/ldapjdk.jar:/var/Sun/mps/java/jss311.jar:
    [19/Dec/2006:17:17:14] info (10610): Loading IWSSessionManager by default.
    [19/Dec/2006:17:17:14] info (10610): IWSSessionManager: Maximum number of sessions is 1000
    [19/Dec/2006:17:17:14] catastrophe (10610): Server crash detected (signal SIGSEGV)
    [19/Dec/2006:17:17:14] info (10610): Crash occurred in function PR_Write from module /var/Sun/mps/lib/libnspr4.so
    [19/Dec/2006:17:17:14] config (10610):
    [19/Dec/2006:17:17:14] config (10610): An unexpected exception has been detected in native code outside the VM.
    [19/Dec/2006:17:17:14] config (10610):
    [19/Dec/2006:17:17:14] config (10610): Unexpected Signal : 11 occurred at PC=0xFEEBB384
    [19/Dec/2006:17:17:14] config (10610):
    [19/Dec/2006:17:17:14] config (10610): Function=
    [19/Dec/2006:17:17:14] config (10610): PR_Write+0x0
    [19/Dec/2006:17:17:14] config (10610):
    [19/Dec/2006:17:17:14] config (10610): Library=/var/Sun/mps/lib/libnspr4.so
    [19/Dec/2006:17:17:14] config (10610):
    [19/Dec/2006:17:17:14] config (10610):
    [19/Dec/2006:17:17:14] config (10610): Cannot obtain thread information
    [19/Dec/2006:17:17:14] config (10610):
    This is happening on the Solaris 8 box,
    while in the Solaris 10 (new box) I can't see any error being logged.
    Any help/idea would be highly appreciated.
    Thanks

    Could it be because of too many load calls to LDAP server?
    or different java version ??

  • Sun Directory Server as Primary Domain Controller.

    Hello,
    I've recently installed Sun Directory Server, Access Manager, and DSEE Identity Manager, on CentOS 5.2, with success, but my question is:
    Can I use this directory as a primary domain controller for my network, I want to know if it is possible to integrate this directory in the same way that Active Directory works, I mean connecting Windows computers to the DC with some kind of connector (because windows won't connect to another directory than AD natively). I know that there are some MSGina replacements, like pgina, but I'm looking for some serious solution, especially for computers running Windows Vista.
    Thanks in advance.

    Hi,
    thanks for your answer, but... is there a way to configure the DSEE to be like a native 2000/2003 Active Directory? I mean, connecting directly to the DSEE without using Samba. I know that it is possible to use that solution, but you lose some functionality.
    I've been trying to do some research about the topic, like modifying the bind DNS to act like an AD DNS, and it works to a certain degree: windows xp detects the SRV records but when it tries to connect to the directory it fails, giving me an error saying that the DC isn't available. It would be great to make such an environment, Windows XP / Vista connected to DSEE without third party software.
    Any comment would be greatly appreciated.
    Thanks.

  • Synchronization between AD and Sun Java Directory Server

    I would like to build an environment as below, kindly let me know whether it is possible or not.
    My Enterprise Directory is Active Directory and I have a Policy Server which directs the sso users to get authenticated with that server. I would like to synchronize the user data from Active Directory to Sun Java Directory Server (existing version is 5.2 Service Pack 4) including the passwords, and I would like to know with which hashing algorithm these passwords are stored in the sun directory server. Because I want to synchronize the same attributes from sun java directory server to Oracle Internet Directory, and is it possible to get my sso users to get authenticated at OID as well?
    Kindly let me know whether this approach is feasible or not?
    Any suggestion to this approach is greatly appreciated...
    Thanks in advance...
    Regards,
    Kishore Repakula.

    > i would like to know with which hashing algorithm these
    > passwords are stored in the sun directory server.

    Like most other directory servers, SunDS offers a few choices here.
    The most secure is SSHA, which you'd probably want to use unless you have apps with dependencies on other hashes (e.g., CRYPT for backward compatibility with the UNIX password field).

    > I would like to synchronize the user data from Active Directory
    > to Sun Java Directory Server (existing version is 5.2
    > Service Pack 4) including the passwords...

    Sun has an "Identity Synchronization for Windows" product which might work for you.
    http://www.sun.com/software/products/directory_srvr_ee/identity_synch/
    Unfortunately, the big trick with AD passwords is that they are stored in a proprietary one-way hash, so you can't just sync them directly over to another directory. Likewise, you can't import password hashes from other sources into AD and expect them to work.

  • Integrating Sun Java Directory Server with Sun Java Application Server 7

    Hi,
    My basic goal is to implement Single Sign On within the network, i.e. if the user is inside the company's network and tries to access any application, then he should not be asked for a Username/password again because he is in the network.
    My question is: is this possible with Sun Java System Directory Server? If yes, how can we integrate Directory Server with Sun Java System Application Server 7 2004Q2?
    Please help.
    Thanks

    Directory Server in itself doesn't provide any kind of SSO functions. Basically it is a high performing data repository accessible via LDAP and DSML. It is, however, a key component used by SSO applications like Access Manager. If your applications are web applications then take a look at Access Manager for your SSO needs.
    Regards,
    Scott

  • Messaging Server authenticate against directory server

    Just wondering how to make messaging server authenticate against directory server? Basically I created users on the directory server, and would like to let these users access messaging server.
    Thanks for advice!

    I'm sorry, your question doesn't really make any sense.
    Messaging Server always authenticates to users in a Directory.
    How did you "create users"? That may be the problem. If you don't create the users with the provisioning tools provided with Messaging, then the users don't have the correct object classes and attributes to function as Messaging users.
