IMS52 (with Direct LDAP Mode) Directory Failover

I would like to configure all components of iMS5.2 for Directory Server failover. That should include (Direct LDAP) MTA, Messaging Express, authentication, Personal Address Book, Delegated Administration, etc.
What are all the settings I need to configure for any of these components to failover to an alternate directory server?
Thanks,
Fred

./configutil -o local.ugldaphost -v "host.domain,host.domain,host.domain"
See the 5.2 Reference Manual, Chapter 4 for all of the configutil variables.

Similar Messages

  • What is direct ldap mode.

    I want to know why some people suggest using direct LDAP. I want to know the differences between default and direct LDAP mode, and how to enable it.

    I'm going to quote from the engineers responsible for Direct LDAP, "Dirsync is the blackest kind of black magic. Direct LDAP is White Magic."
    Basically, Dirsync is an old holdover from the days when Sun didn't have a high-performance Directory Server, but did have a high-performance mail server. Since the old Sun Directory Server (no relationship to the current product, purchased as part of Netscape), Dirsync was developed as a way to gather the entire contents of the old directory into the mail server.
    Since the current Sun JES directory server, iPlanet Directory Server is a very high-performance product, this is no longer needed. Dirsync uses a directory server in a very non-optimal way, essentially. Every day, Dirsync goes to the directory, and says, "tell me all you know". Every 10 minutes, it says to the directory, "tell me all you've learned in the last 10 minutes". These queries are very difficult for a directory server to handle, especially in large deployments, and can crash a directory server.
    Direct LDAP is different. It uses the directory server in the way that the directory server was designed to be used. Look up a single user, with an indexed search. Direct LDAP is well documented, while Dirsync was not. Direct LDAP uses advanced cache systems. Dirsync did not. Direct LDAP is undergoing development and fixes, while Dirsync is not. Dirsync has bugs, and will never be fixed.
    Messaging 6.0 and later do not even include the Dirsync capability.
    Direct LDAP proves to perform faster than Dirsync, in real deployments, too.
    Hopefully, that answers the questions?

  • Some things no longer work after switch to direct LDAP mode

    Hi,
    today I tried switching to direct ldap mode following the documentation.
    Now I can no longer send mail directed to hosts as
    [email protected]
    I always get a 5.1.1 unknown or illegal alias:
    whereas email@{subdomain}.domain.com is ok, as long as the subdomain is known to the MTA, i.e. it is an alias object in the DC tree.
    Also, some aliases defined in the file "aliases" are no longer recognized;
    for convenience, I had some default forward lines like
    *@domain.com: @otherrelay:*@domain.com
    which effectively acted like a smarthost, i.e. mail to addresses not known in domain.com was forwarded to "otherrelay".
    Now, probably I could solve the second problem using a smarthost in the DC tree's domain config.
    The first problem, however, puzzles me... it looks like if it doesn't find a matching address, and the host is not known as a domain, then further rewrite rules are not applied?

    I found the problem:
    in option.dat, DOMAIN_UPLEVEL must be set to 0 in order to have the old behaviour (wildcards in the alias file, and the possibility to send mail directly to specified hosts).
    I had set it to 1, in the hope the MTA would be more tolerant in finding users (if [email protected] is not found, then maybe it exists at [email protected], so use this instead), as some of our users have quite some problems addressing other users in the correct subdomain.

  • Problem with Direct LDAP

    Hi Jay,
    I am having a problem with the switch to Direct LDAP. I am finally doing it on my production server. Using ldap 4.16 currently. Once I get this working I am upgrading to 5.2.
    We have a server that holds messages until a user releases them. This server is called ewall.mydomain.com.
    They get a message in their inbox that allows them to click on a link to send the ewall server a message to release the held mail.
    the link would look like this:
    [email protected]
    (all on one line)
    This worked just fine in dirsync mode, but after switching to Direct LDAP I get a 5.1.1 unknown or illegal alias when the user tries to send the message. If I switch back to dirsync mode it works fine again. Everything else is working fine.
    Any ideas?
    Thanks
    Don

    Well, it means that for some reason, your [email protected] user isn't being picked up in the direct ldap.
    It could be that your domain is "mydomain.com", and the user is in "ewall.mydomain.com". Dirsync assumes that subdomains are part of an overall domain; direct ldap doesn't, unless you set
    domain_uplevel=3 in your option.dat, and recompile.

  • Tax issue with Direct Input mode of RFBIBL00

    Hi, I have a problem using RFBIBL00 (direct input mode) to create A/R invoices. There is no tax associated with the invoice; however, when I use direct input mode, instead of posting immediately, a batch input session is created. In the log, an information message: 'Specify a tax jurisdiction key'. The BDC session is processed with no error.
    When using Call transaction mode for RFBIBL00, the document is posted immediately, but the requirement is to use Direct input mode.
    There is no converted data in the BBTAX structure since the doc. does not need to post to a tax account. Do I need to populate the Tax amount, Tax code and jurisdiction code in this structure and BBSEG in order to bypass the information message?
    Any advice is appreciated.
    - Minami

    Problem solved. Just need to untie the relationship between the ITEM import structure and the BBTAX so the Direct Input program will not require a tax jurisdiction code.

  • Setup table Administration with Direct Delta mode

    Hi guys,
    I have direct delta as the update mode for my 2LIS_11_VAITM extractor in R/3.
    I'd like to know if I also have to manage the related setup table (MC11VA0ITMSETUP) with this update mode.
    For instance, if I delete an ODS content and restart a new INIT on the BW system, do I need to delete and then fill the setup table?
    In general, do I always need to manage the setup table with each kind of update mode (direct delta, queued delta and V3 update)?
    If you know the answers, please reply to me directly without inserting a link.
    Many thanks.

    Yes, you do.... the initial loads for LO datasources are completely independent of the delta loads and hence of the delta method...
    /people/sap.user72/blog/2005/01/19/logistic-cockpit-delta-mechanism--episode-three-the-new-update-methods
    M.

  • Optimizing Mailing Lists with Direct LDAP

    Hey all,
    I've noticed performance issues with iMS 5.2p1 (with iDS 5.1) with respect to direct LDAP lookups, especially for large mailing lists. Even a 28 user list takes 10 minutes, whereas with MS 4.1.5 it was practically instant. We also have a dynamic group with everyone (4000 people or so) and it simply pegs the LDAP server @100% CPU and sits there for a day. It seems that there are a ton of ways to optimize the caches and LDAP lookups. Where should I start or what should I do? What settings should I look to fix on the LDAP server, IMTA, etc. to speed things up?
    Thanks!
    Chris

    This was an LDAP server optimization issue. I increased the memory for both the slapd cache and the database cache. I then added indexes for all the common items searched for by the IMTA. I was watching the slapd access logs and saw that the IMTA searches for a lot of important items that are not indexed by default. I added indexes for:
    inetUserStatus
    mailUserStatus
    inetMailGroupStatus
    mailEquivalentAddress
    mailRoutingAddress
    mailMsgMaxBlocks
    mailQuota
    mailMsgQuota
    mailProgramDeliveryInfo
    mailDeliveryFileURL
    maildeliveryfile
    mailConversionTag
    mailDeliveryOption
    vacationStartDate
    vacationEndDate
    mailForwardingAddress
    memberURL
    rfc822mailmember
    mailAccessDomain
    mailMessageStore
    preferredLanguage
    mailAllowedServiceAccess
    Now a message to everyone that took 24 hours and never went through takes just over a minute to get to 4000 users on my little test server. Smaller dynamic lists are even faster. General performance of message delivery is also faster, as is SMTP response from the client perspective.

  • Direct Ldap configuration mismatch....

    I am running directory server 5.1 and messaging server 5.2.
    I have one message store (msA.example.com) for users to retrieve mail, and it queries the directory master server (dsA.example.com) with direct ldap configured.
    I am configuring another messaging server (msB.example.com) with SMTP authentication for the same users to send mail through, and it queries another ldap consumer server (dsB.example.com).
    dsB is replicated from dsA immediately after any modification is done to dsA. My present setup works fine if msB is configured in dirsync mode, but I want to configure it to use direct ldap from dsB.
    When I try to send email via msB (with direct ldap enabled) it waits a long time after (SMTP) authentication and then terminates with a "server unexpectedly terminated the connection" message on the Outlook client. I cannot see any message in mail.log_current.
    All my direct ldap settings are correct and compiled properly.
    Later I found that when I comment out the
    " $* $E$F$U%$[email protected]$V$H " line in the imta.cnf file it works fine, i.e. the message is delivered without any delay.
    (But this has to be uncommented in direct ldap mode according to the Sun documentation.)
    Can anyone clarify this? I can see that even without uncommenting the above line, direct ldap works fine!

    Thanks for the replies...
    I tried the way that you mentioned, but the problem still persists.
    There are no messages in the DEBUG logs.
    But I have something more to tell....
    When I first installed the messaging server (msB), I used dsA as the ldap server. So after installation I got the results below with configutil.
    local.ugldaphost = dsA.example.com
    local.ldaphost = dsA.example.com
    local.service.pab.ldaphost = dsA.example.com
    Since I want to use ldap queries from dsB, I changed user lookups to dsB.
    Then the output was:
    local.ugldaphost = dsB.example.com
    local.ldaphost = dsA.example.com
    local.service.pab.ldaphost = dsB.example.com
    Do you think this causes the error?
    I cannot use dsB for local.ldaphost since it makes msB unusable. All I need here is to get the user lookups from dsB.

  • Direct LDAP in 5.2

    Hi, I am testing out features in 5.2 after an upgrade from NMS 4.15. I couldn't find any benefits of using Dirsync, so I switched to direct LDAP mode. The main reason was that if I make a change in the directory I want the mail server to pick it up right away, just like it does in 4.15.
    I have noticed that, even in direct LDAP mode, things like changing a user's forwarding address or vacation message take about 15 minutes for the mail server to pick up. It does not seem like a direct lookup at all; there must be some type of caching. Has anyone else experienced this, or can someone explain it?
    Thanks,
    Mark

    I have the same problem.
    Did you get any answer for it ?
    Vincent

  • Aliases, mailforwardaddress,direct ldap, seeking clarification

    Howdy,
    We're running iMS 5.2p1 with IDS. We're still in dirsync mode and simply want to switch to direct ldap. The instructions are clear but I'm hesitating as I look into our aliases file and how to proceed. My questions are as follows -
    1) yes or no: In direct ldap mode, the msg-instance/db/aliases file is NOT used ever?
    2) if the answer to #1 is YES, then is the "solution" to create an ldap entry for a simple mail-id with a mailforwardaddress: attribute? Or if distributing to multiple users from a single mail-id, create a group/distribution list?
    3) Is it possible to be in direct ldap mode AND still use an alias database?
    We're not in the extreme on alias usage, maybe a few hundred. However when I start looking at adding a few hundred LDAP entries and then managing mailforwardaddresses: for something I used to do in one line in an alias file it becomes overkill. Perchance an ou=alias ldap entry could be thrown into the next version or maybe even gasp use the alias entry for all our Solaris servers which is already stored in LDAP?
    It may be a case of performance vs. scalability vs. simplicity, and I can accept that as a sound reason. Man alive though, I love iMS and my aliases file! <smile>
    Thanks for any feedback,
    Doug

    Actually, I'd like to correct that.
    1) yes or no: In direct ldap mode, the msg-instance/db/aliases file is NOT used ever?
    The aliasesdb.db is referred to, in the case that direct ldap lookup does not find anything (this is what the "alias magic" setting in option.dat does).
    2) if the answer to #1 is YES, then is the "solution" to create an ldap entry for a simple mail-id with a mailforwardaddress: attribute? Or if distributing to multiple users from a single mail-id, create a group/distribution list?
    I'm not at all sure what you're trying to achieve. We normally recommend REMOVING the old aliasesdb.db, unless there are things there you need to keep, or are willing to maintain. If you need a few aliases, there is a separate aliases file. If you need alternate addresses, put 'em in the user's mailalternateaddress or mailequivalentaddress attributes.
    This makes sense, I'll summarize more below.
    3) Is it possible to be in direct ldap mode AND still use an alias database?
    Again, yes, but why would you want to do that? You'd have to create the database, and maintain it. Bad Idea.
    We're not in the extreme on alias usage, maybe a few hundred. However when I start looking at adding a few hundred LDAP entries and then managing mailforwardaddresses: for something I used to do in one line in an alias file it becomes overkill.
    Why forwarding addresses? This really doesn't make sense.
    Sure it does, in my mind <smile>. Here's the situation. We're a college where students, staff and faculty will either graduate, move to another college nearby or move across the country. When they do so, maintaining an entry in a file such as
    jsmith: [email protected]
    is pretty simple. This file can also be shared with other Sun servers or placed into the LDAP/NIS Alias entry. So the functionality extends beyond iMS a bit.
    With a graduating class of say 400, with an email forwarding policy of 12 months after departure, these would accumulate in the LDAP database with no other iMS information than a mailforwardaddress needed. As we know, LDAP requires a tad more information to accept a record. Hence the perception on my part of the alias file. (I'm just afraid of change, bear with me!)
    How do you do it NOW? What is it you're doing?
    We run in dirsync mode and rebuild the alias database. I also think I'm using the terms alias *file* and alias *database* interchangeably. I do understand that the DB gets built from the file.
    Perchance an ou=alias ldap entry could be thrown into the next version or maybe even *gasp* use the alias entry for all our Solaris servers which is already stored in LDAP? It may be a case where performance vs. scalability vs. simplicity and I can accept that as a sound reason. Man alive though I love iMS *and* my aliases file! <smile>
    Again, what is it exactly that you want to do? Most likely there's an easy way to do it.
    Thanks for any feedback,
    Thank you, I appreciate the additional information. We also use the alias file to add quick addresses, like for a department which only wants mail sent from one email address to many. No other functionality needed. For example:
    summerconference2003: user1, user2, user3
    A simple and quick "one to several" email address. Granted, for iMS I'd have to add the domain, but the concept is the same.
    Thanks again,
    Doug

  • [OBPM 10gR3]How to configer a hybrid directory with Oracle LDAP Server

    Hey, guys,
    Does anyone have experience configuring a hybrid directory with Oracle LDAP Server? How do you configure the mapping conf file for Oracle LDAP in the directory \OraBPMwlHome\conf?
    Here is my conf file. But I get some LDAP mapping errors. It's really weird that OBPM doesn't support Oracle's own LDAP; at least it does not provide the conf file.
    -----------errors------------
    Exception [javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Function Not Implemented]; remaining name '']. Reason: [LDAP: error code 53 - Function Not Implemented] fuego.directory.DirectoryRuntimeException: Exception [javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Function Not Implemented]; remaining name '']. at fuego.directory.DirectoryRuntimeException.wrapException(DirectoryRuntimeException.java:85) at fuego.directory.hybrid.ldap.JNDIQueryExecutor.select(JNDIQueryExecutor.java:203) at fuego.directory.hybrid.ldap.JNDIQueryExecutor.selectAllFromView(JNDIQueryExecutor.java:84) at fuego.directory.hybrid.ldap.JNDIQueryExecutor.selectAllFromView(JNDIQueryExecutor.java:64) at fuego.directory.hybrid.ldap.Repository.selectAllFromView(Repository.java:54) at fuego.directory.hybrid.ldap.LDAPPollingEventGenerator.buildCurrentProxies(LDAPPollingEventGenerator.java:98) at fuego.directory.provider.notifiers.BasePollingEventGenerator.generateEvents(BasePollingEventGenerator.java:41) at fuego.directory.hybrid.HybridMultipleEventGenerator.generateEvents(HybridMultipleEventGenerator.java:43) at fuego.directory.provider.notifiers.DirectoryNotifier.notifyChanges(DirectoryNotifier.java:403) at fuego.server.service.DirectoryListener.updateEngineFromDirectoryImpl(DirectoryListener.java:309) at fuego.server.service.DirectoryListener$DirectoryPollingItem.execute(DirectoryListener.java:351) at fuego.server.execution.DefaultEngineExecution$AtomicExecutionTA.runTransaction(DefaultEngineExecution.java:304) at fuego.transaction.TransactionAction.startBaseTransaction(TransactionAction.java:470) at fuego.transaction.TransactionAction.startTransaction(TransactionAction.java:551) at fuego.transaction.TransactionAction.start(TransactionAction.java:212) at fuego.server.execution.DefaultEngineExecution.executeImmediate(DefaultEngineExecution.java:123) at fuego.server.execution.DefaultEngineExecution.executeAutomaticWork(DefaultEngineExecution.java:62) at 
fuego.server.execution.EngineExecution.executeAutomaticWork(EngineExecution.java:42) at fuego.ejbengine.ejb.EngineStartupBean.executeItem(EngineStartupBean.java:192) at fuego.ejbengine.ejb.EngineStartupBean.updateFromDirectory(EngineStartupBean.java:172) at fuego.ejbengine.ejb.engine_startup_bpmengine_wodkyx_ELOImpl.updateFromDirectory(engine_startup_bpmengine_wodkyx_ELOImpl.java:365) at fuego.ejbengine.servlet.SchedulerServlet$DirectoryPollingTask.runImpl(SchedulerServlet.java:269) at fuego.ejbengine.servlet.SchedulerServlet$ScheduledTask.run(SchedulerServlet.java:208) at java.util.TimerThread.mainLoop(Timer.java:512) at java.util.TimerThread.run(Timer.java:462) Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Function Not Implemented]; remaining name '' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3078) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2758) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1812) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1735) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321) at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248) at fuego.jndi.FaultTolerantDirContext.search(FaultTolerantDirContext.java:867) at fuego.directory.hybrid.ldap.JNDIQueryExecutor.select(JNDIQueryExecutor.java:190) ... 23 more
    -----------mapping conf file for Oracle LDAP---------
    <?xml version="1.0" encoding="UTF-8"?>
    <?fuego version="6.1 ALPHA" application="albpmenterprise"?>
    <!-- This file contains the proper attribute mapping for the FDI Generic Ldap Provider using Oracle Directory Service.
    * Preference for group object
              <preference id="assignedParticipants.containsId" value="true"/>
              This preference is useful to speed up the provider and it can only be used if the assignedParticipant value is the dn of the user and the dn contains the participant id
              <preference id="assignedParticipants.containsId" value="true"/>
              This preference is useful to speed up the provider and it can only be used if the assignedGroup value is the dn of the group and the dn contains the group id
              <preference id="modifyTimeStamp.suffix" value="Z"/>
              This preference is useful when the suffix of the modifyTimeStamp format of your ldap is not .OZ.
    -->
    <config>
         <object id="person">
              <object-filter>
                   <![CDATA[
                        (objectclass=inetOrgPerson)
                   ]]>
              </object-filter>
              <relative-dn>
                   <!-- the relative dn for person -->
              </relative-dn>
              <attribute id="id" value="uid"/>
              <attribute id="lastName" value="sn"/>
              <attribute id="firstName" value="givenname"/>
              <attribute id="accountLock" value="orclIsEnabled">
                   <attribute-comparator operation="EQUALS" compareTo="ENABLED"/>
                   <filter>
                        <![CDATA[
                             ($accountLock=ENABLED)
                        ]]>
                   </filter>
              </attribute>
              <attribute id="facsimileTelephoneNumber" value="facsimileTelephoneNumber"/>
              <attribute id="displayName" value="displayName"/>
              <attribute id="mail" value="mail"/>
              <attribute id="telephoneNumber" value="telephoneNumber"/>
              <attribute id="employeeId" value="employeeNumber"/>
              <attribute id="thumbnailPhoto" value="jpegPhoto"/>
              <attribute id="manager" value="manager"/>
              <attribute id="modifyTimeStamp" value="modifytimestamp"/>
         </object>
         <object id="group">
              <object-filter>
                   <![CDATA[
                        (objectclass=orclGroup)
                   ]]>
              </object-filter>
              <relative-dn>
                   <!-- the relative dn for group -->
              </relative-dn>
              <attribute id="id" value="dn"/>
              <attribute id="modifyTimeStamp" value="modifytimestamp"/>
              <attribute id="displayName" value="displayName"/>
              <attribute id="name" value="cn"/>
              <attribute id="description" value="description"/>
              <attribute id="assignedParticipants" value="uniquemember"/>
              <!--attribute id="assignedGroups" value="memberOf"/-->
              <attribute id="ou" value="uniquemember"/>
         </object>
         <object id="ou">
              <object-filter>
                   <![CDATA[
                        (objectclass=domain)
                   ]]>
              </object-filter>
              <relative-dn>
                   <!-- the relative dn for ous -->
              </relative-dn>
              <attribute id="name" value="orclsubscriberfullname"/>
              <attribute id="description" value="description"/>
         </object>
    </config>
    Edited by: Lemonice on 2009-3-30 2:08 AM
    Edited by: Lemonice on 2009-3-30 7:01 PM
    Edited by: Lemonice on 2009-3-30 8:43 PM

    Hi,
    in my case, I am trying to configure the OBPM directory using ALUI and its native LDAP service.
    Now, I found that the first name and the last name in BPM are retrieved from the ALUI display name: provided we enter the display name in the format %first name% + %last name%, we get them into BPM. But the display name is not always in this format...
    In addition, it's the portal telephone number information which is retrieved into the BPM Telephone and Fax numbers.
    And the email address remains blank.
    I have installed the latest patch for OBPM (Version: 10.3.1.0.0 Build: #97172).
    Would you have any documentation about creating a Profile Web Service in ALUI and specifying which LDAP attributes to map to which ALUI properties in the Profile Source?
    Thanks !
    Edited by: vVince on May 6, 2009 3:46 PM

  • Error after setting up direct LDAP

    Running iMS 5.2 and LDAP 4.1.6.
    After making the changes to set up direct LDAP lookup, I started getting the following error:
    4.0.0 temporary error returned by alias expansion
    While making the changes to set the server back to dirsync mode, I noticed that the databases
    aliasesdb.db and reversedb.db had been recreated but were significantly smaller than the originals.
    After changing the imta.cnf, option.dat, job_controller.cnf and mappings files back and replacing my db files, I ran an imsimta cnbuild and a full dirsync and everything functioned normally again.
    Any ideas?
    Don

    Hi Roger and Jay,
    I followed the instructions exactly. I have restored my backups of the config files a couple times and started over again. I did catch the error that Roger pointed out and my line read exactly like his example (with my domain of course)
    This is my old mailserver. I have a new one working right now. I am trying to get the updates all working on this one before I mess up the production machine so there is no problem with it being down while I work the bugs out.
    Here is a clip from the ldap access log
    the last line shows an error 11 that I assume is the problem.
    [14/Dec/2004:15:44:29 -0700] conn=46 op=1 SRCH base="dc=sturgeon,dc=ab,dc=ca,o=Internet" scope=0 filter="(|(objectclass=inetDomain)(objectclass=inetdomainalias))"
    [14/Dec/2004:15:44:29 -0700] conn=46 op=1 RESULT err=0 tag=101 nentries=1 etime=0
    [14/Dec/2004:15:44:29 -0700] conn=46 op=2 SRCH base="o=sturgeon.ab.ca,o=ab.ca" scope=2 filter="(&(objectclass=groupOfUniqueNames)(objectclass=inetMailAdministrator))"
    [14/Dec/2004:15:44:29 -0700] conn=46 op=2 RESULT err=0 tag=101 nentries=1 etime=0
    [14/Dec/2004:15:44:29 -0700] conn=46 op=3 SRCH base="cn=Domain Administrators,ou=Groups,o=sturgeon.ab.ca,o=ab.ca" scope=0 filter="(objectclass=*)"
    [14/Dec/2004:15:44:29 -0700] conn=46 op=3 RESULT err=0 tag=101 nentries=1 etime=0
    [14/Dec/2004:15:44:29 -0700] conn=46 op=4 SRCH base="o=sturgeon.ab.ca,o=ab.ca" scope=2 filter="(uid=carlgren)"
    [14/Dec/2004:15:44:29 -0700] conn=46 op=4 RESULT err=0 tag=101 nentries=1 etime=0
    [14/Dec/2004:15:44:29 -0700] conn=47 fd=54 slot=54 connection from 192.168.0.12 to 192.168.0.12
    [14/Dec/2004:15:44:29 -0700] conn=47 op=0 BIND dn="uid=carlgren,ou=people,o=sturgeon.ab.ca,o=ab.ca" method=128 version=3
    [14/Dec/2004:15:44:29 -0700] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0
    [14/Dec/2004:15:44:29 -0700] conn=46 op=5 SRCH base="cn=Service Administrators,ou=Groups,o=ab.ca" scope=0 filter="(objectclass=groupOfUniqueNames)"
    [14/Dec/2004:15:44:30 -0700] conn=46 op=5 RESULT err=0 tag=101 nentries=1 etime=1
    [14/Dec/2004:15:44:30 -0700] conn=46 op=6 SRCH base="uid=carlgren,ou=people,o=sturgeon.ab.ca,o=ab.ca" scope=0 filter="(objectclass=*)"
    [14/Dec/2004:15:44:30 -0700] conn=46 op=6 RESULT err=0 tag=101 nentries=1 etime=0
    [14/Dec/2004:15:44:31 -0700] conn=48 fd=55 slot=55 connection from 192.168.0.12 to 192.168.0.12
    [14/Dec/2004:15:44:31 -0700] conn=48 op=0 BIND dn="uid=msg-admin-1,ou=People,o=sturgeon.ab.ca,o=ab.ca" method=128 version=3
    [14/Dec/2004:15:44:31 -0700] conn=48 op=0 RESULT err=0 tag=97 nentries=0 etime=0
    [14/Dec/2004:15:44:31 -0700] conn=48 op=1 SRCH base="ou=carlgren,ou=people,o=sturgeon.ab.ca,o=ab.ca,o=pab" scope=2 filter="(|(cn=*)(ou=*))"
    [14/Dec/2004:15:44:31 -0700] conn=48 op=1 RESULT err=0 tag=101 nentries=40 etime=0
    [14/Dec/2004:15:44:31 -0700] conn=48 op=2 SRCH base="ou=carlgren,ou=people,o=sturgeon.ab.ca,o=ab.ca,o=pab" scope=2 filter="(|(objectclass=pab)(objectclass=pabgroup))"
    [14/Dec/2004:15:44:31 -0700] conn=48 op=2 RESULT err=0 tag=101 nentries=2 etime=0
    [14/Dec/2004:15:44:31 -0700] conn=48 op=3 SRCH base="ou=carlgren,ou=people,o=sturgeon.ab.ca,o=ab.ca,o=pab" scope=2 filter="(memberofpab=AddressBook271b6af)"
    [14/Dec/2004:15:44:31 -0700] conn=48 op=3 RESULT err=0 tag=101 nentries=37 etime=0
    [14/Dec/2004:15:44:42 -0700] conn=38 op=3 SRCH base="o=sturgeon.ab.ca,o=ab.ca" scope=2 filter="(|([email protected])([email protected])([email protected]))"
    [14/Dec/2004:15:44:49 -0700] conn=38 op=3 RESULT err=11 tag=101 nentries=1 etime=7 notes=U
    If I put the machine back into dirsync mode then everything works fine. I must be missing something.
    In the morning I'll try again.
    Thanks for the help,
    Don
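Chris's fix further up (adding indexes for the attributes the IMTA searches) and Don's access-log clip (err=11 with notes=U on the conn=38 address lookup) are two views of the same symptom: an unindexed search hitting the server's lookthrough limit. The script below is an added example, not code from either post or from Sun: it pairs SRCH and RESULT lines by conn/op, flags searches the server marked unindexed (notes=U) or refused with err=11, counts which filter attributes those searches use, and emits the DS 5.x index entry LDIF for each. The sample log lines are constructed, and the backend name userRoot is an assumption.

```python
"""Find unindexed searches in a Sun/Netscape Directory Server 5.x access log
and emit the index entries that would fix them."""
import re
from collections import defaultdict

# Constructed sample lines in the DS 5.x access-log format (not a real server's log).
# conn=38 mimics the MTA's three-way address lookup that ends with err=11 notes=U,
# the same shape as the failing line in the post above.
SAMPLE_LOG = """\
[14/Dec/2004:15:44:29 -0700] conn=46 op=4 SRCH base="o=example.com,o=isp" scope=2 filter="(uid=carlgren)"
[14/Dec/2004:15:44:29 -0700] conn=46 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[14/Dec/2004:15:44:42 -0700] conn=38 op=3 SRCH base="o=example.com,o=isp" scope=2 filter="(|(mail=jo@example.com)(mailAlternateAddress=jo@example.com)(mailEquivalentAddress=jo@example.com))"
[14/Dec/2004:15:44:49 -0700] conn=38 op=3 RESULT err=11 tag=101 nentries=1 etime=7 notes=U
[14/Dec/2004:15:45:01 -0700] conn=39 op=1 SRCH base="o=example.com,o=isp" scope=2 filter="(&(objectclass=groupOfUniqueNames)(mailUserStatus=active))"
[14/Dec/2004:15:45:03 -0700] conn=39 op=1 RESULT err=0 tag=101 nentries=12 etime=2 notes=U
[14/Dec/2004:15:45:10 -0700] conn=40 op=1 SRCH base="o=example.com,o=isp" scope=2 filter="(mail=al@example.com)"
[14/Dec/2004:15:45:14 -0700] conn=40 op=1 RESULT err=0 tag=101 nentries=1 etime=4 notes=U
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) .*?etime=(\d+)(?: notes=(\w+))?')
# Attribute name directly after an opening parenthesis, before the matching operator.
ATTR_RE = re.compile(r'\(([A-Za-z][A-Za-z0-9;-]*)[=~<>]')


def filter_attributes(ldap_filter):
    """Return the lower-cased attribute names used in an LDAP filter string."""
    return {name.lower() for name in ATTR_RE.findall(ldap_filter)}


def find_unindexed_searches(log_text):
    """Pair SRCH/RESULT lines by (conn, op) and return the searches that were
    either marked unindexed (notes=U) or failed with err=11 (adminLimitExceeded,
    the lookthrough limit that unindexed searches run into)."""
    pending = {}
    flagged = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            pending[(conn, op)] = {"base": base, "scope": int(scope), "filter": flt}
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, op, err, etime, notes = m.groups()
        srch = pending.pop((conn, op), None)
        if srch is None:
            continue  # RESULT for an operation we never saw (or a non-search op)
        err = int(err)
        unindexed = notes is not None and "U" in notes
        if unindexed or err == 11:
            srch.update(conn=conn, op=op, err=err, etime=int(etime), unindexed=unindexed)
            flagged.append(srch)
    return flagged


def index_candidates(flagged):
    """Count how often each attribute appears in flagged filters, most frequent first."""
    counts = defaultdict(int)
    for srch in flagged:
        for attr in filter_attributes(srch["filter"]):
            counts[attr] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def index_ldif(attr, backend="userRoot", index_types=("eq", "pres")):
    """LDIF for a DS 5.x index configuration entry.
    The backend name 'userRoot' is an assumption; use the name of your suffix's backend."""
    lines = [
        f"dn: cn={attr},cn=index,cn={backend},cn=ldbm database,cn=plugins,cn=config",
        "objectClass: top",
        "objectClass: nsIndex",
        f"cn: {attr}",
        "nsSystemIndex: false",
    ]
    lines += [f"nsIndexType: {t}" for t in index_types]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_unindexed_searches(SAMPLE_LOG)
    for h in hits:
        print(f"conn={h['conn']} op={h['op']} err={h['err']} etime={h['etime']}s "
              f"unindexed={h['unindexed']} filter={h['filter']}")
    print("\nattributes to index (count of flagged searches using them):")
    for attr, n in index_candidates(hits):
        print(f"  {attr}: {n}")
    print("\nexample index entry:")
    print(index_ldif(index_candidates(hits)[0][0]))
```

Adding the index entry only covers entries written afterwards; existing data still has to be rebuilt with the server's db2index tool before the notes=U lines disappear.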

  • Config UME with ABAP+LDAP datasource

    Hi all,
    We are implementing an EP installation. We want to reuse the ABAP role assignment for the portal roles, and we require an SSO solution based on SPNego.
    Now we can implement each on its own fine. The question is how we can connect the UME to use both the ABAP and the LDAP datasource. I opened an OSS about it and they said it's possible and supported, but I'm on my own when it comes to implementing it (or consulting, of course).
    Anyone had experience with this configuration or can provide me with the datasource schema file?
    Thanks in advance,
    Eric

    Try the following:
    1. Download the SPNegoWizard_645.zip (for 7.0) or SPNegoWizard_640 (for 6.40) from SAP Note 994791 and unzip it.
    2. Adjust the user running the SAP system in Active Directory.
    3. Copy the EAR and XML files from the SPNegoWizard.ZIP file to a temporary directory on the server.
    4. Open up the Visual Administrator. Logon with the admin ID.
    5. SID -> Server -> Services -> Deploy
    6. Open the Config Tool. (Yes to using DB settings)
    7. Select UME LDAP Data.
    8. Browse to the XML file you copied earlier (dataSourceConfiguration_ads_readonly_db_with_krb5.xml). Click the upload button.
    9. Select the configuration file you just uploaded. Click OK on the warning message.
    10. Set up the connection details as specified below:
    Server Name: xxxxxx
    Server Port: xxxxxxx
    User: SAPService<SID>@domain.com
    Password: xxxxxx
    Use UME unique id with unique LDAP attribute (checked): samaccountname
    User Path: dc=<domain>,dc=com
    Group Path: ou=xxxxxx,ou=xxxx,dc=xxxx,dc=xxxx
    11. Click the Test Connection button; you should see:
    Click Close when done.
    12. Click the Test Authentication button, enter the NT user ID and NT password, click the authenticate button, and you should get a success message:
    13. Select cluster-data -> Global Server Configuration -> services -> com.sap.security.core.ume.service
    14. Edit ume.admin.addattrs.
    Add the values: krb5principalname;kpnprefix;dn
    Click the Set button.
    15. Click the Save button or File -> Apply.
    16. Close the Config Tool and restart the Java engine.
    17. After the engine is restarted, continue on with the Kerberos configuration.
    18. Open up the SPNego Wizard by going to the following URL: http://<server>:<port>/spnego
    19. Logon with the Administrator user ID.
    20. Select the check boxes for "Service user is created and configured in Active Directory" and "UME configuration includes SPNego specific settings".
    Click the Next button.
    21. Click the Add Kerberos Realm button and enter your domain name (e.g. company.com).
    22. For the Realm Configuration's KDCs (Key Distribution Centers) put in <KDC host> and 88 for the port (the port should already be filled in).
    23. In the KPN (Kerberos Principal Name) section enter the Service User Name & Password.
    Service User: SAPService<SID>
    Password: xxxx
    Leave LDAP Host blank.
    24. Click the Next button.
    25. Select Prefix Based for the Resolution Mode and click Next.
    26. In Policy Configuration we want to create a new policy called spnego. Tick Basic password Fallback (when SSO does not work) and tick SSO with Logon Tickets. Click the Next button.
    27. Click Finish on the Confirmation screen.
    28. Close the browser and restart the engine.
    29. After the engine has finished restarting, continue with the final steps.
    30. Open up the Visual Administrator. Logon as the Administrator ID.
    31. SID -> Server -> Services -> Security Provider
    32. Go into change mode by clicking the change button.
    33. On the Runtime tab -> Policy Configurations tab -> select ticket from the Components list.
    34. On the Authentication tab for the ticket component -> select Authentication Template: spnego
    35. Now go to the useradmin service (http://<server>:<port>/useradmin) to test the Kerberos SSO. You should get signed on without entering a user name or password.
    You are done!

  • Direct Ldap Issue

    Hi
    I am using messaging server 5.2. Previously we were using Dirsync in our messaging server; after migrating to Direct LDAP we are receiving the following error for some domains:
    "5.1.1 unknown or illegal alias: [email protected]"
    I am attaching the output of /imsimta test -rewrite [email protected] for your reference:
    forward channel = l
    channel description =
    channel user filter =
    dest channel filter =
    source channel filter =
    channel flags #0 = BIDIRECTIONAL MULTIPLE IMMNONURGENT NOSERVICEALL
    channel flags #1 = NOSMTP DEFAULT
    channel flags #2 = NOSENDPOST NOWARNPOST POSTHEADONLY HEADERINC NOEXPROUTE
    channel flags #3 = LOGGING NOGREY NORESTRICTED RETAINSECURITMULTIPARTS
    channel flags #4 = EIGHTBIT NOHEADERTRIM NOHEADERREAD RULES
    channel flags #5 =
    channel flags #6 = LOCALUSER REPORTHEADER
    channel flags #7 = NOSWITCHCHANNEL NOREMOTEHOST DATEFOUR DAYOFWEEK
    channel flags #8 = NODEFRAGMENT EXQUOTA REVERSE NOCONVERT_OCTET_STREAM
    channel flags #9 = NOTHURMAN INTERPRETENCODING USEINTERMEDIATE RECEIVEDFROM VALIDATELOCALSYSTEM NOTURN
    defaulthost = hathway.com hathway.com
    linelength = 1023
    channel env addr type = SOURCEROUTE
    channel hdr addr type = SOURCEROUTE
    channel official host = mhr.hathway.com
    channel queue 0 name = LOCAL_POOL
    channel queue 1 name = LOCAL_POOL
    channel queue 2 name = LOCAL_POOL
    channel queue 3 name = LOCAL_POOL
    channel after params =
    channel user name =
    urgentnotices = 1 2 4 7
    normalnotices = 1 2 4 7
    nonurgentnotices = 1 2 4 7
    channel rightslist ids =
    local behavior flags = %x7
    backward channel = l
    header To: address = [email protected]
    header From: address = [email protected]
    envelope To: address = [email protected] (route (mhr.hathway.com,mhr.hathway.com)) (host ol24.net)
    envelope From: address = [email protected]
    name =
    mbox = test
    Extracted address action list:
    [email protected]
    Extracted 733 address action list:
    [email protected]
    Address list expansion:
    0 expansion total.
    Expanded address:
    [email protected]
    Submitted address list:
    Address list error -- 5.1.1 unknown or illegal alias: [email protected]
    Submitted notifications list:
    Regards
    Prashant

    Prashant_wagh wrote:
    I am using messaging server 5.2. Previously we were using Dirsync in our messaging server; after migrating to Direct LDAP we are receiving the following error for some domains:
    "5.1.1 unknown or illegal alias: [email protected]"
    Please always provide the full version of Messaging Server (./imsimta version).
    Was this address "working" prior to implementing direct-ldap?
    This issue usually occurs for two reasons:
    1) You have no user/group LDAP entry which has a mail:/mailalternateaddress:/mailequivalentaddress: of [email protected]
    2) You have more than one entry with a mail:/mailalternateaddress:/mailequivalentaddress: of [email protected]
    The old (and broken) dirsync mechanism would "handle" the second scenario. You can check to see whether you have (1) or (2) occurring by performing an ldap search, e.g.
    ldapsearch -h <directory server> -b <user/group base> -D "cn=directory manager" -w <directory manager password> \
    "(|(mail=[email protected])(mailalternateaddress=[email protected])(mailequivalentaddress=[email protected]))" dn
    e.g.
    ldapsearch -h myserver.com -b o=isp -D "cn=directory manager" -w secretpass \
    "(|(mail=[email protected])(mailalternateaddress=[email protected])(mailequivalentaddress=[email protected]))" dn
    Regards,
    Shane.
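    To see why Shane's two causes end in the same bounce, here is an added example (not from the thread and not Messaging Server code) that emulates the Direct LDAP recipient lookup offline: one search across mail, mailAlternateAddress and mailEquivalentAddress, with exactly one hit required. The LDIF entries, addresses and the o=isp base below are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample directory in LDIF form (not real data): one clean user
# and one address claimed by two entries, the case dirsync used to "handle".
SAMPLE_LDIF = """\
dn: uid=test,ou=People,o=example.com,o=isp
mail: test@example.com
mailAlternateAddress: test@mhr.example.com

dn: uid=alice,ou=People,o=example.com,o=isp
mail: alice@example.com

dn: uid=alice2,ou=People,o=example.com,o=isp
mail: alice.other@example.com
mailEquivalentAddress: alice@example.com
"""
# The three attributes the MTA consults, as in Shane's ldapsearch filter.
MAIL_ATTRS = ("mail", "mailalternateaddress", "mailequivalentaddress")

def parse_ldif(text):
    """Parse minimal LDIF (no continuation lines, no base64) into (dn, attrs)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()  # attr names are case-insensitive
            if key == "dn":
                dn = value
            else:
                attrs[key].append(value)
        entries.append((dn, attrs))
    return entries

def lookup(address, entries):
    """DNs matching (|(mail=a)(mailalternateaddress=a)(mailequivalentaddress=a))."""
    addr = address.lower()
    return [dn for dn, attrs in entries
            if any(v.lower() == addr for a in MAIL_ATTRS for v in attrs.get(a, []))]

def diagnose(address, entries):
    """Map the hit count to Shane's two causes of the 5.1.1 bounce."""
    hits = lookup(address, entries)
    if len(hits) == 1:
        return "delivered", hits
    if not hits:
        return "reason 1: no entry -> 5.1.1 unknown or illegal alias", hits
    return "reason 2: %d entries claim it -> 5.1.1 unknown or illegal alias" % len(hits), hits
```

    Run diagnose() over the addresses the MTA bounces; the returned DN list tells you whether to add the missing entry or remove the duplicate claim.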

  • CE565/CE7325 with MS LDAP Auth - Problem

    Once again it seems I am the first one to use a new product. I have a CE565 that I am trying to get to work with MS LDAP. Anyone had any luck doing this? Cisco TAC is having a difficult time tracking down the problem.
    ce565#sho ldap
    LDAP Configuration:
    LDAP Authentication is enabled
    Allow mode: disabled
    Base DN: DC=domain,DC=com
    Filter: <none>
    Retransmits: 2
    Timeout: 5 seconds
    UID Attribute: uid
    Group Attribute: memberOf
    Administrative DN: <none>
    Administrative Password: <none>
    LDAP version: 3
    LDAP port: 389
    Server Status
    192.168.99.7 primary
    <none> secondary
    ce565#debug authe http
    Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2498 ***pam_ldap: Begin
    Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2502 *** pam_ldap: Got username ralldread
    Apr 24 22:44:56 ce565 http_authmod: _pam_ldap_get_session:1977 *** pam_ldap: Begin
    Apr 24 22:44:56 ce565 http_authmod: _read_config:570 ***pam_ldap: Reading configuration
    Apr 24 22:44:56 ce565 http_authmod: ldap_server_validate:1928 ***pam_ldap: === Host[0] 192.168.99.7 ===
    Apr 24 22:44:56 ce565 http_authmod: ldap_server_isalive:1851 ***pam_ldap: Connecting...
    Apr 24 22:44:56 ce565 http_authmod: ldap_server_isalive:1867 ***pam_ldap: Socket timeout 5
    Apr 24 22:44:56 ce565 http_authmod: ldap_server_isalive:1891 ***pam_ldap: Connected to 192.168.99.7
    Apr 24 22:44:56 ce565 http_authmod: ldap_server_validate:1948 ***pam_ldap: ServerAlive [1] (up=1, down=0)
    Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2508 *** pam_ldap: Got session
    Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2519 *** pam_ldap: Do authentication
    Apr 24 22:44:56 ce565 http_authmod: _get_user_info:1672 *** pam_ldap: Begin user ralldread
    Apr 24 22:44:56 ce565 http_authmod: _connect_anonymously:1059 *** pam_ldap: Host 192.168.99.7
    Apr 24 22:44:56 ce565 http_authmod: _connect_anonymously:1063 *** pam_ldap: Open session
    Apr 24 22:44:56 ce565 http_authmod: _open_session:927 *** pam_ldap: Begin
    Apr 24 22:44:56 ce565 http_authmod: _connect_anonymously:1074 *** pam_ldap: Binding...
    Apr 24 22:44:56 ce565 http_authmod: _get_user_info:1676 *** pam_ldap: Connected anonymously
    Apr 24 22:44:56 ce565 http_authmod: _get_user_info:1699 *** pam_ldap: Filter (uid=ralldread)
    Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2522 *** pam_ldap: Done authentication FAILURE
    Any thoughts?

    I got it working. I did 2 things. One, I rebuilt the server to make sure Active Directory was working correctly. Two, I changed the DC=domain to be dc=domain. I haven't had a chance to test which one actually fixed it, but here is the config that I am using.
    ce565#sho run
    device mode content-engine
    hostname ce565
    http authentication header 407
    http authentication cache timeout 1
    http authentication cache max-entries 32000
    http proxy incoming 8888
    clock timezone EST -5 0
    ip domain-name demodomain
    https proxy incoming 8888
    interface GigabitEthernet 1/0
    ip address 10.10.220.71 255.255.255.0
    exit
    interface GigabitEthernet 2/0
    shutdown
    exit
    ip default-gateway 10.10.220.1
    primary-interface GigabitEthernet 1/0
    no auto-register enable
    ip name-server 10.10.220.80
    pre-load enable
    pre-load depth-level-default 2
    pre-load resume
    pre-load traverse-other-domains
    pre-load url-list-file ftp://ftpuser:[email protected]/ce-preload.txt
    transaction-logs enable
    transaction-logs log-windows-domain
    transaction-logs archive interval every-hour every 10
    transaction-logs sanitize
    transaction-logs export enable
    transaction-logs export interval every-hour every 10
    transaction-logs export ftp-server 10.10.220.80 ftpuser ftpuser /
    transaction-logs format extended-squid
    username admin password 1 bVmDmMMmZAPjY
    username admin privilege 15
    ldap server base "dc=demodomain"
    ldap server userid-attribute cn
    ldap server host 10.10.220.80 primary
    ldap server administrative-dn "cn=administrator,cn=users,dc=demodomain"
    ldap server administrative-passwd ****
    ldap server active-directory-group enable
    ldap server version 3
    ldap server enable
    authentication login local enable primary
    authentication configuration local enable primary
    url-filter http smartfilter enable
    cdm ip 10.10.220.70
    cms enable
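    As an added check (not Cisco code and not from the thread), the failing "sho ldap" settings and the ldap lines of the working "sho run" quoted above, parsed and audited side by side: besides the DC=/dc= case change the poster mentions, the working config also sets an administrative DN and moves the userid attribute from uid to cn, which is what the failing settings lack. The statements about Active Directory refusing anonymous user searches and not populating uid are general knowledge, not taken from the thread; the two inputs are trimmed copies of the posted output.

```python
import re
# Trimmed copies of the two outputs quoted in the thread: the failing
# 'sho ldap' and the ldap lines of the working 'sho run'.
FAILING_SHOW_LDAP = """\
Base DN: DC=domain,DC=com
UID Attribute: uid
Administrative DN: <none>
LDAP port: 389
"""
WORKING_RUN = """\
ldap server base "dc=demodomain"
ldap server userid-attribute cn
ldap server host 10.10.220.80 primary
ldap server administrative-dn "cn=administrator,cn=users,dc=demodomain"
ldap server administrative-passwd ****
"""
# running-config keywords -> the labels 'sho ldap' prints, so both parse alike
RUN_KEYS = {"base": "base dn", "userid-attribute": "uid attribute", "administrative-dn": "administrative dn"}

def parse_show_ldap(text):
    """'Label: value' lines -> {lowercase label: value}; '<none>' becomes None."""
    cfg = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            value = value.strip()
            cfg[label.strip().lower()] = None if value == "<none>" else value
    return cfg

def parse_running_config(text):
    """'ldap server <keyword> <value>' lines -> same keys as parse_show_ldap."""
    cfg = {}
    for m in re.finditer(r'^ldap server (\S+)\s+"?([^"\n]*?)"?\s*$', text, re.M):
        cfg[RUN_KEYS.get(m.group(1), m.group(1))] = m.group(2)
    return cfg

def audit(cfg):
    """Findings that account for the FAILURE in the debug log, plus one caveat."""
    findings = []
    if cfg.get("administrative dn") is None:
        findings.append("anonymous search: AD refuses anonymous user lookups, "
                        "so (uid=ralldread) can never match")
    if (cfg.get("uid attribute") or "").lower() == "uid":
        findings.append("uid attribute: AD accounts carry no 'uid'; use "
                        "sAMAccountName (or cn, as the working config does)")
    if cfg.get("ldap port", "389") == "389":   # 389 is the device default
        findings.append("port 389: simple binds send passwords in clear; "
                        "prefer LDAPS or StartTLS")
    return findings
```

    audit(parse_show_ldap(FAILING_SHOW_LDAP)) returns three findings and audit(parse_running_config(WORKING_RUN)) only the cleartext caveat, which the working config does not address either.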
