IMS52 (with Direct LDAP Mode) Directory Failover
I would like to configure all components of iMS5.2 for Directory Server failover. That should include (Direct LDAP) MTA, Messaging Express, authentication, Personal Address Book, Delegated Administration, etc.
What are all the settings I need to configure for any of these components to failover to an alternate directory server?
Thanks,
Fred
./configutil -o local.ugldaphost -v "host.domain,host.domain,host.domain"
See the 5.2 Reference Manual, Chapter 4 for all of the configutil variables.
Similar Messages
-
What is direct ldap mode.
I want to know why some people suggest using direct LDAP. I want to know the differences between default and direct LDAP mode and how to enable it.
I'm going to quote from the engineers responsible for Direct LDAP, "Dirsync is the blackest kind of black magic. Direct LDAP is White Magic."
Basically, Dirsync is an old holdover from the days when Sun didn't have a high-performance Directory Server, but did have a high-performance mail server. Back in the days of the old Sun Directory Server (no relationship to the current product, which was purchased as part of Netscape), Dirsync was developed as a way to gather the entire contents of the old directory into the mail server.
Since the current Sun JES directory server, iPlanet Directory Server, is a very high-performance product, this is no longer needed. Dirsync uses a directory server in a very non-optimal way, essentially. Every day, Dirsync goes to the directory and says, "tell me all you know". Every 10 minutes, it says to the directory, "tell me all you've learned in the last 10 minutes". These queries are very difficult for a directory server to handle, especially in large deployments, and can crash a directory server.
Direct LDAP is different. It uses the directory server in the way that the directory server was designed to be used. Look up a single user, with an indexed search. Direct LDAP is well documented, while Dirsync was not. Direct LDAP uses advanced cache systems. Dirsync did not. Direct LDAP is undergoing development and fixes, while Dirsync is not. Dirsync has bugs, and will never be fixed.
Messaging 6.0 and later do not even include the Dirsync capability.
Direct LDAP proves to perform faster than Dirsync, in real deployments, too.
Hopefully, that answers the questions? -
Some things no longer work after switch to direct LDAP mode
Hi,
today I tried switching to direct LDAP mode following the documentation.
Now I can no longer send mail directed to hosts as
[email protected]
I always get a 5.1.1 unknown or illegal alias,
whereas email@{subdomain}.domain.com is OK, as long as the subdomain is known to the MTA, i.e. it is an alias object in the DC tree.
Also, some aliases defined in the file "aliases" are no longer recognized;
for convenience, I had some default forward lines like
*@domain.com: @otherrelay:*@domain.com
which effectively acted like a smarthost, i.e. mail to addresses not known in domain.com was forwarded to "otherrelay".
Now, I could probably solve the second problem by using a smarthost in the DC tree's domain config.
The first problem, however, puzzles me... it looks like if it doesn't find a matching address, and the host is not known as a domain, then further rewrite rules are not applied?
I found the problem:
in option.dat, DOMAIN_UPLEVEL must be set to 0 in order to have the old behaviour (wildcards in the alias file, and the possibility to send mail directly to specified hosts).
I had set it to 1, in the hope the MTA would be more tolerant in finding users (if [email protected] is not found, then maybe it exists at [email protected], so use this instead), as some of our users have quite some problems addressing other users in the correct subdomain. -
Hi Jay,
I am having a problem with the switch to Direct LDAP. I am finally doing it on my production server. Using ldap 4.16 currently. Once I get this working I am upgrading to 5.2
We have a server that holds messages until a user releases them. This server is called ewall.mydomain.com.
They get a message in their inbox that allows them to click on a link to send the ewall server a message to release the held mail.
the link would look like this:
[email protected]
(all on one line)
This worked just fine in dirsync mode, but after switching to Direct LDAP I get a 5.1.1 unknown or illegal alias when the user tries to send the message. If I switch back to dirsync mode it works fine again. Everything else is working fine.
Any ideas?
Thanks
Don
Well, it means that for some reason, your [email protected]
user isn't being picked up in the direct ldap.
It could be that your domain is "mydomain.com", and the user is in "ewall.mydomain.com". dirsync assumes that subdomains are part of an overall domain;
direct ldap doesn't, unless you set
domain_uplevel=3 in your option.dat, and recompile -
Tax issue with Direct Input mode of RFBIBL00
Hi, I have a problem using RFBIBL00 (direct input mode) to create A/R invoices. There is no tax associated with the invoice; however, when I use direct input mode, instead of posting immediately, a batch input session is created. In the log there is an information message: 'Specify a tax jurisdiction key'. The BDC session is processed with no error.
When using Call transaction mode for RFBIBL00, the document is posted immediately, but the requirement is to use Direct input mode.
There is no converted data in the BBTAX structure since the doc. does not need to post to a tax account. Do I need to populate the Tax amount, Tax code and jurisdiction code in this structure and in BBSEG in order to bypass the information message?
Any advice is appreciated.
- Minami
Problem solved. Just need to untie the relationship between the ITEM import structure and the BBTAX so the Direct Input program will not require a tax jurisdiction code.
-
Setup table Administration with Direct Delta mode
Hi guys,
I have direct delta as the update mode for my 2LIS_11_VAITM extractor in R/3.
I'd like to know if I have to manage the corresponding setup table (MC11VA0ITMSETUP) with this update mode as well.
For instance, if I delete an ODS content and restart a new INIT on the BW system, do I need to delete and then fill the setup table?
In general, do I always need to manage the setup table with each kind of update mode (direct delta, queued delta and V3 update)?
If you know the answers, please reply to me directly without inserting a link.
Many Thanks.
Yes, you do... the initial loads for LO datasources are completely independent of the delta loads and hence of the delta method...
/people/sap.user72/blog/2005/01/19/logistic-cockpit-delta-mechanism--episode-three-the-new-update-methods
M. -
Optimizing Mailing Lists with Direct LDAP
Hey all,
I've noticed performance issues with iMS 5.2p1 (with iDS 5.1) with respect to direct LDAP lookups, especially for large mailing lists. Even a 28-user list takes 10 minutes, whereas with MS 4.1.5 it was practically instant. We also have a dynamic group with everyone (4000 people or so) and it simply pegs the LDAP server at 100% CPU and sits there for a day. It seems that there are a ton of ways to optimize the caches and LDAP lookups. Where should I start or what should I do? What settings should I look to fix on the LDAP server, IMTA, etc. to speed things up?
Thanks!
Chris
This was an LDAP server optimization issue. I increased the memory for both the slapd cache and the database cache. I then added indexes for all the common items searched for by the IMTA. I was watching the slapd access logs and saw that the IMTA searches for a lot of important items that are not indexed by default. I added indexes for:
inetUserStatus
mailUserStatus
inetMailGroupStatus
mailEquivalentAddress
mailRoutingAddress
mailMsgMaxBlocks
mailQuota
mailMsgQuota
mailProgramDeliveryInfo
mailDeliveryFileURL
maildeliveryfile
mailConversionTag
mailDeliveryOption
vacationStartDate
vacationEndDate
mailForwardingAddress
memberURL
rfc822mailmember
mailAccessDomain
mailMessageStore
preferredLanguage
mailAllowedServiceAccess
Now a message to everyone that took 24 hours and never went through takes just over a minute to get to 4000 users on my little test server. Smaller dynamic lists are even faster. General performance of message delivery is also faster, as is SMTP response from the client perspective. -
Direct Ldap configuration mismatch....
I am running directory server 5.1 and messaging server 5.2.
I have one message store (msA.example.com) for users to retrieve mail, and it queries the directory master server (dsA.example.com) with direct LDAP configured.
I am configuring another messaging server (msB.example.com) with SMTP authentication for the same users to send mail through, and it queries another LDAP consumer server (dsB.example.com).
dsB is replicated from dsA immediately after any modification done to dsA. My present setup works fine if msB is configured in dirsync mode, but I want to configure it to use direct LDAP from dsB.
When I try to send email via msB (with direct LDAP enabled) it waits a long time after (SMTP) authentication and then terminates with a "server unexpectedly terminated the connection" message on the Outlook client. I cannot see any message in mail.log_current.
All my direct ldap settings are correct and compiled properly.
Later I found that when I comment the
" $* $E$F$U%$[email protected]$V$H " line on imta.cnf file it works fine, ie. without any delay message is delivered.
(But this has to be uncomment with direct ldap mode according to the sun documentation)
Can anyone clarify this? I could see that even without uncommenting the above line direct LDAP works fine!
Thanks for the replies...
But I tried with the way that you mentioned, but still the problem persists.
No any message on DEBUG logs.
But I have some more thing to tell....
When I first installed the messaging server (msB), I used dsA as the LDAP server. So after installation I got the below results with configutil.
local.ugldaphost = dsA.example.com
local.ldaphost = dsA.example.com
local.service.pab.ldaphost = dsA.example.com
Since I want to use ldap queries from dsB, I change user lookups to dsB
Then the output was,
local.ugldaphost = dsB.example.com
local.ldaphost = dsA.example.com
local.service.pab.ldaphost = dsB.example.com
Do you think this causes the error?
I cannot use dsB for local.ldaphost since it makes msB unusable. What I only need here is to get the user lookups from dsB. -
Hi, I am testing out features in 5.2 after an upgrade from NMS 4.15. I couldn't find any benefits of using Dirsync, so I switched to direct LDAP mode. The main reason was that if I make a change in the directory I want the mail server to pick it up right away, just like it does in 4.15.
I have noticed that, even in direct LDAP mode, things like changing a users forwarding address or vacation message take about 15 minutes for the mail server to pick up. It does not seem like a direct lookup at all, there must be some type of caching. Has anyone else experienced this, or can someone explain it ?
Thanks,
Mark
I have the same problem.
Did you get any answer for it ?
Vincent -
Aliases, mailforwardaddress,direct ldap, seeking clarification
Howdy,
We're running iMS 5.2p1 with IDS. We're still in dirsync mode and simply want to switch to direct ldap. The instructions are clear but I'm hesitating as I look into our aliases file and how to proceed. My questions are as follows -
1) yes or no: In direct ldap mode, the msg-instance/db/aliases file is NOT used ever?
2) if the answer to #1 is YES, then is the "solution" to create an ldap entry for a simple mail-id with a mailforwardaddress: attribute? Or if distributing to multiple users from a single mail-id, create a group/distribution list?
3) Is it possible to be in direct ldap mode AND still use an alias database?
We're not in the extreme on alias usage, maybe a few hundred. However when I start looking at adding a few hundred LDAP entries and then managing mailforwardaddresses: for something I used to do in one line in an alias file it becomes overkill. Perchance an ou=alias ldap entry could be thrown into the next version or maybe even gasp use the alias entry for all our Solaris servers which is already stored in LDAP?
It may be a case where performance vs. scalability vs. simplicity and I can accept that as a sound reason. Man alive though I love iMS and my aliases file! <smile>
Thanks for any feedback,
Doug
Actually, I'd like to correct that.
1) yes or no: In direct ldap mode, the
msg-instance/db/aliases file is NOT used ever?
The aliasesdb.db is referred to, in the case that
direct ldap lookup does not find anything (this is
what the "alias magic" setting in option.dat does).
2) if the answer to #1 is YES, then is the "solution"
to create an ldap entry for a simple mail-id with a
mailforwardaddress: attribute? Or if distributing to
multiple users from a single mail-id, create a
group/distribution list?
I'm not at all sure what you're trying to achieve.
We normally recommend REMOVING the old aliasesdb.db,
unless there are things there you need to keep, or
are willing to maintain.
If you need a few aliases, there is a separate
aliases file. If you need alternate addresses, put
'em in the user's mailalternateaddress or
mailequivalentaddress attributes.
This makes sense, I'll summarize more below.
>
3) Is it possible to be in direct ldap mode AND still
use an alias database?
Again, yes, but why would you want to do that? You'd
have to create the database, and maintain it. Bad
Idea.
We're not in the extreme on alias usage, maybe a few
hundred. However when I start looking at adding a few
hundred LDAP entries and then managing
mailforwardaddresses: for something I used to do in
one line in an alias file it becomes overkill.
Why forwarding addresses? This really doesn't make
sense.
Sure it does, in my mind <smile> here's the situation. We're a college where students, staff and faculty will either graduate, move to another college nearby or move across the country. When they do so, maintaining an entry in a file such as -
jsmith: [email protected]
Is pretty simple. This file can also be shared with other Sun servers or placed into the LDAP/NIS Alias entry. So the functionality extends beyond iMS a bit.
With a graduating class of say 400, with an email forwarding policy of 12 months after departure, these would accumulate in the LDAP database with no other iMS information than a mailforwardaddress needed. As we know, LDAP requires a tad more information to accept a record. Hence the perception on my part of the alias file. (I'm just afraid of change, bear with me!)
>
How do you do it NOW? What is it you're doing?
We run in dirsync mode and rebuild the alias database. I also think I'm using the terms alias *file* and alias *database* interchangeably. I do understand that the DB gets built from the file.
>
>
Perchance an ou=alias ldap entry could be thrown into
the next version or maybe even *gasp* use the alias
entry for all our Solaris servers which is already
stored in LDAP?
It may be a case where performance vs. scalability
vs. simplicity and I can accept that as a sound
reason. Man alive though I love iMS *and* my aliases
file! <smile>
Again, what is it exactly that you want to do? Most
likely there's an easy way to do it.
Thanks for any feedback,
Thank you, I appreciate the additional information. We also use the alias file to add quick addresses, like for a department which only wants mail sent from one email address to many. No other functionality needed. For example -
summerconference2003: user1, user2, user3
A simple and quick "one to several" email address. Granted, for iMS I'd have to add the domain but the concept is the same.
Thanks again,
Doug -
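Doug's two alias shapes above, a one-line forward ("jsmith: [email protected]") and a one-to-several list ("summerconference2003: user1, user2, user3"), are what Jay suggests moving into the directory once the aliases database is dropped. The following Python is an added example, not code from the thread or from Sun: it parses an aliases file and emits LDIF, rendering a single-target alias as a forwarding-only user entry (mailDeliveryOption: forward plus mailForwardingAddress, both attributes the thread mentions) and a multi-target alias as a mail group whose external members are rfc822mailmember values (the attribute Chris indexed above). The sample alias lines are constructed, and the object class lists, the ou=People/ou=Groups placement and the base DN are assumptions to check against your own schema before loading the output.

```python
import base64
from typing import Dict, List

# Schema assumptions for this added example (not from the thread or from Sun):
# mailForwardingAddress, mailDeliveryOption and rfc822mailmember are attribute
# names the thread itself mentions; the object class lists below are what the
# example assumes a Messaging Server 5.2 user and mail group entry carry.
# Confirm both against your directory (ldapsearch -b cn=schema) before loading.
USER_OBJECTCLASSES = ("top", "person", "organizationalPerson", "inetOrgPerson",
                      "inetUser", "ipUser", "inetMailUser", "inetLocalMailRecipient")
GROUP_OBJECTCLASSES = ("top", "groupOfUniqueNames", "inetMailGroup")

_DN_SPECIAL = ',+"\\<>;='


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """Parse sendmail-style alias lines ("name: target, target") into a dict.

    Comments and blank lines are skipped; a line that starts with whitespace
    continues the previous alias's target list.
    """
    aliases: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError(f"continuation line before any alias: {raw!r}")
            aliases[current].extend(_split_targets(raw))
            continue
        name, sep, rest = raw.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed alias line: {raw!r}")
        current = name.strip().lower()
        aliases[current] = _split_targets(rest)
    return aliases


def _split_targets(s: str) -> List[str]:
    return [t.strip() for t in s.split(",") if t.strip()]


def qualify(address: str, domain: str) -> str:
    """Add @domain to a bare local part (the alias file allowed plain "user1")."""
    return address if "@" in address else f"{address}@{domain}"


def dn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514 so an odd alias name cannot break the DN."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; base64-encode values RFC 2849 cannot carry literally."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def alias_to_ldif(name: str, targets: List[str], domain: str, base_dn: str) -> str:
    """Render one alias as an LDIF entry: one target -> forwarding user,
    several targets -> mail group listing them as rfc822mailmember."""
    if not targets:
        raise ValueError(f"alias {name!r} has no targets")
    mail = f"{name}@{domain}"
    if len(targets) == 1:
        lines = [f"dn: uid={dn_value(name)},ou=People,{base_dn}"]
        lines += [ldif_attr("objectClass", oc) for oc in USER_OBJECTCLASSES]
        lines += [ldif_attr("uid", name), ldif_attr("cn", name), ldif_attr("sn", name),
                  ldif_attr("mail", mail),
                  ldif_attr("mailDeliveryOption", "forward"),
                  ldif_attr("mailForwardingAddress", qualify(targets[0], domain))]
    else:
        lines = [f"dn: cn={dn_value(name)},ou=Groups,{base_dn}"]
        lines += [ldif_attr("objectClass", oc) for oc in GROUP_OBJECTCLASSES]
        lines += [ldif_attr("cn", name), ldif_attr("mail", mail)]
        lines += [ldif_attr("rfc822mailmember", qualify(t, domain)) for t in targets]
    return "\n".join(lines) + "\n"


def aliases_to_ldif(aliases: Dict[str, List[str]], domain: str, base_dn: str) -> str:
    """Concatenate entries, separated by the blank line LDIF requires."""
    return "\n".join(alias_to_ldif(n, t, domain, base_dn) for n, t in aliases.items())


# Constructed sample, modelled on the two alias lines quoted in the thread.
SAMPLE_ALIASES = """\
# forwarding for a departed user
jsmith: jsmith@newschool.example
# one address that fans out to several people
summerconference2003: user1, user2,
    user3
"""

if __name__ == "__main__":
    print(aliases_to_ldif(parse_aliases(SAMPLE_ALIASES),
                          "college.example", "o=college.example,o=isp"))
```

Load the output with ldapmodify against the user/group suffix and then confirm each address with imsimta test -rewrite, as Prashant does further down this page. Under strict schema checking groupOfUniqueNames requires a uniqueMember value, so an all-external group may need whatever structural class your Directory Server accepts; the two constants at the top are the only place that needs changing.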
[OBPM 10gR3]How to configer a hybrid directory with Oracle LDAP Server
Hey, guys,
Does anyone have experience configuring a hybrid directory with Oracle LDAP Server? How do I configure the mapping conf file for Oracle LDAP in the directory \OraBPMwlHome\conf?
Here is my conf file. But I got some LDAP mapping errors. It's really weird that OBPM doesn't support Oracle's own LDAP, or at least it does not provide the conf file.
-----------errors------------
Exception [javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Function Not Implemented]; remaining name '']. Reason: [LDAP: error code 53 - Function Not Implemented] fuego.directory.DirectoryRuntimeException: Exception [javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Function Not Implemented]; remaining name '']. at fuego.directory.DirectoryRuntimeException.wrapException(DirectoryRuntimeException.java:85) at fuego.directory.hybrid.ldap.JNDIQueryExecutor.select(JNDIQueryExecutor.java:203) at fuego.directory.hybrid.ldap.JNDIQueryExecutor.selectAllFromView(JNDIQueryExecutor.java:84) at fuego.directory.hybrid.ldap.JNDIQueryExecutor.selectAllFromView(JNDIQueryExecutor.java:64) at fuego.directory.hybrid.ldap.Repository.selectAllFromView(Repository.java:54) at fuego.directory.hybrid.ldap.LDAPPollingEventGenerator.buildCurrentProxies(LDAPPollingEventGenerator.java:98) at fuego.directory.provider.notifiers.BasePollingEventGenerator.generateEvents(BasePollingEventGenerator.java:41) at fuego.directory.hybrid.HybridMultipleEventGenerator.generateEvents(HybridMultipleEventGenerator.java:43) at fuego.directory.provider.notifiers.DirectoryNotifier.notifyChanges(DirectoryNotifier.java:403) at fuego.server.service.DirectoryListener.updateEngineFromDirectoryImpl(DirectoryListener.java:309) at fuego.server.service.DirectoryListener$DirectoryPollingItem.execute(DirectoryListener.java:351) at fuego.server.execution.DefaultEngineExecution$AtomicExecutionTA.runTransaction(DefaultEngineExecution.java:304) at fuego.transaction.TransactionAction.startBaseTransaction(TransactionAction.java:470) at fuego.transaction.TransactionAction.startTransaction(TransactionAction.java:551) at fuego.transaction.TransactionAction.start(TransactionAction.java:212) at fuego.server.execution.DefaultEngineExecution.executeImmediate(DefaultEngineExecution.java:123) at fuego.server.execution.DefaultEngineExecution.executeAutomaticWork(DefaultEngineExecution.java:62) at 
fuego.server.execution.EngineExecution.executeAutomaticWork(EngineExecution.java:42) at fuego.ejbengine.ejb.EngineStartupBean.executeItem(EngineStartupBean.java:192) at fuego.ejbengine.ejb.EngineStartupBean.updateFromDirectory(EngineStartupBean.java:172) at fuego.ejbengine.ejb.engine_startup_bpmengine_wodkyx_ELOImpl.updateFromDirectory(engine_startup_bpmengine_wodkyx_ELOImpl.java:365) at fuego.ejbengine.servlet.SchedulerServlet$DirectoryPollingTask.runImpl(SchedulerServlet.java:269) at fuego.ejbengine.servlet.SchedulerServlet$ScheduledTask.run(SchedulerServlet.java:208) at java.util.TimerThread.mainLoop(Timer.java:512) at java.util.TimerThread.run(Timer.java:462) Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Function Not Implemented]; remaining name '' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3078) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2758) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1812) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1735) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321) at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248) at fuego.jndi.FaultTolerantDirContext.search(FaultTolerantDirContext.java:867) at fuego.directory.hybrid.ldap.JNDIQueryExecutor.select(JNDIQueryExecutor.java:190) ... 23 more
-----------mapping conf file for Oracle LDAP---------
<?xml version="1.0" encoding="UTF-8"?>
<?fuego version="6.1 ALPHA" application="albpmenterprise"?>
<!-- This file contains the proper attribute mapping for the FDI Generic Ldap Provider using Oracle Directory Service.
* Preference for group object
<preference id="assignedParticipants.containsId" value="true"/>
This preference is useful to speed up the provider and it can only be used if the assignedParticipant value is the dn of the user and the dn contains the participant id
<preference id="assignedParticipants.containsId" value="true"/>
This preference is useful to speed up the provider and it can only be used if the assignedGroup value is the dn of the group and the dn contains the group id
<preference id="modifyTimeStamp.suffix" value="Z"/>
This preference is useful when the suffix modifyTimeStamp format of your ldap is not .OZ.
-->
<config>
<object id="person">
<object-filter>
<![CDATA[
(objectclass=inetOrgPerson)
]]>
</object-filter>
<relative-dn>
<!-- the relative dn for person -->
</relative-dn>
<attribute id="id" value="uid"/>
<attribute id="lastName" value="sn"/>
<attribute id="firstName" value="givenname"/>
<attribute id="accountLock" value="orclIsEnabled">
<attribute-comparator operation="EQUALS" compareTo="ENABLED"/>
<filter>
<![CDATA[
($accountLock=ENABLED)
]]>
</filter>
</attribute>
<attribute id="facsimileTelephoneNumber" value="facsimileTelephoneNumber"/>
<attribute id="displayName" value="displayName"/>
<attribute id="mail" value="mail"/>
<attribute id="telephoneNumber" value="telephoneNumber"/>
<attribute id="employeeId" value="employeeNumber"/>
<attribute id="thumbnailPhoto" value="jpegPhoto"/>
<attribute id="manager" value="manager"/>
<attribute id="modifyTimeStamp" value="modifytimestamp"/>
</object>
<object id="group">
<object-filter>
<![CDATA[
(objectclass=orclGroup)
]]>
</object-filter>
<relative-dn>
<!-- the relative dn for group -->
</relative-dn>
<attribute id="id" value="dn"/>
<attribute id="modifyTimeStamp" value="modifytimestamp"/>
<attribute id="displayName" value="displayName"/>
<attribute id="name" value="cn"/>
<attribute id="description" value="description"/>
<attribute id="assignedParticipants" value="uniquemember"/>
<!--attribute id="assignedGroups" value="memberOf"/-->
<attribute id="ou" value="uniquemember"/>
</object>
<object id="ou">
<object-filter>
<![CDATA[
(objectclass=domain)
]]>
</object-filter>
<relative-dn>
<!-- the relative dn for ous -->
</relative-dn>
<attribute id="name" value="orclsubscriberfullname"/>
<attribute id="description" value="description"/>
</object>
</config>
Edited by: Lemonice on 2009-3-30 2:08 AM
Edited by: Lemonice on 2009-3-30 7:01 PM
Edited by: Lemonice on 2009-3-30 8:43 PM
Hi,
in my case, I am trying to configure the OBPM directory using ALUI and its native LDAP service.
Now, I found that the first name and the last name in BPM are retrieved from the ALUI display name : provided we enter the display name in the format %first name% + %last name% we get them into BPM. But the display name is not always in this format...
In addition, it's the portal telephone number information which is retrieved into BPM Telephone and Fax numbers.
And the email address remains blank.
I have installed the latest patch for OBPM (Version: 10.3.1.0.0 Build: #97172)
Would you have any documentation about creating a Profile Web Service in ALUI and specifying which LDAP attributes to map to which ALUI properties in the Profile Source ?
Thanks !
Edited by: vVince on May 6, 2009 3:46 PM -
Error after setting up direct LDAP
Running iMS 5.2 and LDAP 4.1.6
after making the changes to set up direct LDAP lookup I started getting the following error:
4.0.0 temporary error returned by alias expansion
While making the changes to set the server back to dirsync mode I noticed that the databases:
aliasesdb.db and reversedb.db had been recreated but were significantly smaller than the originals.
After changing the imta.cnf, option.dat, job_controller.cnf and mappings files back and replacing my db files, I ran an imsimta cnbuild and a full dirsync and everything functioned normally again.
Any ideas?
Don
Hi Roger and Jay,
I followed the instructions exactly. I have restored my backups of the config files a couple times and started over again. I did catch the error that Roger pointed out and my line read exactly like his example (with my domain of course)
This is my old mailserver. I have a new one working right now. I am trying to get the updates all working on this one before I mess up the production machine so there is no problem with it being down while I work the bugs out.
Here is a clip from the ldap access log
the last line shows an error 11 that I assume is the problem.
[14/Dec/2004:15:44:29 -0700] conn=46 op=1 SRCH base="dc=sturgeon,dc=ab,dc=ca,o=Internet" scope=0 filter="(|(objectclass=inetDomain)(objectclass=inetdomainalias))"
[14/Dec/2004:15:44:29 -0700] conn=46 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[14/Dec/2004:15:44:29 -0700] conn=46 op=2 SRCH base="o=sturgeon.ab.ca,o=ab.ca" scope=2 filter="(&(objectclass=groupOfUniqueNames)(objectclass=inetMailAdministrator))"
[14/Dec/2004:15:44:29 -0700] conn=46 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[14/Dec/2004:15:44:29 -0700] conn=46 op=3 SRCH base="cn=Domain Administrators,ou=Groups,o=sturgeon.ab.ca,o=ab.ca" scope=0 filter="(objectclass=*)"
[14/Dec/2004:15:44:29 -0700] conn=46 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[14/Dec/2004:15:44:29 -0700] conn=46 op=4 SRCH base="o=sturgeon.ab.ca,o=ab.ca" scope=2 filter="(uid=carlgren)"
[14/Dec/2004:15:44:29 -0700] conn=46 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[14/Dec/2004:15:44:29 -0700] conn=47 fd=54 slot=54 connection from 192.168.0.12 to 192.168.0.12
[14/Dec/2004:15:44:29 -0700] conn=47 op=0 BIND dn="uid=carlgren,ou=people,o=sturgeon.ab.ca,o=ab.ca" method=128 version=3
[14/Dec/2004:15:44:29 -0700] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[14/Dec/2004:15:44:29 -0700] conn=46 op=5 SRCH base="cn=Service Administrators,ou=Groups,o=ab.ca" scope=0 filter="(objectclass=groupOfUniqueNames)"
[14/Dec/2004:15:44:30 -0700] conn=46 op=5 RESULT err=0 tag=101 nentries=1 etime=1
[14/Dec/2004:15:44:30 -0700] conn=46 op=6 SRCH base="uid=carlgren,ou=people,o=sturgeon.ab.ca,o=ab.ca" scope=0 filter="(objectclass=*)"
[14/Dec/2004:15:44:30 -0700] conn=46 op=6 RESULT err=0 tag=101 nentries=1 etime=0
[14/Dec/2004:15:44:31 -0700] conn=48 fd=55 slot=55 connection from 192.168.0.12 to 192.168.0.12
[14/Dec/2004:15:44:31 -0700] conn=48 op=0 BIND dn="uid=msg-admin-1,ou=People,o=sturgeon.ab.ca,o=ab.ca" method=128 version=3
[14/Dec/2004:15:44:31 -0700] conn=48 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[14/Dec/2004:15:44:31 -0700] conn=48 op=1 SRCH base="ou=carlgren,ou=people,o=sturgeon.ab.ca,o=ab.ca,o=pab" scope=2 filter="(|(cn=*)(ou=*))"
[14/Dec/2004:15:44:31 -0700] conn=48 op=1 RESULT err=0 tag=101 nentries=40 etime=0
[14/Dec/2004:15:44:31 -0700] conn=48 op=2 SRCH base="ou=carlgren,ou=people,o=sturgeon.ab.ca,o=ab.ca,o=pab" scope=2 filter="(|(objectclass=pab)(objectclass=pabgroup))"
[14/Dec/2004:15:44:31 -0700] conn=48 op=2 RESULT err=0 tag=101 nentries=2 etime=0
[14/Dec/2004:15:44:31 -0700] conn=48 op=3 SRCH base="ou=carlgren,ou=people,o=sturgeon.ab.ca,o=ab.ca,o=pab" scope=2 filter="(memberofpab=AddressBook271b6af)"
[14/Dec/2004:15:44:31 -0700] conn=48 op=3 RESULT err=0 tag=101 nentries=37 etime=0
[14/Dec/2004:15:44:42 -0700] conn=38 op=3 SRCH base="o=sturgeon.ab.ca,o=ab.ca" scope=2 filter="(|([email protected])([email protected])([email protected]))"
[14/Dec/2004:15:44:49 -0700] conn=38 op=3 RESULT err=11 tag=101 nentries=1 etime=7 notes=U
If I put the machine back into dirsync mode then everything works fine. I must be missing something.
In the morning I'll try again.
Thanks for the help,
Don -
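Chris's fix in the earlier post (adding indexes for the attributes the MTA searches) and the last two lines of Don's access log excerpt are the same symptom seen from both ends: a RESULT with notes=U is a search the Directory Server had to run unindexed, and err=11 (adminLimitExceeded) means it hit the lookthrough limit while doing so; an LDAP error at lookup time is the kind of failure the MTA turns into a temporary alias-expansion error rather than a definite answer. The following Python is an added example, not code from the thread or from Sun: it parses an access log in the format shown above, pairs each SRCH with its RESULT by conn and op, lists the unindexed searches, and counts which filter attributes they use so you know what to index. The lines in SAMPLE_LOG are constructed, and treating only objectclass as already indexed is an assumption to extend with the nsIndex entries your own dse.ldif lists.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Two record types of a Sun/Netscape Directory Server access log, in the
# format of the excerpt quoted in this thread. "notes=U" on a RESULT line marks
# an unindexed search; err=11 is adminLimitExceeded (lookthrough limit hit).
SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+) etime=(?P<etime>\d+)'
    r'(?: notes=(?P<notes>[A-Z,]+))?')
# Attribute name right after "(" in an RFC 2254 filter: "mail" in "(mail=x)",
# "uid" in "(uid>=5)"; the "|" and "&" of compound filters do not match.
ATTR_RE = re.compile(r'\(([A-Za-z][A-Za-z0-9.;-]*)(?:~|>|<|:[^=]*)?=')


def filter_attributes(ldap_filter: str) -> List[str]:
    """Attribute names referenced by a filter string, lower-cased, in order."""
    return [a.lower() for a in ATTR_RE.findall(ldap_filter)]


def find_unindexed_searches(lines: Iterable[str]) -> List[Dict]:
    """Pair each SRCH with its RESULT by (conn, op); keep those flagged notes=U."""
    pending: Dict[tuple, Dict[str, str]] = {}
    hits: List[Dict] = []
    for line in lines:
        m = SRCH_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = m.groupdict()
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue
        srch = pending.pop((m["conn"], m["op"]), None)  # BIND/MOD results have no SRCH
        if srch is None:
            continue
        if "U" not in (m["notes"] or "").split(","):
            continue
        hits.append({
            "conn": int(m["conn"]), "op": int(m["op"]),
            "base": srch["base"], "scope": int(srch["scope"]),
            "filter": srch["filter"],
            "err": int(m["err"]), "nentries": int(m["nentries"]),
            "etime": int(m["etime"]),
            "attributes": filter_attributes(srch["filter"]),
        })
    return hits


def index_candidates(lines: Iterable[str],
                     already_indexed=frozenset({"objectclass"})) -> Counter:
    """Count how often each attribute occurs in an unindexed filter.

    objectclass is a system index in every instance (assumed default here);
    extend already_indexed with the nsIndex entries your dse.ldif lists so the
    report only shows attributes that still need an index.
    """
    counts: Counter = Counter()
    for hit in find_unindexed_searches(lines):
        for attr in set(hit["attributes"]):
            if attr not in already_indexed:
                counts[attr] += 1
    return counts


# Constructed sample in the access-log format quoted above (not real traffic).
SAMPLE_LOG = """\
[14/Dec/2004:15:44:29 -0700] conn=46 op=4 SRCH base="o=example.com,o=isp" scope=2 filter="(uid=carl)"
[14/Dec/2004:15:44:29 -0700] conn=46 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[14/Dec/2004:15:44:31 -0700] conn=48 op=0 BIND dn="uid=msg-admin-1,ou=People,o=example.com,o=isp" method=128 version=3
[14/Dec/2004:15:44:31 -0700] conn=48 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[14/Dec/2004:15:44:42 -0700] conn=38 op=3 SRCH base="o=example.com,o=isp" scope=2 filter="(|(mail=carl@example.com)(mailalternateaddress=carl@example.com)(mailequivalentaddress=carl@example.com))"
[14/Dec/2004:15:44:49 -0700] conn=38 op=3 RESULT err=11 tag=101 nentries=1 etime=7 notes=U
[14/Dec/2004:15:45:01 -0700] conn=39 op=1 SRCH base="o=example.com,o=isp" scope=2 filter="(&(objectclass=inetMailGroup)(memberurl=*))"
[14/Dec/2004:15:45:03 -0700] conn=39 op=1 RESULT err=0 tag=101 nentries=12 etime=2 notes=U
""".splitlines()

if __name__ == "__main__":
    for hit in find_unindexed_searches(SAMPLE_LOG):
        print(f"conn={hit['conn']} op={hit['op']} err={hit['err']} "
              f"etime={hit['etime']}s filter={hit['filter']}")
    for attr, n in index_candidates(SAMPLE_LOG).most_common():
        print(f"index candidate: {attr} ({n} unindexed search(es))")
```

Run it over the instance's access log (Chris's approach of watching the log live finds the same lines), create the indexes with the Directory Server console or the instance's db2index script, and confirm the notes=U lines disappear before putting the MTA back into direct LDAP mode.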
Config UME with ABAP+LDAP datasource
Hi all,
We are implementing an EP installation. We want to reuse the abap role assignment for the portal roles and we require a SSO solution based on SPNego.
Now we can implement each on its own fine. The question is how we can connect the UME to use both ABAP and LDAP datasources. I opened an OSS about it and they said it's possible and supported, but I'm on my own when it comes to implementing it (or consulting, of course).
Anyone had experience with this configuration or can provide me with the datasource schema file?
Thank in advance,
Eric
Try the following:
1. Download the SPNegoWizard_645.zip (for 7.0) SPNegoWizard_640 (for 6.40)from SAP Note 994791 and unzip it.
2. Adjust the user running the SAP system in Active Directory
3. Copy the EAR and XML Files from the SPNegoWizard.ZIP file to a temporary directory on the server.
4. Open up the Visual Administrator. Logon with the admin ID.
5. SID ->Server -> Services -> Deploy
6. Open the Config Tool. (Yes to using DB settings)
7. Select UME LDAP Data
8. Browse to the XML file you copied earlier. (dataSourceConfiguration_ads_readonly_db_with_krb5.xml)
Click the upload button.
9. Select the Configuration file you just uploaded. Click OK on the Warning message.
10. Setup the Connection details as specified below:
Server Name: xxxxxx
Server Port: xxxxxxx
User: SAPService<SID>@domain.com
Password: xxxxxx
Use UME unique id with unique LDAP attribute (checked): samaccountname
User Path: dc=<domain>,dc=com
Group Path: ou=xxxxxx,ou=xxxx,dc=xxxx,dc=xxxx
11. Click the Test Connection button you should see:
Click Close when done.
12. Click the Test Authentication button, enter NT user ID and NT password, and click the authenticate button and you should get a success message:
13. Select cluster-data -> Global Server Configuration -> services -> com.sap.security.core.ume.service
14. Edit the ume.admin.addattrs.
Add the values: krb5principalname;kpnprefix;dn
Click the Set button.
15. Click the Save button or File -> Apply.
16. Close the Config tool and restart the JAVA engine.
17. After the engine is restarted, continue on with the Kerberos configuration.
18. Open up the SP Nego Wizard by going to the following URL: http://<server>:<port>/spnego
19. Logon with the Administrator user ID.
20. Select the check boxes for "Service user is created and configured in Active Directory" and "UME configuration includes SPNego specific settings"
Click the Next button
21. Click the Add Kerberos Realm button and enter your domain name (e.g. company.com)
22. For the Realm Configuration's KDCs (Key Distribution Centers) put in <KDC host> and 88 for the port (the port should already be filled in).
23. In the KPN (Kerberos Principal Name) section enter the Service User Name & Password.
Service User: SAPService<SID>
Password: xxxx
Leave LDAP Host - blank
24. Click the Next button
25. Select Prefix Based for the Resolution Mode and Click Next
26. In Policy Configuration we want to create a new policy called spnego. Tick Basic password Fallback (when SSO does not work) and tick SSO with Logon Tickets. Click the Next button.
27. Click Finish on the Confirmation screen.
28. Close the browser and restart the engine.
29. After the engine has finished restarting, continue with the final steps.
30. Open up the Visual Administrator. Logon as the Administrator ID.
31. SID -> Server -> Services -> Security Provider
32. Go into change mode by clicking the change button.
33. On the Runtime tab -> Policy Configurations tab, select ticket from the Components list.
34. On the Authentication tab for the ticket component select Authentication Template: spnego
35. Now go to the useradmin service (http://<server>:<port>/useradmin) to test the Kerberos SSO. You should get signed on without entering a user name or password.
You are done! -
Hi
I am using messaging server 5.2. Previously we were using Dirsync in our messaging server; after migrating to direct LDAP we are receiving the following error
for some domain
"5.1.1 unknown or illegal alias: [email protected]"
I am attaching the output of /imsimta test -rewrite [email protected] for your reference
forward channel = l
channel description =
channel user filter =
dest channel filter =
source channel filter =
channel flags #0 = BIDIRECTIONAL MULTIPLE IMMNONURGENT NOSERVICEALL
channel flags #1 = NOSMTP DEFAULT
channel flags #2 = NOSENDPOST NOWARNPOST POSTHEADONLY HEADERINC NOEXPROUTE
channel flags #3 = LOGGING NOGREY NORESTRICTED RETAINSECURITMULTIPARTS
channel flags #4 = EIGHTBIT NOHEADERTRIM NOHEADERREAD RULES
channel flags #5 =
channel flags #6 = LOCALUSER REPORTHEADER
channel flags #7 = NOSWITCHCHANNEL NOREMOTEHOST DATEFOUR DAYOFWEEK
channel flags #8 = NODEFRAGMENT EXQUOTA REVERSE NOCONVERT_OCTET_STREAM
channel flags #9 = NOTHURMAN INTERPRETENCODING USEINTERMEDIATE RECEIVEDFROM VALIDATELOCALSYSTEM NOTURN
defaulthost = hathway.com hathway.com
linelength = 1023
channel env addr type = SOURCEROUTE
channel hdr addr type = SOURCEROUTE
channel official host = mhr.hathway.com
channel queue 0 name = LOCAL_POOL
channel queue 1 name = LOCAL_POOL
channel queue 2 name = LOCAL_POOL
channel queue 3 name = LOCAL_POOL
channel after params =
channel user name =
urgentnotices = 1 2 4 7
normalnotices = 1 2 4 7
nonurgentnotices = 1 2 4 7
channel rightslist ids =
local behavior flags = %x7
backward channel = l
header To: address = [email protected]
header From: address = [email protected]
envelope To: address = [email protected] (route (mhr.hathway.com,mhr.hathway.com)) (host ol24.net)
envelope From: address = [email protected]
name =
mbox = test
Extracted address action list:
[email protected]
Extracted 733 address action list:
[email protected]
Address list expansion:
0 expansion total.
Expanded address:
[email protected]
Submitted address list:
Address list error -- 5.1.1 unknown or illegal alias: [email protected]
Submitted notifications list:
Regards
Prashant
Prashant_wagh wrote:
I am using Messaging Server 5.2. Previously we were using Dirsync in our messaging server; after migrating to Direct LDAP we are receiving the following error for some domains:
"5.1.1 unknown or illegal alias: [email protected]"
Please always provide the full version of Messaging Server (./imsimta version).
Was this address "working" prior to implementing direct-ldap?
This issue usually occurs for two reasons:
1) You have no user/group LDAP entry which has a mail:/mailalternateaddress:/mailequivalentaddress: of [email protected]
2) You have more than one entry with a mail:/mailalternateaddress:/mailequivalentaddress: of [email protected]
The old (and broken) dirsync mechanism would "handle" the second scenario. You can check to see whether you have (1) or (2) occurring by performing an ldap search e.g.
ldapsearch -h <directory server> -b <user/group base> -D "cn=directory manager" -w <directory manager password> \
"(|(mail=[email protected])(mailalternateaddress=[email protected])(mailequivalentaddress=[email protected]))" dn
e.g.
ldapsearch -h myserver.com -b o=isp -D "cn=directory manager" -w secretpass \
"(|(mail=[email protected])(mailalternateaddress=[email protected])(mailequivalentaddress=[email protected]))" dn
Regards,
Shane.
-
CE565/CE7325 with MS LDAP Auth - Problem
Once again it seems I am the first one to use a new product. I have a CE565 that I am trying to get to work with MS LDAP. Has anyone had any luck doing this? Cisco TAC is having a difficult time tracking down the problem.
ce565#sho ldap
LDAP Configuration:
LDAP Authentication is enabled
Allow mode: disabled
Base DN: DC=domain,DC=com
Filter: <none>
Retransmits: 2
Timeout: 5 seconds
UID Attribute: uid
Group Attribute: memberOf
Administrative DN: <none>
Administrative Password: <none>
LDAP version: 3
LDAP port: 389
Server Status
192.168.99.7 primary
<none> secondary
ce565#debug authe http
Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2498 ***pam_ldap: Begin
Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2502 *** pam_ldap: Got username ralldread
Apr 24 22:44:56 ce565 http_authmod: _pam_ldap_get_session:1977 *** pam_ldap: Begin
Apr 24 22:44:56 ce565 http_authmod: _read_config:570 ***pam_ldap: Reading configuration
Apr 24 22:44:56 ce565 http_authmod: ldap_server_validate:1928 ***pam_ldap: === Host[0] 192.168.99.7 ===
Apr 24 22:44:56 ce565 http_authmod: ldap_server_isalive:1851 ***pam_ldap: Connecting...
Apr 24 22:44:56 ce565 http_authmod: ldap_server_isalive:1867 ***pam_ldap: Socket timeout 5
Apr 24 22:44:56 ce565 http_authmod: ldap_server_isalive:1891 ***pam_ldap: Connected to 192.168.99.7
Apr 24 22:44:56 ce565 http_authmod: ldap_server_validate:1948 ***pam_ldap: ServerAlive [1] (up=1, down=0)
Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2508 *** pam_ldap: Got session
Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2519 *** pam_ldap: Do authentication
Apr 24 22:44:56 ce565 http_authmod: _get_user_info:1672 *** pam_ldap: Begin user ralldread
Apr 24 22:44:56 ce565 http_authmod: _connect_anonymously:1059 *** pam_ldap: Host 192.168.99.7
Apr 24 22:44:56 ce565 http_authmod: _connect_anonymously:1063 *** pam_ldap: Open session
Apr 24 22:44:56 ce565 http_authmod: _open_session:927 *** pam_ldap: Begin
Apr 24 22:44:56 ce565 http_authmod: _connect_anonymously:1074 *** pam_ldap: Binding...
Apr 24 22:44:56 ce565 http_authmod: _get_user_info:1676 *** pam_ldap: Connected anonymously
Apr 24 22:44:56 ce565 http_authmod: _get_user_info:1699 *** pam_ldap: Filter (uid=ralldread)
Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2522 *** pam_ldap: Done authentication FAILURE
Any thoughts?
I got it working. I did 2 things. One, I rebuilt the server to make sure Active Directory was working correctly. Two, I changed the DC=domain to be dc=domain. I haven't had a chance to test which one actually fixed it, but here is the config that I am using.
ce565#sho run
device mode content-engine
hostname ce565
http authentication header 407
http authentication cache timeout 1
http authentication cache max-entries 32000
http proxy incoming 8888
clock timezone EST -5 0
ip domain-name demodomain
https proxy incoming 8888
interface GigabitEthernet 1/0
ip address 10.10.220.71 255.255.255.0
exit
interface GigabitEthernet 2/0
shutdown
exit
ip default-gateway 10.10.220.1
primary-interface GigabitEthernet 1/0
no auto-register enable
ip name-server 10.10.220.80
pre-load enable
pre-load depth-level-default 2
pre-load resume
pre-load traverse-other-domains
pre-load url-list-file ftp://ftpuser:[email protected]/ce-preload.txt
transaction-logs enable
transaction-logs log-windows-domain
transaction-logs archive interval every-hour every 10
transaction-logs sanitize
transaction-logs export enable
transaction-logs export interval every-hour every 10
transaction-logs export ftp-server 10.10.220.80 ftpuser ftpuser /
transaction-logs format extended-squid
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
ldap server base "dc=demodomain"
ldap server userid-attribute cn
ldap server host 10.10.220.80 primary
ldap server administrative-dn "cn=administrator,cn=users,dc=demodomain"
ldap server administrative-passwd ****
ldap server active-directory-group enable
ldap server version 3
ldap server enable
authentication login local enable primary
authentication configuration local enable primary
url-filter http smartfilter enable
cdm ip 10.10.220.70
cms enable
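Both lookups discussed on this page reduce to evaluating an LDAP search filter against directory entries and counting the hits: Shane's three-attribute alias check, where zero hits (cause 1) or more than one hit (cause 2) produces the 5.1.1 "unknown or illegal alias" rejection under Direct LDAP, and the CE565 user lookup, where the failing debug trace searched with (uid=ralldread) while the working configuration sets userid-attribute cn. The following Python script is an added example, not code from either thread or from Sun/iPlanet or Cisco. It parses a constructed LDIF export, evaluates a small subset of RFC 4515 filters against it offline, classifies an address the way the 5.1.1 diagnosis above does, and audits the whole export for addresses claimed by more than one entry, which is the check a practitioner would want to run before switching a deployment from Dirsync to Direct LDAP. The entry DNs, addresses and function names are assumptions.

```python
"""Offline evaluation of LDAP search filters against an LDIF export.

Added example (constructed data, assumed names). It rehearses the checks
from this page: the mail/mailalternateaddress/mailequivalentaddress alias
lookup behind the 5.1.1 error, a whole-directory duplicate-address audit,
and a uid= versus cn= user lookup against an AD-style entry.
"""

# Constructed LDIF: two messaging users that share an alias, plus one
# AD-style user object that carries cn and sAMAccountName but no uid.
SAMPLE_LDIF = """\
dn: uid=test,ou=People,o=example.com,o=isp
uid: test
mail: test@example.com
mailalternateaddress: t.user@example.com

dn: uid=other,ou=People,o=example.com,o=isp
uid: other
mail: other@example.com
mailequivalentaddress: t.user@example.com

dn: cn=ralldread,cn=Users,dc=demodomain
cn: ralldread
sAMAccountName: ralldread
"""

ALIAS_ATTRS = ("mail", "mailalternateaddress", "mailequivalentaddress")


def parse_ldif(text):
    """Parse minimal LDIF (no continuation lines, no base64) into a list of
    {attribute_lowercase: [values]} dicts. LDAP attribute names are
    case-insensitive, so they are normalised to lower case here."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_filter(text):
    """Parse the RFC 4515 subset (attr=value), (&...), (|...), (!...) into a
    tuple AST: ("=", attr, value) or (op, [children])."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        op = text[i + 1]
        if op in "&|!":
            i += 2
            children = []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if text[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            return (op, children), i + 1
        j = text.index(")", i)
        attr, _, value = text[i + 1:j].partition("=")
        return ("=", attr.strip().lower(), value.lower()), j + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters in filter")
    return node


def matches(entry, node):
    """Evaluate a parsed filter against one entry; values compare
    case-insensitively, as mail and cn do under their matching rules."""
    op = node[0]
    if op == "=":
        return any(v.lower() == node[2] for v in entry.get(node[1], []))
    if op == "&":
        return all(matches(entry, child) for child in node[1])
    if op == "|":
        return any(matches(entry, child) for child in node[1])
    return not matches(entry, node[1][0])  # "!"


def search(entries, filter_text):
    """Return the DNs of all entries matching filter_text (like ldapsearch ... dn)."""
    node = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(e, node)]


def alias_filter(address):
    """The three-attribute filter used in the thread's ldapsearch check."""
    return "(|" + "".join("(%s=%s)" % (a, address) for a in ALIAS_ATTRS) + ")"


def classify_alias(entries, address):
    """'no entry' (cause 1) and 'duplicate' (cause 2) are the two states
    that make Direct LDAP reject the address with 5.1.1; 'unique' is fine."""
    hits = search(entries, alias_filter(address))
    if not hits:
        return "no entry"
    return "duplicate" if len(hits) > 1 else "unique"


def audit_addresses(entries):
    """Map every address claimed by more than one entry to its owners' DNs,
    so duplicates can be cleaned up before Dirsync is switched off."""
    owners = {}
    for e in entries:
        for attr in ALIAS_ATTRS:
            for v in e.get(attr, []):
                owners.setdefault(v.lower(), set()).add(e["dn"][0])
    return {addr: sorted(dns) for addr, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for addr in ("test@example.com", "t.user@example.com", "nobody@example.com"):
        print("%-20s -> %s" % (addr, classify_alias(entries, addr)))
    print("duplicates:", audit_addresses(entries))
    print("(uid=ralldread):", search(entries, "(uid=ralldread)"))
    print("(cn=ralldread): ", search(entries, "(cn=ralldread)"))
```

Against the constructed data the alias t.user@example.com is classified as a duplicate because two entries claim it through different attributes, and the audit lists both DNs; the uid= lookup returns nothing for the AD-style entry while the cn= lookup finds it. To run the same audit on a real deployment, export the user/group subtree with ldapsearch or db2ldif and feed the file to parse_ldif (multi-line and base64 attributes would need the full LDIF rules, which this helper deliberately omits).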