JNDI Support in Directory Server 5.1 and 5.2

Does anyone know where I can find documentation on whether Directory Server supports JNDI (Java Naming and Directory Interface), and whether this is an industry standard that is outlined in an RFC somewhere?
Thanks

JNDI support is documented in Chapter 35 of the DSRK guide at http://docs.sun.com/source/816-6400-10/jndi.html
JNDI is a part of J2SE, a Java Community Process specification. See http://www.jcp.org
--Stephen

Similar Messages

  • Alias support in directory server 5

    Hi,
    Is alias dereferencing supported in Directory Server 5? (It is
    mentioned in this article that 4.1 did not support it:
    http://java.sun.com/products/jndi/tutorial/ldap/misc/aliases.html).
    I am trying to do a search using an alias and it does not seem to be
    working. I keep getting the alias entry rather than the referred
    entry. I tried setting the DEREF option to DEREF_ALWAYS but this does
    not seem to help (code fragment below). Do I need to do something to
    enable alias dereferencing on the server? Could it be the version of
    LDAP SDK for Java that I am using?
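    // Netscape Directory SDK for Java
    import netscape.ldap.*;

    LDAPConnection conn = new LDAPConnection();
    conn.connect( "XX.XX.XX.XX", 389 );
    // Request alias dereferencing for searches on this connection
    conn.setOption( LDAPv2.DEREF, new Integer( LDAPv2.DEREF_ALWAYS ) );
    LDAPSearchResults results;
    String filter = "(cn=adminalias)";
    try {
        results = conn.search( "o=aliases,c=com",
            LDAPConnection.SCOPE_ONE, filter, null, false );
        while( results.hasMoreElements() )
            System.out.println( results.next() );
    } catch ( LDAPException e ) {
        // Search or result retrieval failed
        System.err.println( e );
    }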
    Thanks,
    Len Takeuchi
    SalesCentrix.com

    Len Takeuchi wrote:
    Hi,
    Is alias dereferencing supported in Directory Server 5?
    No.

  • Directory Server 5.0 and 5.1 - Triggers

    Do the previous versions of Sun Java Directory Server, 5.0 and 5.1, support LDAP Triggers?
    I need to be clarified soon.

    Hi,
    You can set this in "iPlanet Directory Server", to force the user to log off after a particular time. For more info, check the iPlanet Directory Server guide.
    Regards,
    Dakshin.

  • Active Directory - Server 2008 R2 and 2012 R2 (Server Formatting or not productive

    Hello guys, I come here to try to clarify a great doubts regarding Server Operating Systems, I will attempt to detail the most of my scenario.
    Suppose I have a Server 2008 R2 in production, and this is my Active Directory server (meudominio.local) and am managing through Group Policy settings my workstations that are around 60-70 computers, guys my doubts the thing is, if I need some time to format
    and perform a fresh installation of my server as it will be my Active Directory? Of course I will have lost my domain controller and I have to accomplish the placement of each workstation again that enters my domain one by one.
    I know there is the option of AD replication, so we call the Active Directory, even for another version of the Operating System, prátia already realized this, but it most often comes not functioning properly, done without replication problems Server 2003 to
    2008 R2.
    Guys like to know a solution to not having to put my plants in my domain network again one by one, is there any way to backup so that when I reinstalled the system and the AD again in my server stations return to "see" again that server as your domain
    controller, even me installing AD with the same domain name before this formatting stations do not respond to this driver in this case do the Network ID or add the station to the area again, so she creates a new user profile for example (Max.meudominio) while
    your old profile "guy" still remains on the machine, I adopted the practice of editing the record of this newly created profile and pointing him well for the old user folder which contains all data and settings, eg edit my key "ProfileImagePath"
    regedit logged in with the newly created profile (Max.meudominio) ->
    (switch "ProfileImagePath" C:\Users\Max.meudominio) thus pointing to the folder before replacing in the field again this season after formatted server, thus ->
    (Switch "ProfileImagePath" C:\Users\Max), detail that we give permission for all such user "C:\Users\Max" folder, after that restart the computer and he comes back with the user profile and all your settings.
    I wonder if there is another method to perform this procedure, do not know even a backup AD to not have to replace all the seasons again "meudominio.local".
    Thank you for your attention!
    Translation with Google translator! Sorry.
    Matias Duarte, Support Coordinator, Dual Solucoes® | Information technology solutions

    As the practice of replication I know her mostly said she has some flaws when I do the replication of my domain to another server but it works correctly, so having a server "master" and the other ServidorBKP as "slave", in redundancy,
    the problem is when I say, and put the "ServidorBKP" being my primary domain controller and disabling my main controller, to disable or turn off my main controller the stations themselves are unable to login because it does not communicate with the
    my ServidorBKP "slave" even I put it as the main driver of course.
    Regarding the System State as far as I know this option existed in Server 2003.
    I also got some information, confer on the links below.
    http://msdn.microsoft.com/en-us/library/bb727048.aspx
    http://technet.microsoft.com/pt-br/library/cc758435(v=ws.10).aspx
    http://technet.microsoft.com/en-us/library/cc961934.aspx
    I'm still researching other ways, getting communicate any news to everyone. (Google Translate)
    Matias Duarte, IT Coordinator, Dual Solucoes® | Information technology solutions http://www.matiasduarte.com.br

  • PasswordPolicyControl support in Directory Server 5.2

    Hi,
    Does the SunOne Directory Server 5.2 support Password Policy Control (OID 1.3.6.1.4.1.42.2.27.8.5.1)?
    Thanks,
    ~AA

    No, this control will be supported in Directory Server 6.0.
    Regards,
    Ludovic

  • Directory Server 5.1 and CMS 4.2 SP2

    There's a similar question on 16 January that didn't get answered.
    I realise I can configure CMS to publish certificates to an "external" DS 5.1 LDAP directory. However, I'd like to know whether there is a realistic method to make CMS use DS 5.1 for its internal database (port 38900). I don't want to build a complex mixed-version environment unless there will be no alternative for (say) the next 6-9 months.
    I have a production user directory that is being upgraded from DS 4.12 to 5.1. Our CMS system is also in production, and was upgraded to 4.2 SP2 about 6 months ago.
    Does anyone have any experiences in this area that can help me decide on an optimal way forward?


  • Configure replication between directory server 5.1 and 5.2

    We have two directory servers running on different machines, 5.1 and a new 5.2. All databases have been successfully backed up and restored from 5.1 to the new 5.2. In this scenario, we would like to set up the 5.1 and new 5.2 D.S. as multi-master replication.
    As described in the Sun documentation, we have copied a few ldif files from the new 5.2 to 5.1 so that both schemas are up to date.
    The new instance of 5.2 is running fine. However, on the other hand, 5.1 has a problem starting the server, as shown below.
    # ./start-slapd
    [31/May/2005:14:07:43 +0800] dse - The entry cn=schema in file /usr/iplanet/servers/slapd-ifpdev02/config/schema/50ns-admin.ldif is invalid, error code 21 (Invalid syntax) - object class nsAdminServer: Unknown required attribute type "nsServerID"
    [31/May/2005:14:07:43 +0800] dse - Please edit the file to correct the reported problems and then restart the server.
    Any help from you guys is greatly appreciated.

    I recommend that you read the Release Notes of DS5.2, there are some notes on Replication between 5.1 and 5.2.
    ===
    In Directory Server 5.2, the schema file 11rfc2307.ldif has been altered to conform to rfc2307. If replication is enabled between 5.2 servers and 5.1 servers, the rfc2307 schema MUST be corrected on the 5.1 servers, or replication will not work correctly.
    Workaround
    To ensure correct replication between Directory Server 5.2 and Directory Server 5.1, perform the following tasks:
    * For zip installations, remove the 10rfc2307.ldif file from the 5.1 schema directory and copy the 5.2 11rfc2307.ldif file to the 5.1 schema directory. (5.1 Directory Server Solaris packages already include this change.)
    * Copy the following files from the 5.2 schema directory into the 5.1 schema directory, overwriting the 5.1 copies of these files:
    11rfc2307.ldif, 50ns-msg.ldif, 30ns-common.ldif, 50ns-directory.ldif, 50ns-mail.ldif, 50ns-mlm.ldif, 50ns-admin.ldif, 50ns-certificate.ldif, 50ns-netshare.ldif, 50ns-legacy.ldif, and 20subscriber.ldif.
    * Restart the Directory Server 5.1 server.
    * In the Directory Server 5.2 server, set the nsslapd-schema-repl-useronly attribute under cn=config to on.
    * Configure replication on both servers.
    * Initialize the replicas.
    ===
    Also search for "migrate" or "repl" or "5.1" in Release Notes and read the relevant information.
    http://docs.sun.com/source/817-7611/index.html
    Another guide is "Installation and Migration Guide"
    http://docs.sun.com/app/docs/doc/817-7608
    HTH.
    Gary

  • How do I bind to directory server with SSL and authentication?

    I'm running Lion Server 10.7.3, Open Directory master. In Open Directory/Settings/LDAP, I've checked the box to Enable SSL and selected a (self-signed) certificate. In Policies/Binding, I've checked the box to Enable Authenticated Directory Binding.
    Testing with a client computer on which Snow Leopard has been freshly installed and fully updated, I went to System Prefs/Accounts to bind to the new directory server. The good news is, the binding was successful, and when the client initiates an AFP connection with the server, it uses Kerberos, creating a ticket as expected. (Which doesn't work with Lion clients, alas, but that's a separate matter.)
    Here are the problems:
    1) It looks like the binding did not use SSL. By which I mean that when I opened Directory Utility and examined the LDAPv3 entry, the SSL checkbox was not checked. (If I then check the box, everything looks fine until I restart the client, after which I have a red dot. So I'm guessing that checking the box does nothing until after restart, and that it breaks the binding.)
    2) I was never prompted to authenticate for the directory binding.
    So I get that literally I'm *enabling* SSL and Authenticated Directory Binding, but it seems like the defaults are to bind without SSL or authentication, and there's no obvious-to-me way to force the binding to use those things. How do I do that?
    What I'd really like to do is *require* SSL and Authenticated Directory Binding. I want this because my belief (correct me if I'm wrong) is that if authentication is required to bind to the server, no one will be able to bind to my server without my permission, and that SSL offers a more secure connection to my server than not-SSL. How do I require these things, or do I not really want to?
    Thank you.

    You cannot connect to databases via Muse at the moment. Please refer: http://forums.adobe.com/message/5090145#5090145
    Cheers,
    Vikas

  • Single directory Server for Messaging and Portal

    We are trying to unify our directory services.
    At present, there two directory servers, one for iPlanet messaging 5.2 and another for Portal server 6.0.
    Messaging's Directory server is v5.1 and Portal's Directory server is v5.2. Their BaseDN is same.
    Now, What we are planning to do is as below.
    1. LDIF everything from Msgr Directory and import into Portal's Directory.
    2. Point Msg Server to the Portal's directory.
    But, we are not sure what to export or how to tell messaging server to look at the Portal's Directory. Any help will be greatly appreciated!!!
    Thanks
    Srini

    What you are trying to do is non-trivial.
    Setting the ldap server for user and groups on the mail server is easy enough -- look at the output of configutil and you will find the values of local.ugldap* define the values you need to change.
    e.g.:
    local.ugldapbasedn
    local.ugldapbindcred
    local.ugldapbinddn
    local.ugldaphost
    local.ugldapport
    etc.
    These are all listed in the messaging reference manual.
    You need to ensure that the schemas of the two apps match. For example, if you are using schema 1 for mail and schema 2 for the portal (quite likely), there will be a lot more work to do on the directory than simply moving the user entries across and merging them.
    Unless you have done this sort of thing before, or feel very comfortable and knowledgeable about how the messaging server in particular works with LDAP, I would suggest that you seriously consider getting help from Sun Professional Services.

  • Sun Directory Server attribute userPassword and SSHA

    I am trying to write my own java code to validate an input plain text password against the corresponding encoded value as it appears on the Sun One directory server attribute 'userPassword'.
    For example the userPassword attribute value might look like this:
    {SSHA}...some-ssha-encoded-jibberish...
    Now what does the Java code snippet look like that takes as input a
    plain-text password String and encodes it to see if it matches the
    Sun One encoded attribute value?

    I know that doing an LDAP bind will accomplish the 'logical' equivalent of what I am after but for my application purposes I need to be able to validate the password string with my own code. In fact my problem goes beyond just the {SSHA} style hash; I also need to be able to validate the {crypt} style hash as well. I have solved the {SHA} style hash validation but the other two hashes are problematic thus far.

  • Directory server 4.12 and 4.15 problem with Solaris 8

    Hi there,
    I have been having an ongoing problem with my read/write master
    directory server. It
    occasionally stops responding to bind attempts and queries. The current
    setup as is running
    on a Sunfire 280R with Solaris 8. Up until a few days ago I was running
    4.12, I upgraded this
    to 4.15 to see of the problem would go away. I am running several 4.13
    replicas on other
    Solaris 8 machines with no problems.
    The biggest problem is that this master directory server is needed for
    our Iplanet messaging
    server 5.1 implementation. Every time the directory fails you cannot log
    in to the messaging
    server. (there doesn't appear to be anyway of sending authentication to
    a read only server).
    Anyway I was just wanting to see if anyone else had the same problem or
    had fixed it and could
    provide some insight into how to fix it. Also any pointers on what to
    look for in the directory
    server error logs would be useful.
    I had an idea that it might have been running out of available
    connections so I set it to close idle
    connections after 300 seconds. Is there any docs on tuning the resources
    for the server or for
    identifying if you have a resource problem?
    Any help or ideas would be appreciated. Please contact me directly as
    well as to the newsgroup
    if possible.
    Thanks,
    Scott.
    Scott Lawson
    Systems Manager
    Department Of Information Services
    St. George's Hospital Medical School
    Tooting
    London SW17 0RE
    UK
    P: 44 (0)208 725 2896
    F: 44 (0)208 725 3583
    mailto:[email protected]
    http://www.sghms.ac.uk

    Scott Lawson <[email protected]> wrote in news:3BCAA419.E322F958@sghms.ac.uk:
    > I had an idea that it might have been running out of available
    > connections so I set it to close idle
    > connections after 300 seconds. Is there any docs on tuning the resources
    > for the server or for
    > identifying if you have a resource problem?
    4.15 hotfix solves a problem with FDs running out (apparently .... we are
    still testing).
    /* Christopher Burke - Spam Mail to [email protected]
    |*
    \* Real mail to cburke(at)craznar(dot)com

  • Directory Server 6.1 and 2005Q4

    We are currently running JES 2005Q4 (JES4) Directory Server:
    Sun Java(TM) System Directory Server/5.2_Patch_5 B2007.093.0303
    ns-slapd: B2007.213.1401
    We are very interested in the Identity Synchronization for Windows
    which comes as part of JES5' Directory Server 6.1.
    We are wondering if this version of the Directory Server can be run
    with the JES4 messaging and calendaring servers?
    If yes, are there any gotchas we should watch out for? More important,
    is it a good idea? And/or does anyone have any suggestions?
    Thanks!
    -- Bob

    Hi,
    As long as you can run comm_dssetup.pl against the directory install to set up all of the relevant schema and indexes, it should be fine.
    Messaging & calendar server aren't fussy about the directory version - just the data structure and speed (i.e. schema & indexes).
    Regards,
    Shane.

  • We are in the process of upgrading to Directory Server 5.1, and are currently using Netscape C SDK 4.0. Is it recommended (or required) that we update to the latest version (5.08) of the SDK as well?

     

    No it is not a requirement that your client application uses the latest version of the C-SDK. However some bugs have been fixed in the latest version of the C-SDK and also some new features are available... so I can only recommend you to use it.
    Regards,
    Ludovic.

  • When will Directory Server support RFC 4511?

    I would like to know when Sun plans to support the new LDAP v3 suite of RFCs, including RFC 4511?

    Thanks Ludovic.
    So if a client wants to support the password policies that are currently implemented on Directory Server 5.2, and also the policies that will be implemented in 6.0, then the client needs to support both the "vchu" and "behera" Internet Drafts, correct? Just to make sure I understand the "vchu" draft, the client is NOT required to send a password policy request control to the server in order to get password policy information returned, correct? ALL the policy information comes either in the error string associated with the LDAPResult OR in the 2 new controls defined in "vchu" (for expiring and already-expired passwords). Is all that correct?
    Is that the extent of what the client would need to do for support of 5.2? Or are there other password policy issues the client would need to code for in addition to what's in "vchu"?
    Also, does the "behera" draft define the extent of Directory Server 6.0 support for password policies, or will there be additional things the client will have to be aware of and code for?
    Thanks,
    gil
    I'm also confused about the relationship between the shadowAccount object class attributes defined in RFC 2307 vs. the password policy supported by Directory Server 5.2 (and 6.0). Are these attributes needed in support of either the "old" or the "new" password policies? Are they obsoleted by either password policy? Do the shadowAccount and password policy attributes operate independently from each other? If so, what do the shadowAccount attributes do for you that the password policy attributes don't? I'm having a hard time sorting out whether I need both types of attributes or only one...
    Thanks,
    gil

  • Sun java directory server and Active Directory

    We are using two different directory servers Sun java directory server and active directory.
    My question is how we can have password synchronization between these two directory servers.
    I have checked Sun Java[TM] System Identity Synchronization for Windows 1 2004Q3
    http://www.sun.com/download/products.xml?id=41537425
    It seems that its supported platforms are only Solaris and Windows, but I have installed my Sun Java Directory Server on Linux and obviously it doesn't work for me.
    I would be grateful if anyone can suggest a solution to work around this situation.
    I have checked identity manager , I would like to know that if I can do this using this product.
    http://www.sun.com/software/products/identity_mgr/specs.jsp
    --regards.
    Sara

    Yes RHEL 4 is a supported OS with DSEE 6.0.
    Identity Synchronization for Windows is a part of DSEE that allows synchronization of users, passwords and groups between Sun Directory Server and Active Directory bi-directionally without altering the users environments, ie it does not require that users change their current habits.
    Identity Manager is a complete identity management solution that is targeting enterprise work flow when it comes to user provisioning and de-provisioning, but also allows you to build authentication and password change forms that will provision the passwords to many different systems including Sun Directory Server and Active Directory but also IBM mainframes, legacy applications, databases...
    If you are implementing a complete identity management solution, then go with Identity Manager. If you need a lightweight and fast solution for just synchronizing users and passwords between Sun DS and MS AD, Identity Synchronization for Windows should be your choice.
    Regards,
    Ludovic.
