LDAP External Authentication Multiple Search Base DNs question

Similar Messages

• Registry LDAP - Multiple search bases x single search base

  Hi all,
  I have a doubt, in my scenario I have two LDAP domains and isn't clear to me if I need to use the Oracle Registry configured to multiple search or single search. In the documentation the explanation is: To use single configuration when you have one single search base and to use multiple configuration when you hava multiple search bases, besides that, the Registry documentation says multiple search bases scenario it will looking for a user in all domains, in case a domain isn't specified by the user. The questions are what the diference between single and multiple configuration and what is a search base?
  Any idea,
  Afonso

  Hi BBCR,
  I'm not sure if the use of groups provides a solution to this requirement. One way to do it would be to define attribute access controls using a filter with substitution syntax. For example, you could have a filter for Modify access on a user's attributes defined like:
  (&(o=$o$)(admin=true))
  which means that anyone who has a value of the "o" attribute the same as the target user AND has a value of "true" for the admin attribute can write to those attributes. You can also add Self as a role so that users can view/modify their own attributes.
  The above filter means that instead of defining group membership and group admin membership, you manipulate attribute values in users profiles to say whether or not a user is an admin, and which users they administer (all users which share the same value of the "o" attribute, in the above case).
  Would something like this be an option?
  Regards,
  Colin

• Create multiple search bases in OAM

  Hi,
  can somebody please help me in resolving a issue with search base.
  I want to create a search base so that the administrator or owner of a group can search only his group's unique members & manage them. I tried creating a search base(UserManager-->Search base) but doing so none of the users of OAM are not able to "view" their own profile which violates the basic requirements(viewing profile).
  Thanks in advance.

  Hi BBCR,
  I'm not sure if the use of groups provides a solution to this requirement. One way to do it would be to define attribute access controls using a filter with substitution syntax. For example, you could have a filter for Modify access on a user's attributes defined like:
  (&(o=$o$)(admin=true))
  which means that anyone who has a value of the "o" attribute the same as the target user AND has a value of "true" for the admin attribute can write to those attributes. You can also add Self as a role so that users can view/modify their own attributes.
  The above filter means that instead of defining group membership and group admin membership, you manipulate attribute values in users profiles to say whether or not a user is an admin, and which users they administer (all users which share the same value of the "o" attribute, in the above case).
  Would something like this be an option?
  Regards,
  Colin

• External LDAP for authentication

  Hi All,
  I want to use external ldap for authentication purpose with Access Manager.
  I tried adding this external ldap as a secondary ldap but couldn�t succeed.
  If I add this ldap in the primary ldap along with the AM�s own ldap, this also fails to authenticate users from the external ldap.
  How can I achieve this?
  I read many topics in this forum regarding this but none of them explain how it can be achieved.
  Please suggest.
  Thanks in advance.

  This is what the amconsole log says:
  ERROR: ConsoleServletBase.onUncaughtException
  java.lang.NullPointerException
       at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.constructFilter(LDAPv3Repo.java:3126)
       at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.search(LDAPv3Repo.java:1996)
       at com.iplanet.am.sdk.AMDirectoryManager.search(AMDirectoryManager.java:1938)
       at com.sun.identity.idm.AMIdentityRepository.searchIdentities(AMIdentityRepository.java:221)
       at com.sun.identity.console.idm.model.EntitiesModelImpl.getEntityNames(EntitiesModelImpl.java:139)
       at com.sun.identity.console.idm.EntitiesViewBean.getEntityNames(EntitiesViewBean.java:222)
       at com.sun.identity.console.idm.EntitiesViewBean.beginDisplay(EntitiesViewBean.java:177)
       at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
       at jsps.console._idm._Entities_jsp._jspService(_Entities_jsp.java:86)
       at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
       at com.iplanet.ias.web.jsp.JspServlet$JspServletWrapper.service(JspServlet.java:687)
       at com.iplanet.ias.web.jsp.JspServlet.serviceJspFile(JspServlet.java:459)
       at com.iplanet.ias.web.jsp.JspServlet.service(JspServlet.java:375)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
       at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:772)
       at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:471)
       at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:382)
       at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:340)
       at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
       at com.sun.identity.console.base.AMViewBeanBase.forwardTo(AMViewBeanBase.java:133)
       at com.sun.identity.console.base.AMPrimaryMastHeadViewBean.forwardTo(AMPrimaryMastHeadViewBean.java:149)
       at com.sun.identity.console.idm.HomeViewBean.forwardTo(HomeViewBean.java:109)
       at com.sun.identity.console.realm.RealmPropertiesBase.nodeClicked(RealmPropertiesBase.java:90)
       at com.sun.web.ui.view.tabs.CCTabs.handleTabHrefRequest(CCTabs.java:129)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
       at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
       at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
       at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
       at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:760)
       at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
       at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
       at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
       at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:787)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
       at com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:280)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
       at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:161)
       at com.iplanet.ias.web.WebContainer.service(WebContainer.java:580)

• Cisco support LDAP Authentication - Multiple Domains

  Hi,
  I want to change the LDAP authentication as the multiple domains and my Windows AD environment is the child trust, that mean the root DC is the "abc.com", which have the two child DCs, e.g. "us.abc.com ", "uk.abc.com"
  Is it possible I just changed the LDAP auth. with user search space as the root DC is fine?
  OR
  I must use the "userPrincipalName" ?

  But it had the collision SAMAccountName, that would have the same account name between the us.abc.com and uk.abc.com. 
  If I changed the "userPrincipalName" LDAP sync to CM, how about the Jabber login?

• External Authentication with LDAP

  Has anyone integrated external authentication of Essbase with LDAP? I've searched discussion groups, websites with no luck, and of course, Essbase documentation doesn't help either. Any additional documentation will help.Thanks in advance!

  Thanks for the info. Is this sample code part of the default implementation that comes installed with the product (essldap.dll)? Or is this something completely different.Also, has anyone done anything similar in visual basic? We have a shortage of v c++ skills around here.Thanks again!

• Shared Services External Authentication using LDAP in 9.3.1

  Hi,
  I have installed Hyperion Shared Services with native directory. And now planning to setup external authentication using LDAP. I need some guidance to understanding how the external authentication works.
  Questions:
  1. Is it possible to setup Shared Services to use both Native and LDAP user directory? What I mean is some users will be able to login using Native directory, and some others will need to login using User Directory (external authentication).
  2. For User Directory (say we use LDAP), when the user is added into Shared Services, can they be assigned with Groups created in Native directory? We want to explore to use just the external authentication and define all of the groups within shared services.
  If not possible, can we manage the Groups of the User directory using shared services? How is the groups work with external authentication?
  Any feedback would be much appreciated.
  Thanks,
  Lian

  Hi,
  Yes you can use both Native and external authentication. When you add the external provider the native is left by defaut anyway.
  Yes you can add your external users to native groups. You can also provision the groups in the AD if you wish.
  Gee

• Cant Edit Ldap Search Base in Open Directory

  Greetings ,
  My ldap search base wrong in my open directory . I have tried converting the server to standalone and back to a directory master and it still retains the old search base. How do i get rid of this, as it is causing problems.
  Thanks In Advance

  Any resolution to this? I am trying to configure OD and it's NOT using our FQDN for the server as the search base... instead of server.domain.NET it is putting in server.domain.COM - pretty sure that will cause problems.
  I ran host <ip address> and checked our DNS settings on the server and everything is configured as .NET - cannot find this .COM anywhere. Am NOT in a position to do an uninstall and re-install as many folks have seemed to have done.
  Mike

• DHCP LDAP search base

  Hi,
  What setting should be put in the search base box in the LDAP tab of DHCP? I would like users to be able to access the OD database in tools such as the Address Book.
  (I currently have the dc=<name>,dc=<suffix> where these are the name.suffix of my domain). In this configuration, the users can not see the LDAP database.
  Thanks,
  Dave

  Hi Hiya,
  Thank you for taking the time to look at my question. Here's my problem. We're setting up a VOIP phone system and one of the questionnaire is to provide LDAP Search Base String of my AD. I'm not sure if I need
  to provide all this search base (DC, CN and OU) all I want to know is which of the element I should provide.
  I think my LDAP search base string is "OU=xxx,DC=mydomain,DC=local. (I'm still not sure but if you have an idea please help).
  Thank you.
  Jay
  aja

• External Authentication general-type questions

  Greetings all,
  I was recently shown how to get Oracle to allow Windows NT Authentication the way SQL 2005 etc. can. I was able to get it working. It's actually simple, you just have to have this line in your SQLNET.ORA file:
  SQLNET.AUTHENTICATION_SERVICES = (NTS)
  and make sure a couple initialization parameters are set (OS_AUTHENT_PREFIX to NULL and REMOTE_OS_AUTHENT to TRUE - the first can't be changed once the database is built!).
  My first question is does Oracle support external authentications to operating systems other than NT, i.e. SUN, UNIX, LDAP etc? And is it a similar architecture?
  Secondly, the only ways I've ever connected to Oracle are 1) through SQL*Plus, 2) Using OLE DB from Windows and 3) Using ODBC.
  Is external authentication supported when logging in any way other than through OLE DB? If so, how?
  Appreciating any general information!
  Thanks
  Joe

  1. The name of the product is SQL Server not SQL. SQL is a language.
  2. Oracle supports all major forms of internal and external authentication. The ones you listed and many more. The docs are at http://tahiti.oracle.com
  3. External authentication is support across the board. But you've got to be working with a database holding nothing more important than your mother's cookie recipes to think that operating system authentication in a Windows environment is secure: It is not.
  Your first responsibility, unless you are just playing games at home or in school, is to secure the data and that means an environment more secure than the one you've chosen.

• MMP using wrong search base when doing LDAP query.

  Hi all,
  I installed a new MMP (sun java communication suite v5 on Redhat linux x86).
  When an imap user connects to MMP, the MMP does an ldap query for attributes "MailHostAttrs mailHost".
  This query fails because the search base is
  SRCH base="dc=my,dc=domain,dc=com,o=my.domain.com"
  instead of simply "o=my.domain.com"
  When I ran 'configure' I specified the Organization DN to be o=my.domain.com
  And I've specified the following in the ImapProxyAService.cfg file:
  LdapUrl "ldap://ldap1.my.domain.com:389/o=my.domain.com"
  UserGroupDN "o=my.domain.com"
  DefaultDomain my.domain.com
  So why does it use "dc=my,dc=domain,dc=com,o=my.domain.com"?
  I must be missing something but I can't find it.

  Hi,
  kevin_sysadmin wrote:
  So why does it use "dc=my,dc=domain,dc=com,o=my.domain.com"?
  I must be missing something but I can't find it.The first step the MMP will do to resolve the base DN for a hosted domain is a directory search along the lines of (this is for schema 2 which is the default for a new install):
  [26/Oct/2007:16:46:23 +1000] conn=3152 op=1 msgId=2 - SRCH base="dc=aus,dc=sun,dc=com" scope=2 filter="(&(objectClass=sunManagedOrganization)(|(associatedDomain=aus.sun.com)(sunPreferredDomain=aus.sun.com)))" attrs=ALL
  So in my case I have default:LdapUrl "ldap://server.aus.sun.com/dc=aus,dc=sun,dc=com" and default:DefaultDomain aus.sun.com
  So you will probably find that you have a hosted domain configured under "dc=my,dc=domain,dc=com,o=my.domain.com" which got created during installation but not propagated with users.
  Regards,
  Shane.

• External authentication question

  Hello,
  I am running an apex app in a secured environment. The authentication is handled by the environment, and a username passed to apex pages in a server variable, which I am able to use to set apex_application.g_user. Now, the user is only able to access apex pages via the security proxies, which make sure that the user is authenticated, etc. All page requests go through these security proxy servers.
  Now, my question is this: I've set the g_user in a custom page sentry function. I don't know a whole lot about this stuff, and so just deleted all of the session-verification stuff from the function that I copied, and return true always. Because, I'm thinking, the security proxies take care of all that. Is that okay? Or should I set that value somewhere else, and leave things that I don't understand alone? If so, where?
  Here's my page_sentry function:
  create or replace FUNCTION custom_Page_Sentry_Func (p_htmldb_user VARCHAR2 DEFAULT 'APEX_PUBLIC_USER' )RETURN BOOLEAN AS
  l_authenticated_username VARCHAR2(256) := nvl(UPPER(OWA_UTIL.GET_CGI_ENV('HTTP_IV_USER')),'NOT_AF_AUTH');
  IS_USER NUMBER := 0;
  L_CURRENT_SID NUMBER;
  BEGIN
  --The server is behind the login system, so if the ApEx pages are shown, the login has succeeded (and we will find the cookie)
  -- If logged in user is not a user (doesn't exists in USERS table)
  -- THEN create a record in the table
  SELECT COUNT(*)
  INTO IS_USER
  FROM USERS
  WHERE USERNAME = l_authenticated_username ;
  IF IS_USER = 0 THEN
  INSERT INTO USERS (USERNAME,SSN) VALUES (l_authenticated_username,'111111111');
  END IF;
  apex_application.g_user := l_authenticated_username;
  RETURN TRUE;
  END custom_Page_Sentry_Func;
  Thanks, -warren

  I am setting g_user so that I can see auditing info in the DB, etc.
  The database won't be aware of that value unless you set it into a context, e.g., by using dbms_session.set_identifier or some such device. You would pass v('APP_USER') into such a call that you could run as the VPD block of your application (edit application securiyt attributes to find that field).
  But my apex "user" is APEX_PUBLIC_USER, same user for everyone. I'm not going to inadvertantly change that by calling the things that get called in the nmlt (or whatever it's called) page sentry function with my externally authenticated username, am I?
  Correct.
  Scott

• Server 3.1.2: Unable to locate search base: -1 Can't contact LDAP server

  Hello all—
  I've been getting repeated errors below in my system.log.  I'm running OS X 10.9.3 with Server version 3.1.2.  I've replaced my actual server name with "my.servername.net" in the log entries. Thanks for any advice!  —michael
  May 30 17:47:03 leo com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 7 seconds
  May 30 17:47:04 my.servername.net PasswordService[1345]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
  May 30 17:47:04 leo com.apple.launchd[1] (com.apple.PasswordService[1345]): Exited with code: 1
  May 30 17:47:04 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
  May 30 17:47:06 my.servername.net xscertd-helper[1351]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
  May 30 17:47:06 leo com.apple.launchd[1] (com.apple.xscertd-helper[1351]): Exited with code: 1
  May 30 17:47:06 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
  May 30 17:47:09 my.servername.net xscertd[335]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)
  May 30 17:47:14 my.servername.net PasswordService[1363]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
  May 30 17:47:14 my.servername.net PasswordService[1363]: -[PasswordServerPrefsObject loadXMLData]: Unable to locate passwordserver config record's plist attribute: -1 Can't contact LDAP server
  May 30 17:47:14 my.servername.net PasswordService[1363]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
  May 30 17:47:14 my.servername.net PasswordService[1363]: -[PasswordServerPrefsObject saveXMLData]: ldap_modify_ext_s of the passwordserver config record's plist attribute: -1 Can't contact LDAP server
  May 30 17:47:14 leo com.apple.launchd[1] (org.openldap.slapd[1359]): Exited with code: 1
  May 30 17:47:14 leo com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 7 seconds
  May 30 17:47:14 my.servername.net PasswordService[1363]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
  May 30 17:47:14 leo com.apple.launchd[1] (com.apple.PasswordService[1363]): Exited with code: 1
  May 30 17:47:14 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
  May 30 17:47:16 my.servername.net xscertd-helper[1365]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
  May 30 17:47:16 leo com.apple.launchd[1] (com.apple.xscertd-helper[1365]): Exited with code: 1
  May 30 17:47:16 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
  May 30 17:47:20 my.servername.net xscertd[335]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)
  May 30 17:47:24 my.servername.net PasswordService[1375]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
  May 30 17:47:24 my.servername.net PasswordService[1375]: -[PasswordServerPrefsObject loadXMLData]: Unable to locate passwordserver config record's plist attribute: -1 Can't contact LDAP server
  May 30 17:47:24 my.servername.net PasswordService[1375]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
  May 30 17:47:24 my.servername.net PasswordService[1375]: -[PasswordServerPrefsObject saveXMLData]: ldap_modify_ext_s of the passwordserver config record's plist attribute: -1 Can't contact LDAP server
  May 30 17:47:25 leo com.apple.launchd[1] (org.openldap.slapd[1371]): Exited with code: 1
  May 30 17:47:25 leo com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 7 seconds
  May 30 17:47:25 my.servername.net PasswordService[1375]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
  May 30 17:47:25 leo com.apple.launchd[1] (com.apple.PasswordService[1375]): Exited with code: 1
  May 30 17:47:25 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
  May 30 17:47:26 my.servername.net xscertd-helper[1377]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
  May 30 17:47:26 leo com.apple.launchd[1] (com.apple.xscertd-helper[1377]): Exited with code: 1
  May 30 17:47:26 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
  May 30 17:47:30 my.servername.net xscertd[335]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)

  Unfortunately this problem wasn't solved this way.  After dragging the Server.app to the trash and then retrieving it ("Put Back") and launching it, and re-starting services, my problem still persists.
  Here are relevant system.log file entries. (Note the hostname is "leo"—I've changed the FQDN to leo.myservername.net):
  Jun  6 22:57:31 leo.myservername.net PasswordService[1011]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
  Jun  6 22:57:31 leo com.apple.launchd[1] (com.apple.PasswordService[1011]): Exited with code: 1
  Jun  6 22:57:31 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
  Jun  6 22:57:32 leo.myservername.net xscertd-helper[1014]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
  Jun  6 22:57:32 leo com.apple.launchd[1] (com.apple.xscertd-helper[1014]): Exited with code: 1
  Jun  6 22:57:32 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
  Jun  6 22:57:34 leo.myservername.net xscertd[333]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)
  Jun  6 22:57:40 leo com.apple.launchd[1] (org.openldap.slapd[1016]): Exited with code: 1
  Jun  6 22:57:40 leo com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 7 seconds
  Jun  6 22:57:40 leo.myservername.net com.apple.SecurityServer[22]: Session 100004 created
  Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
  Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: -[PasswordServerPrefsObject loadXMLData]: Unable to locate passwordserver config record's plist attribute: -1 Can't contact LDAP server
  Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
  Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: -[PasswordServerPrefsObject saveXMLData]: ldap_modify_ext_s of the passwordserver config record's plist attribute: -1 Can't contact LDAP server
  Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
  Jun  6 22:57:41 leo com.apple.launchd[1] (com.apple.PasswordService[1024]): Exited with code: 1
  Jun  6 22:57:41 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
  Jun  6 22:57:42 leo.myservername.net xscertd-helper[1028]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
  Jun  6 22:57:42 leo com.apple.launchd[1] (com.apple.xscertd-helper[1028]): Exited with code: 1
  Jun  6 22:57:42 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
  Jun  6 22:57:45 leo.myservername.net xscertd[333]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)
  Also, for what it's worth, "Open Directory" in the Server.app has no settings within it. Nor will it stay "on." I'm not using OD per se, and am happy to leave it off, but it's possible the errors above are preventing it from running.
  Thanks for any other solutions. —michael

• OID External Authentication Plugin - Conceptual question

  Hi-
  Does anyone know the answer to this: If I enable the External Authentication Plugin for OID (to AD) does that mean that if I have any accounts in OID which do not exist in AD, they won't be able to authenticate?
  Also, if anyone knows of some conceptual documentation on this, please let me know. All I could find was how to install it, but not how it works. (do I need to match users on CN or uid or what?)
  Thanks

  Hi,
  Once you are done with user accounts synchorinzation successfully using dipassistant tool from edirectory to OID. Inorder to update/flush the user accounts password that which are synchronized to OID, in such case OID eDirectory External Authenctiation plugin will be used (oidspediri.sh file) located under <ORACLE_HOME>ldap/admin. Provide th neccessary eDirectory Details.
  Regards,
  ABP

• Use of LDAP group external authentication in Essbase v7.16

  Hello Experts,
  One of my customer wants an answer for his query -
  They currently use LDAP external authentificaiton with userid only and would like to use LDAP groups. Is this supported in version 7.1.6 (Heard that It is a known limitation in version 7.x that LDAP / MSAD groups are not supported. MSAD groups are supported in System 9.x)
  My Research:
  I read in the Essbase v7 documentation the following 2 examples of using groups, under Essbase.CFG Configuration Settings > AUTHENTICATIONMODULE
  Can you explain how this works
  Thank you
  Example 1
  The entries in this example allow users in the group Engineers from domain yahoo.com to be authenticated on host Gorky, via port number 389, with a timeout period of 30 seconds.
  AuthenticationModule LDAP essldap.dll 30 cn=Engineers, ou=Groups, dc=yahoo, dc=com@Gorky:389
  Example 2
  The entries in this example allow users in the group Engineers from domain yahoo.com to be authenticated on host 129.63.140.122, via port number 389, with a timeout period of 45 seconds.
  AuthenticationModule MSAD essmsad.dll essmsad.lib 45 cn=Engineers, ou=Groups, dc=yahoo, dc=[email protected]:389
  Regards,
  Sonal
  Edited by: 637223 on Oct 23, 2009 7:16 PM

  I do not believe using LDAP groups is supported in 716.