LDAP question

Similar Messages

• Open Directory and LDAP questions/difficulties

  Hi, my company is about to try out OSX Server to replace our old Irix file server. In order to do this we need to run through a number of tests in order to validate the idea. Basically, the test setup is a PM G5 running OSX Server 10.4 and a connected Mac and/or PC on the G5's second ethernet port as test clients. The first ethernet port is connected to the local subnet (192.168.1.x) and, ideally, the OSX Server should have its own subnet on the second port and serve DHCP, AFP and SMB to that port only, along with an OD shared directory providing both authentication and home directories for users. (later on, if all is successful, it will serve those services on the company subnet). DNS is supplied by a separate server on the subnet (DNS caching server running tinydns)
  I've read my way through the OSX Server documentation, and gathered all the information the Worksheet requires. The problems started occuring because we installed OSX Server over an OSX Client and broke off the Server Assistent, because we were worried at the time that turning on a Windows PDC would collide with our current (and very flaky) Samba server running on the Irix machine, and that DHCP might also collide with our current dhcp server.
  As a consequence, we tried to set it up via the Server Admin Panel, Network Prefs, and the Workgroup Manager, after having connected the second ethernet port of the G5.
  Doing this, and setting the OD service to an OD Master, along with a Search base of dc=hostname, dc=domain, dc=tld has not exactly changed much. The problem is that the info panel says that LDAP is not running. This confuses me no end. I thought OD was based upon LDAP. The server name in the Server Admin panel is hostname.local. And now I get to my real questions (finally):
  1.Would it be better to just wipe the machine and start again using the Assistent, and set up the ODMaster that way?
  2.When is an ODMaster not a local directory and when is it a shared directory (the hostname.local worries me)
  3.What services exactly need to be running for the ODMaster to function properly
  3.How do I configure the local subnet on the second port (should I use the Gateway Assistent or do it by hand), and how do I only serve those services to that port (do I do it by setting the router/gateway for those services as the IP of the second port or as localhost).
  4.Do I need to simply enable LDAPv3 on the clients and set the search path to automatic to get the clients to Autheticate?
  5.Do user and groups added to the hostname.local become part of the OD Domain?
  I'm sorry if I come across as a total newbie. I'm used to doing most of this on the commandline in Linux (except for LDAP, which is new to me), and the GUI. I have managed to entangle myself quite nicely in all this and could really use some pointers.
  Thanks in advance
  Theo.
  PowerBook G4   Mac OS X (10.4.7)  

  1. Starting with a freshly installed OS X Server is recommended, but start no services at first, you need working DNS with reverse zone for the server IP to run OD Master (and other services). If the server domain is to be different from the existing network domain name setup DNS in OS X for the test domain.
  2. I'm not sure I understand the question. LDAP/OD can be used on the server to "house" the user accounts but you don't have to bind computers to it.
  If you don't use the more advanced possibilities with LDAP/OD I don't think the clients even need to have LDAP configured to be able to authenticate.
  hostname.local = hostname and the standard Bonjour domainname .local ?
  3a. DNS, so that reverse lookup works for the hostname before setting up OD Master. OD needs a "true" domainname Bonjour isn't sufficient. Setup/use something like mydomain.private.
  3b. You don't need to do NAT, you can also route between two subnets (you would need a static route in your Internet router too).
  If you want NAT you can use the GW assistant. The interface on the top of the list in Network config (where you can add more/alias interfaces) is the "main" interface used as the "WAN"/"Internet" interface.
  4. If the clients are "standalone" (not bound to the OD domain or not using server based homefolders and such) I think you only need LDAP if you want the clients to be able to search for info in OD/LDAP. Not needed for authentication.
  You can send out LDAP info with DHCP.
  5. If you mean you add/enter users and groups to OD/LDAP directory it just means you can have different servers/clients using a central repository(?) for authentication purposes.
  If you add (bind) machines to the domain you can to control what clients can do locally (priviledges), which applications they can run and so forth.
  In /etc/smb.conf you can say which interface to use för samba (don't remember what to enter though). And if using the firewall (you must if you want NAT) you can stop Bonjour (mDNS - multicasts) from entering the "old" network if you like/need.

• Configure LDAP question in Mail Preferences

  In trying to troubleshoot my question two posts down, I went to Mail Preferences to confirm I had checked the item that says to "Automatically complete addresses". It was checked. What does the toggle box next to it marked "Configure LDAP" do?
  many thx

  LDAP is a common directory service. It's typically used for accounts in network environments (e.g. a list of everyone's username and password), but it can also be used as a contact database.
  When auto-completing email addresses, Mail can query a LDAP server to find users email addresses - think of it as a central address book rather than your own personal one.
  It's more common in large organizations where you don't want hundreds of people having to remember everyone else's email address - add them once to the directory and everyone who's connected to that server will see them. For individual/personal use it's less useful.

• Password sync, activesync idm ad and ldap question

  Hi,
  can someone please clarify for me? We are trying to configure password sync between DSEE 6.3.1 and Active Directory.
  We are using IDM 8.1 as our Identity Manager.
  We have a JMS and the password sync plugin enabled on the IDM UNIX side. On the AD side we have the MSI file connector
  installed and communicating with the JMS.
  What I need to know in setting up the passwd sync, is what is required on the AD side encryption wise?
  No where in the Sun documentation does it mention about AD passwd encryption.
  What my question pertains to, is how does the IDM sync work against AD? Is there something special to do to
  make this work? We have encrypted passwords in the AD - I believe this is a one way encryption.
  If this is the case, how do we sync the password between AD, IDM and DSEE or does IDM not care?
  thanks!

  You'll need the IDM PasswordSync software installed and configured on every domain controller in your AD forest. As Alex indicated, it works as a password filter (via Microsoft APIs) that routes the clear text password to the IDM servers for synchronization.
  There are lots of configuration details you'll need to set (for instance, specifiying what resources should be synchronized, setting the JMS listener polling period, setting the threshold for ignoring password changes from AD, etc). Be sure to review the section in PasswordSync in the IDM Administration documentation.
  Jason

• LDAP DN String ?

  Hallo,
  in my current application i use LDAP authentication for the first time.
  I'm a bit confused with using the DN String. Imagine following ldap entries:
  cn=user1,ou=IT1,o=departments,dc=development,dc=company,dc=de
  cn=user2,ou=IT2,o=departments,dc=development,dc=company,dc=de
  If i specify
  cn=%LDAP_USER%,ou=IT1,o=departments,dc=development,dc=company,dc=de
  as the DN String user1 can successfully login but user2 can't.
  If i specify something else e.g.
  cn=%LDAP_USER%,o=departments,dc=development,dc=company,dc=de
  both users can't login.
  I know its more a ldap question, but what am i missing here ?
  Thanks,
  Jochen

  Well some better searching found me this:
  HOWTO: LDAP authentication with anonymous bind to DN
  I guess it is what i was looking for..

• Change Groupwise LDAP Server Settings

  Hi,
  When Groupwise was installed (many moons ago) I remember a dialog whereby it requested an LDAP server and needed this to install the domain and post office. We used a replica server for this information (IP address).
  We now wish to retire the server that it points to (it was not using a DNS name at that time unfortunately).
  Can anybody advise how we make this change - it is in Console One somewhere or in a config file. When we turn off the edir server that was used, it stop Groupwise from working (locks out users). I am assuming it is a setting somewhere that can be changed?
  Many thanks in advance,

  Hi,
  On 20.08.2012 17:26, elagrew wrote:
  >
  > It would be good to know more details.
  >
  > What is the OS version you are working with? Are there any GW services
  > on the server that is retiring? What is the version of GW? How many
  > domains/POs are in your system?
  >
  > So you have GW passwords separate from your eDir password? Remember,
  > there is a link between eDir and GW...especially with the older
  > versions. Oft times if eDir is not working properly, neither will your
  > GW work properly. so if you turn of the server and GW stops...it might
  > have more to do with eDir than GW...
  Groupwise doesn't care a single bit about eDir once it runs, *UNLESS* it
  is *specifically* configured to use LDAP authentication, which this
  system apparently isn't:
  "Hi,
  Connect to PRIDOM then Tools - Groupwse System Operations -> LDAP
  Servers
  At the moment this is blank (no entries)."
  (From the OPs second post)
  Also, the OP *specifically* stated that he's concerned about the LDAP
  question that occured *during* the installation. The *only* question
  about LDAP *during the install* is the one that the installer needs
  *ONCE* to create the eDir objects. This is nowhere stored and never
  again needed, it's for the install *only*.
  At no point in time does the installer ask about LDAP authentication
  settings for the PO or system, these *must* be configured after the fact
  in ConsoleOne, and we know through above quote that it isn't.
  Hence, there must be something else going on here. A 8F01 error too is
  in no way eDir related, but it indicates a problem with TCP/IP or the
  queues directories. You get this error for instance when the queue
  directory of the agents isn't accessible.
  This could indicate that possibly the queue directories of the PO
  possibly reside remote on the switched-off server. Which would be a
  truly unfortunate setup, but *is* possible.
  Whatever, this is *not* an edir related problem, Groupwise doesn't need
  eDir to run at all. It only needs it for administration, *or* for LDAP
  authentication. Never ever anywhere else, and eDir malfunctioning does
  not and can not influence GW.
  CU,
  Massimo Rosen
  Novell Knowledge Partner
  No emails please!
  http://www.cfc-it.de

• Directory services and windows 2003

  hello all i am new to the world of solaris. So the trouble is that we have a sunfire and i installed directory services 5.2 but windows 2003 refuse to join the domain at all... the sunfire box is in nat and there's an entry in the nat dns server. the question is: is it really possible for a win box to join the solaris ds? or only other solaris boxes can do it?

  Dear Andreas:
  I have read that:
  Hello together,
  I think I've got a solution for my
  Real-Time-LDAP-Password-Check. T was right there is a BSA package,
  which exectly do this but it is not available through the website
  or any download.
  For this you don't need a NTLM Server running or a reverse
  proxy for user authentication. It simply checks over the LDAP port
  to your LDAP server and
  returns if the login is granted through the LDAP password ior
  not.
  Yesterday I spoke to a Breeze dev. and he sent me these
  scripts. He said they will be already implemented into the next
  Breeze version but will also work with Breeze 6.
  When some is interested in this solution please send me pm
  with your email adress and I will send the zip file to you.
  Regards,
  Andreas
  We are an spanish company specilized in developing PDF forms
  and other type of applications and also involved with Adobe,
  specially in Connect.
  I will appreciate if you can send me the zip file to solve
  the LDAP question.
  My email is [email protected]
  Thanks in advance.
  Desirée

• Creating MS SQL Server 2005 Analysis Services OLAP connection

  Hello,
  I am trying to add an OLAP data source in BI Publisher (which is part of the OBIEE 11.1.1.5.0 suite I have installed). However, the connection never seems to create - I don't get an error or a success message when I test the connection. However, if I cancel out of the create connection screen, I get this error: "Your request was denied as you have no permission to access the data.". This is odd since the credentials I am using have admin rights to the OLAP cube I am attempting to connect to.
  SETUP
  OBIEE 11.1.1.5.0 x86_64 bit Linux
  MS SQL Server 2005 Analysis Services running on Windows Server Enterprise (32 bit) 2007 SP2
  Windows users are able to connect to the Windows/SQL server via Excel 2007 and its built-in Analysis Services "Other Data Sources" option. Authentication is done via Windows Active Directory LDAP
  QUESTIONS
  1) In the BI Publisher connection screen, can I enter my AD username/password, or because I am connecting from a Linux Server, do I need to authenticate via a different method?
  2) In the connection string, the initial catalog I am attempting to connect to has spaces in its name. Could this be an issue?
  3) Given the "no permission to access data" message I am getting, is it possible I am reaching the SQL Server but need to set up a local database, non-AD account to access the OLAP catalog?
  4) Are there any logs in the OBIEE server that I can check for more details?
  Thanks!

  Post Author: Sam Naghshineh
  CA Forum: Olap
  With the new productivity pack for Business Objects Enterprise XI R2 (Service Pack 2) you can access SSAS 2005 through the new OLAP tool called Voyager.  The productivity pack is due out sometime in the next few weeks.
  Hope this helps.

• How to batch update the person details in mail store

  I have a text file containing new person details. How can I add them into the mail store in iMS 5.2? Pls advise and thanks.

  As Chad says, this is more of an LDAP question.
  Best way to do it is by creating a batch script.
  Create a test user for your mail system.
  Determine what attributes this test user has in your directory by running an LDIF export.
  Then given a CSV file of users, write a script that populates an LDIF file with relevant attributes for each user.
  Then import the LDIF.

• Entitlements Server Policy Creation

  Hi
  Can any one please tell me whether the following cases are feasible
  Do the users need to be existing physically in DB(Admin Server) before creating a policy for the respective user ??
  (we were actually looking to for creation of policy with the userName by using a LDAP -- Question is whether the administration server sync up with the LDAP? )
  If there is any workaround or any earlier discussion on this please forward me
  Thanks
  Kish

  :/opt/SUNWappserver/domains/domain1/applications/j2ee.apps/epcis/-
  this should be j2ee-apps.
  i take it you rebooted the server then

• Questions on LDAP w.r.t XML Publisher 5.6.2

  Hi all,
  I have 2 questions on LDAP integration w.r.t XML P 5.6.2
  1) Is OID the only supported LDAP repository? I tried to set up a Iplanet directory server against XMLP, but could not. Did I miss something, or it is not supported?
  Other than OID, any other LDAP supported?
  2) Suppose, my use-case is: I want to show some values from the database, and also in the same report, print out the user attributes from the LDAP (like email id of the user, for example) who fired the report, then is this possible?
  Thanks,
  Ambarish,

  Ok. Question 1 - I have answered myself. I could not set up SunONE Directory server against XMLP :-(
  But I could set up against openldap. :-)
  I plan to contribute to the blog in 2/3 days time on how this can be done.
  But I still need some help on the question 2. How can I create a report which has all the data from both the backend database, and well as from the LDAP repository. For example, report like:
  Report Fired By:
  EMAIL id:
  Mobile:
  (data1, data2...)
  where data1, data2 comes from the database, and email id, mobile from the LDAP.

• LDAP design question for multiple sites

  LDAP design question for multiple sites
  I'm planning to implement the Sun Java System Directory Server 5.2 2005Q1 for replacing the NIS.
  Currently we have 3 sites with different NIS domains.
  Since the NFS over the WAN connection is very unreliable, I would like to implement as follows:
  1. 3 LDAP servers + replica for each sites.
  2. Single username and password for every end user cross those 3 sites.
  3. Different auto_master, auto_home and auto_local maps for three sites. So when user login to different site, the password is the same but the home directory is different (local).
  So the questions are
  1. Should I need to have 3 domains for LDAP?
  2. If yes for question 1, then how can I keep the username password sync for three domains? If no for question 1, then what is the DIT (Directory Infrastructure Tree) or directory structure I should use?
  3. How to make auto map work on LDAP as well as mount local home directory?
  I really appreciate that some LDAP experta can light me up on this project.

  Thanks for your information.
  My current environment has 3 sites with 3 different NIS domainname: SiteA: A.com, SiteB:B.A.com, SiteC:C.A.com (A.com is our company domainname).
  So everytime I add a new user account and I need to create on three NIS domains separately. Also, the password is out of sync if user change the password on one site.
  I would like to migrate NIS to LDAP.
  I want to have single username and password for each user on 3 sites. However, the home directory is on local NFS filer.
  Say for userA, his home directory is /user/userA in passwd file/map. On location X, his home directory will mount FilerX:/vol/user/userA,
  On location Y, userA's home directory will mount FilerY:/vol/user/userA.
  So the mount drive is determined by auto_user map in NIS.
  In other words, there will be 3 different auto_user maps in 3 different LDAP servers.
  So userA login hostX in location X will mount home directory on local FilerX, and login hostY in location Y will mount home directory on local FilerY.
  But the username and password will be the same on three sites.
  That'd my goal.
  Some LDAP expert suggest me the MMR (Multiple-Master-Replication). But I still no quite sure how to do MMR.
  It would be appreciated if some LDAP guru can give me some guideline at start point.
  Best wishes

• Question about backing up Portal LDAP

  I have a question I want to migrate my production Portal Profile
  Server(LDAP) to a test development enviroment
  And all i need is my ldap.ldif file...
  Has any one tried this?

  yes, u must have LDAP access to the profile server admin port (8900).
  Tore
  "James Karocki" <[email protected]> wrote in message
  news:9js8tk$[email protected]..
  I have a question I want to migrate my production Portal Profile
  Server(LDAP) to a test development enviroment
  And all i need is my ldap.ldif file...
  Has any one tried this?

• Two questions about of usage of LDAP  in SAP XI-context

  Hello!
  I would like to know whether an LDAP adapter is existing for SAP XI or not?
  It is important for the answer of the following two questions:
  <b>a) Does the solution have Active Directory integration for accessing employee information?      (Yes/No) 
  b)Does the solution have Active Directory integration for accessing employee hierarchy? (Yes/No)      </b>
  Can someone help me by answering the questions above.
  Thank you!
  Regards

  I do not think that there is a LDAP Adapter for XI.
  However, SAP NW has its own LDAP database. There are tools available integrating this LDAP with an external LDAP databse. For example, program RSLDAPSYNC_USER enables synchronizing the User information with the LDAP server.
  Transaction LDAP allows you to define which specific user information is to be integrated.
  I am not sure if there is an option to integrate employee hierarchy. You can check with the transaction LDAP.
  Note that none of this has anything specific to XI. It is available with the NetWeaver itself.
  Good Luck,
  Bhanu

• Question on LDAP integration & user deletion

  In the "Administration Console Help" Document it states:
  "You cannot invite user accounts that are mastered in an LDAP-based user directory; these accounts are created automatically when you synchronize the LDAP directory."
  Does this mean that after configuring a LDAP Realm, the users specified by the filter should be automatically pulled into OnTrack? I do not see ldap users when executing a blank search from the admin console. At this point, I also cannot log into OnTrack using a valid LDAP user. I was trying to see if OnTrack worked similar to UCM where the OnTrack user acct would be created once the user logs into the application.
  What I can do is go to "Create User" and enter the email address for a valid ldap user. then I see that user in the full search. that user can also log in successfully.
  I wanted to know what the expected behavior was: is there expected to be a required 'registry' of ldap users into ontrack before they can auth into the app? Is there some sync process that needs to be run to pull in the ldap users?
  Also, is there any current best practice of user deletion? I see in the admin console that there is a note that states: "Note: User deletion is not supported."
  As always, thanks for the info!
  Thanks,
  -ryan
  Ryan Sullivan | ECMconsultant
  http://www.ecmconsultant.net/

  Ryan,
  It sounds like you figured this out.
  There is NOT an explicit sync of users from LDAP into On Track. The On Track user object is created when the LDAP user first logs in (or when added to a Conversation by another user). After that point, the user will be visible in the admin console. (Note, however, that from the client, you can search for an LDAP user and add them to a Conversation's membership even if that user has not yet logged in to On Track. It does this by searching for the user in the LDAP directory, as well as in On Track's known users. This is a great way to "invite" other people in the organization to participate in On Track.
  As for your other questions:
  - The recommended way to "delete" a user is to mark the user "Disabled" in On Track. This will prevent that user from logging in and from showing up as a valid user in the client.
  - Once a user "[email protected]" exists, it should not be possible to create another "[email protected]" user, even if the first one is disabled, and regardless of which realm those users are in.
  --Dan