LDAP server as client to himself

Similar Messages

• Can an LDAP server be it's own client?

  In short yes, why would you want to do this? Many reasons, but mine is to be able to use ldap on laptops running Solaris and have them log into the machine with ldap credentials off the network. When we plug them back onto the network, I have a master server send any new data via one-way replication. I will give 2 separate ways to accomplish this. One is, to put it bluntly, a dirty hack to get it working. The second is much more elegant and it's the one I have stressed tested to verify that it works.
  Disclaimer: I have only used these methods on Solaris10 update 3 with Trusted Extensions using directory server 5.2 as well as the administration server. I have used a few different kinds of machines (all x86) and have not had a problem with it. I do not know if it will work on any other version or hardware. I haven't even looked at the source code, all assumptions made here are from observing the systems behavior while making minor changes.
  Now, the reasons why normally you can't be your own client (at least as far as I can tell) is because of the way the system boots and the dependencies that the ldap/client service needs to start up. If you boot a machine that is it's own client and ldap/client runs before the directory server starts, of course it will fail. The system boots the services first, then legacy init scripts. Directory Server 5.2 uses init scripts. Correct me if I am wrong, but that is the only real hurdle in your way.
  So the first way to get it 'working' (dirty hack) is to delay the ldap/client smf service from starting until the directory server is started. After you become a client of yourself (in this case the global zone) disable the ldap/client serrvice.
  svcadm disable ldap/clientThen enable it temporarily with the -t option
  svcadm enable -t ldap/clientWell if you were to reboot now it would not work because the service would not start at boot because it is set to be administratively down. Edit the S72directory script in /etc/rc2.d and after the start commands just add the svcadm enable -t ldap/client command and it will load right after directory server starts. Will this work? Yes, is it a clean way to do it? NO. I used this method just for testing the theory that the only reason I could not be my own client was because of the booting issue.
  Now the best way that I can see to accomplish this is to create your own smf services for the directory server and admin server. That way all you have to do is add a dependency to the ldap/client xml file to wait until the new directory server service is started before it starts. So in /var/svc/manifest/site create a folder called ldap (I put this in site because I didn't want to run into any issues of patching). In /var/svc/manifest/site/ldap/ create two xml files named:
  quick note: These are the first services I have created. There may be a much better way to make them. If you can re-code it better, please let me know so I can look at them. Also there is no restart command in here (actually I just noticed that) so adding one of those would be wise.
  ds_admin.xml and directory_server.xml.
  ds_admin.xml contains<?xml version="1.0"?>
  <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
  <!--
       Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
       Use is subject to license terms.
       ident     "@(#)client.xml     1.4     04/12/09 SMI"
       NOTE:  This service manifest is editable; its contents will not
       be overwritten by package or patch operations, including
       operating system upgrade.
  -->
  <service_bundle type='manifest' name='SUNWdsadmin:dsadmin'>
  <service
       name='site/ldap/ds_admin'
       type='service'
       version='1'>
       <create_default_instance enabled='false' />
       <single_instance />
       <dependency
           name='fs'
           grouping='require_all'
           restart_on='none'
           type='service'>
            <service_fmri value='svc:/system/filesystem/minimal' />
       </dependency>
       <dependency
           name='net'
           grouping='require_all'
           restart_on='none'
           type='service'>
            <service_fmri value='svc:/network/initial' />
       </dependency>
       <exec_method
           type='method'
           name='start'
           exec='/lib/svc/method/ds_admin start'
           timeout_seconds='120' >
            <method_context>
                 <method_credential user='root' group='sys' />
            </method_context>
       </exec_method>
       <exec_method
           type='method'
           name='stop'
           exec='/lib/svc/method/ds_admin stop'
           timeout_seconds='60' >
            <method_context>
                 <method_credential user='root' group='sys' />
            </method_context>
       </exec_method>
       <stability value='Unstable' />
       <template>
            <common_name>
                 <loctext xml:lang='C'>
                 LDAP Admin server      
                 </loctext>
            </common_name>
            <description>
                 <loctext xml:lang='C'>
  LDAP admin server
  Information Service lookups
                 </loctext>
            </description>
       </template>
  </service>
  </service_bundle>and directory_server.xml contains:
  <?xml version="1.0"?>
  <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
  <!--
       Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
       Use is subject to license terms.
       ident     "@(#)client.xml     1.4     04/12/09 SMI"
       NOTE:  This service manifest is editable; its contents will not
       be overwritten by package or patch operations, including
       operating system upgrade.
  -->
  <service_bundle type='manifest' name='SUNWds:ds'>
  <service
       name='site/ldap/directory_server'
       type='service'
       version='1'>
       <create_default_instance enabled='false' />
       <single_instance />
       <dependency
           name='usr'
           grouping='require_all'
           restart_on='none'
           type='service'>
            <service_fmri value='svc:/system/filesystem/minimal' />
       </dependency>
       <dependency
           name='net'
           grouping='require_all'
           restart_on='none'
           type='service'>
            <service_fmri value='svc:/network/initial' />
       </dependency>
    <dependency
              name='ds_admin'
              grouping='require_all'
              restart_on='none'
              type='service'>
                  <service_fmri
                      value='svc:/site/ldap/ds_admin' />
       </dependency>
       <exec_method
           type='method'
           name='start'
           exec='/lib/svc/method/directory_server start'
           timeout_seconds='120' >
            <method_context>
                 <method_credential user='root' group='sys' />
            </method_context>
       </exec_method>
       <exec_method
           type='method'
           name='stop'
           exec='/lib/svc/method/directory_server stop'
           timeout_seconds='60' >
            <method_context>
                 <method_credential user='root' group='sys' />
            </method_context>
       </exec_method>
       <stability value='Unstable' />
       <template>
            <common_name>
                 <loctext xml:lang='C'>
                 LDAP directory server      
                 </loctext>
            </common_name>
            <description>
                 <loctext xml:lang='C'>
  LDAP directory server
  Information Service lookups
                 </loctext>
            </description>
       </template>
  </service>
  </service_bundle>Now the start/stop scripts will be located in /lib/svc/method and are as followed:
  ds_admin
  #!/sbin/sh
  case "$1" in
       start)
            /usr/sbin/directoryserver start-admin
       stop)
            /usr/sbin/directoryserver stop-admin
            echo "Usage: $0 { start | stop }"
            exit 1
  esac
  exit 0simple yes.
  directory_server
  #!/sbin/sh
  HOST_NAME=`hostname`
  SERVER_ROOT=/var/opt/mps/serverroot
  DIRECTORY_SERVER_INSTANCE=slapd-${HOST_NAME}
  case "$1" in
       start)
            ${SERVER_ROOT}/${DIRECTORY_SERVER_INSTANCE}/start-slapd
       stop)
            ${SERVER_ROOT}/${DIRECTORY_SERVER_INSTANCE}/stop-slapd
            echo "Usage: $0 { start | stop }"
            exit 1
  esac
  exit 0The only thing left to do is modify the ldap/client smf file to wait until the directory server starts before it loads.
  So edit /var/svc/manifest/network/ldap/client.xml and right before the dependency for for /var/ldap/ldap_client_file add this
  <dependency
              name='directory_server'
              grouping='require_all'
              restart_on='none'
              type='service'>
                  <service_fmri
                          value='svc:/site/ldap/directory_server' />
          </dependency>
  Any changes made to the /ldap/client xml file must be made after ALL zones have been installed. If this file is copied to a zone it will never work as the directory_server service is not loaded in the zones.
  Now what? You must remove the legacy init scripts in /etc/rc2.d. Those would be S72directory and S73mpsadm. No need to keep them around, alternatively, you can just change the capital 'S' to lower case and they want start.
  You can now either use svccfg to validate and import the new services or you can reboot. Typically, I reboot and use the '-m verbose' option on boot to watch the services for any errors. I haven't had any lately but on different systems I always watch to see if it behaves different.
  That's it. I have rebooted all the machines many, many times without error. This of course does not address loading the directory server or adding users, tnrhdb file, etc... We have scripted most of loading out and once we get some error correction coded in I will post them.
  Also, if you find any errors or even a better way to accomplish this, please post it.

  This restriction is only in terms of implementing the Solaris support for LDAP as a naming service. If the Solaris OS is configured to use LDAP as a naming service, it can't use a LDAP server running on the same host.
  The reason is that the LDAP server makes naming service calls before it gets fully started up. If the OS wants to use the LDAP server for the naming service, then a deadlock happens, where the LDAP server's gethostbyname() call can't complete because the LDAP server isn't up.
  It is possible to configure the Solaris naming resolution to avoid this problem. I've got a system set up this way myself. Regardless, the official support channels won't support a system set up this way, so if you do this you do it at your own risk.

• Solaris 10 client - ldap_search: Can't connect to LDAP server

  Hello
  I have following configuration:
  - openLDAP server in Solaris 10 zone called ldap
  - native LDAP client in different Solaris 10 zone called mail on the same SPARC machine
  I can't get ldapsearch results after ldapclient initialization.
  [root@mail ~]# ldapsearch -b dc=pov,dc=pl objectclass=*
  ldap_search: Can't connect to the LDAP server - Connection refused
  But I am able to get data from LDAP server if address of the server is specified:
  [root@mail ~]# ldapsearch -b dc=pov,dc=pl -h 192.168.1.40 objectclass=*
  version: 1
  dn: ou=users,dc=pov,dc=pl
  objectClass: organizationalUnit
  ou: Users
  Here is ldapclient config:
  [root@mail ~]# ldapclient list
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_SERVERS= 192.168.1.40
  NS_LDAP_SEARCH_BASEDN= dc=pov,dc=pl
  NS_LDAP_AUTH= none
  NS_LDAP_CACHETTL= 0
  What am I missing?

  Hi, I'm no exprert but I will try to help you. Are you still working on this?
  This what my stuff looks like:
  # ldapclient list
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=deathnote,dc=net
  NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
  NS_LDAP_SERVERS= 10.0.1.21:389
  NS_LDAP_SEARCH_BASEDN= dc=deathnote,dc=net
  NS_LDAP_AUTH= none
  NS_LDAP_CACHETTL= 0
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=deathnote,dc=net
  NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=deathnote,dc=net
  NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=deathnote,dc=net
  NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
  [root@light migration]# cat user00.ldif
  dn: uid=user00,ou=People,dc=deathnote,dc=net
  uid: user00
  cn: user00
  objectClass: account
  objectClass: posixAccount
  objectClass: shadowAccount
  objectClass: top
  loginShell: /bin/bash
  uidNumber: 805
  gidNumber: 501
  homeDirectory: /home/user00
  gecos: ldap user
  Also update you hosts file and add your server to the domain.
  I hope this helps.
  Edited by: CyberNinja on Oct 22, 2011 12:37 PM

• How to make sure a client will reboot if the LDAP server SLAPD isn't runnin

  What do I need to do to a Solaris 8 client to make sure that if SLAPD is down and something happened and the server rebooted, that it would come up even though the LDAP server slapd isn't running?
  thanks,
  Gary

  You need to be able to see that Find My Mac is turned off. That is all you need to ensure.

• LDAP (Directory service) server and client compatiblw with windows 7

  Hello Experts,
  Earlier we were using Netscape Server 4.0 and Console  in Windows XP for LDAP Integration testing with BRM.
  Now that Windows XP is soon going to be decommissioned and the software is incompatible with windows 7,I am looking for Directory service (both server and client) alternatives compatible with Windows 7.
  Has  anyone tried setting up a Directory service(or LDAP) in windows 7 Operating system ??
  Any help is appreciated. Thank you

  Hello Mr Thio,
  Basic cause for this type of error message is Generally permission issue.If you are using a domain account make sure it is added as local administrator in local machine.
  RK on setup.exe and select run as administrator
  Makes sure you copy installables on local drive and run setup from machine if your are running from CD directly avoid it.
  Below MS link has documented this error please go through the link properly
  http://support.microsoft.com/kb/2799534
  Please mark this reply as the answer or vote as helpful, as appropriate, to make it useful for other readers

• Ldap server & client

  Hi,
  I have doubting on how the best way to setup ldap server(sol 10) & ldap client(sol 10).
  I have installed DS 6.2 on ldap server but the questions now is how to auto mount /export/home to the client.
  I trying by configured using ldapclient init .. (manual method) on ldap client but when the user logging using their account,
  no response.Seems that ldap server not automatically mount the directory /export/home for users to access.
  Can anybody show/guide/share with me? Im still new with this implementation.
  I need to do it for my sunray users.Thanks.

  In this case, i have one scenario that still in research phase.Searching a variety of info on how to auto mount /export/home to enable users to have their own login
  but still not success.
  I give you a scenario:
  1 ldap server & 3 ldap clients (also become sunray servers) are been setup.
  Users will seen the welcome screen on their Sun Ray desktop(which also been as ldap client) & will keyin their username with password.
  Then users should get their JDS environment.
  Problem:
  When users keyin the username with password, no response.Still cannot get the JDS environment.
  Isn't possible to do this implementation. So far, i can authenticate ldap with system like SGD but how to integrate with Solaris OS itself?
  Hope you can guide me.

• ASA Remote Access Authentication with LDAP Server

  Thank you in advance for your help.
  I am configuring an ASA to authenticate with a ldap server for ipsec vpn access.  My customer has 3 networks that are to be accessed by remote users.  However they want to be able to say that one user can get to 2 of the networks and not the 3rd.  So basically they want control over what network behind the firewall each user can access.  This seems doable from my reading and I had planned to creating a group for each network that needs accessible and either do attribute maps to each group with a separate group created on the ldap server for authentication.  Basically a ldap group on the ldap server that will have the users name in the group in order for access.  I can restrict access via acl's or filtering to force my group to only be allowed access to a specific network.  Here is the problem I am having now.
  The ldap server has been created and seems to be working fine.  I have created my AAA groups and servers and I have done the ldap test with a test user vpntest and a password on the ldap server.  When I run the authentication test from the ADSM or command line I get a good authentication successful message.  So I configured a vpn client remotely and attempted to authenticate to this group and it says there is no user by that name.  Below is a paste of the debug.  The second part is when I did a successful test from the ASDM or CLI and it worked great.  The first part is when I attempted from the vpn client.  It all looks the same from the search criteria.  What am I missing here or does anyone more knowledgeable see anything that I am doing wrong.  Can this be done this way or should I try radius.  The customer was just adament about using ldap.
  extvpnasa5510#
  [243] Session Start
  [243] New request Session, context 0xd5713fe0, reqType = 1
  [243] Fiber started
  [243] Creating LDAP context with uri=ldaps://130.18.22.44:636
  [243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
  [243] supportedLDAPVersion: value = 2
  [243] supportedLDAPVersion: value = 3
  [243] No Login DN configured for server 130.18.22.44
  [243] Binding as administrator
  [243] Performing Simple authentication for  to 130.18.22.44
  [243] LDAP Search:
          Base DN = [ou=employees,o=msues]
          Filter  = [uid=vpntest]
          Scope   = [SUBTREE]
  [243] User DN = [uid=vpntest,ou=employees,o=msues]
  [243] Talking to iPlanet server 130.18.22.44
  [243] No results returned for iPlanet global password policy
  [243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
  [243] Session End
  extvpnasa5510#
  [244] Session Start
  [244] New request Session, context 0xd5713fe0, reqType = 1
  [244] Fiber started
  [244] Creating LDAP context with uri=ldaps://130.18.22.44:636
  [244] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
  [244] supportedLDAPVersion: value = 2
  [244] supportedLDAPVersion: value = 3
  [244] No Login DN configured for server 130.18.22.44
  [244] Binding as administrator
  [244] Performing Simple authentication for  to 130.18.22.44
  [244] LDAP Search:
          Base DN = [ou=employees,o=msues]
          Filter  = [uid=vpntest]
          Scope   = [SUBTREE]
  [244] User DN = [uid=vpntest,ou=employees,o=msues]
  [244] Talking to iPlanet server 130.18.22.44
  [244] Binding as user
  [244] Performing Simple authentication for vpntest to 130.18.22.44
  [244] Processing LDAP response for user vpntest
  [244] Authentication successful for vpntest to 130.18.22.44
  [244] Retrieved User Attributes:
  [244]   sn: value = test user
  [244]   givenName: value = vpn
  [244]   uid: value = vpntest
  [244]   cn: value = vpn test user
  [244]   objectClass: value = top
  [244]   objectClass: value = person
  [244]   objectClass: value = organizationalPerson
  [244]   objectClass: value = inetOrgPerson
  [244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
  [244] Session End

  Hi Larry,
  You can map AD group memberships to specific group policies on the ASA, you can find that configuration here:
  - http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
  Let me know if further assistance is required!
  Please proceed to rate and mark as correct the helpful Post!
  David Castro,
  Regards,

• Sample connecting to LDAP Server in Java

  Hi,
  I am trying to establishing SSL from Java Application(via Netscape Directory SDK 4.0 - Java version) to the Directory Server(ADS) in a secure manner - i.e. LDAP over SSL.
  I am trying to run this code...
  LDAPConnection ld = null;
  LDAPModificationSet attrs = new LDAPModificationSet();
  attrs.add(LDAPModification.REPLACE,new LDAPAttribute("unicodePwd", "testpassword"));
  try
  LDAPSSLSocketFactory ssl = new LDAPSSLSocketFactory();
  ld = new LDAPConnection( ssl );
  /* Connect to server */
  ld.connect("10.10.10.7",636);
  /* Authenticate to the server as directory manager */
  ld.authenticate(adminDN,password);
  /* Now modify the entry in the directory */
  ld.modify( userDN, attrs );
  catch(Exception e)
  But I don't know where my program reads the Cert. info... I don't know
  if I have to import my internal CA via keytool or I have missed some
  special configuration ..
  When I run this code, the following error appears:
  netscape.ldap.LDAPException: Failed to create SSL socket (91); Cannot connect to the LDAP server
  at netscape.ldap.LDAPSSLSocketFactory.makeSocket(LDAPSSLSocketFactory.java:309)
  at edu.umassmed.chcf.security.ldap.LDAPHelper.setLDAPPassword(LDAPHelper.java:742)
  at edu.umassmed.chcf.security.administration.userhandler.UserHandlerBean.changePassword(User HandlerBean.java:628)
  at edu.umassmed.chcf.security.administration.userhandler.UserHandlerBean_37ncs1_ELOImpl.chan
  gePassword(UserHandlerBean_37ncs1_ELOImpl.java:409)
  at edu.umassmed.chcf.security.administration.userfacade.UserManagerBean.changePassword(UserM
  anagerBean.java:174)
  at edu.umassmed.chcf.security.administration.userfacade.UserManagerBean_3chmth_EOImpl.change
  Password(UserManagerBean_3chmth_EOImpl.java:501)
  at edu.umassmed.chcf.sbb.action.ChangePasswordAction.perform(ChangePasswordAction.java:114)
  at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
  at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)
  at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:510)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:265)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:200)
  at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:24
  95)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2204)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
  LDAPHelper - authenticateUser() - expLDAP.toString() netscape.ldap.LDAPException: Failed to create S
  SL socket (91); Cannot connect to the LDAP server
  Is this possible? If so, what hints can you give me to get started (any sample code would be greatly appreciated).
  Thanks in advance.
  With Regards,
  Gokul.

  hey guys .. i was struggling with the same thing - finally found this solution -
  use:
  import netscape.ldap.*;
  import netscape.ldap.factory.JSSESocketFactory;
  JSSESocketFactory fact = new JSSESocketFactory(null);
  //unless u wanna specify any specific ciphers in the constructor
  log("Factory created");
  LDAPConnection ld = new LDAPConnection(fact);
  log("Connection initialised");
  ld.connect(MY_HOST, MY_PORT);
  log("Connected");
  ld.authenticate(user, pwd);
  log("Authenticated!");
  Before running this, i used the "keytool" command line utility to import the SSL client certificate into my default trustStore .. as a trusted cert. Dont know if thats required.. but it worked :) Hope this helps.

• What should be done in certmap.conf for 2-way SSL support from a standalone Java application to an SSL enabled LDAP Server

  To support certficate based client authentication using 2-way SSL from a standalone java application which uses JNDI and JSSE1.0.2 to connect to an SSL enabled LDAP Server how do we configure the certmap.conf?Is there any additional setup required at the LDAP Server side apart from enablinf SSL with the option"Required Client Authentication" enabled.The 2 way SSL handshake goes through but the access log file (After configuring the certmap.conf for the issuer DN of the client certficate etc..)shows SSL failed to LDAP DN?But inspite of this access log error the Java client does get an SSL Connection object with which it is able to connect to the LDAP.IS the certmap.conf file being looked up by the LDAP Server at all?

  have you out.flush() and out.close() before you call connection.getInputStream()?

• Need help setting up LDAP server for Address Book

  I've set up Panther servers before for AFP which is pretty simple but now the office I work at wants me to setup an LDAP server so they can share the same contact information, probably about 2,000+ entries. I'm guessing that this will have to be entered in the LDAP server entry by entry.
  I need to know how to setup the server and what settings need to be on the clients' computers, such as in Address Book.
  The server is an older G4 tower and I've got 8 computers hooked up to it on a simple network. I don't think I'll need to make the LDAP server accessible from outside the network but it's something I'll have to worry about for the future.
  Thanks for any help you can offer.

  bump

• Can I use LDAP server's authentication mechanism rather than comparing password ?

  Hi All,
  The weblogic security and adminguide says that the user authencation can be of
  the following 3 types:
  1. Bind specifies that the LDAP security realm
  retrieves user data, including the password for
  the LDAP server, and checks the password in
  WebLogic Server.
  2. External specifies that the LDAP security
  realm authenticates a User by attempting to
  bind to the LDAP server with the username
  and password supplied by theWebLogic
  Server client. If you choose the External
  setting, you must also use the SSL protocol.
  3. Local specifies that the LDAP security realm
  authenticates a User by looking up the
  UserPassword property in the LDAP directory
  and checking it against the passwords in
  WebLogic Server.
  But say I want that my users should be authenticated by the LDAP server rather
  than picking up the password from LDAP and comparing at weblogic end. Then what
  should I do ?
  Because no. 2 is applicable only for ssl certificates, no.1 and no.3 picks up
  password using the login dn and password provided at the time of configuration
  of realm and compare with password given by user.
  And once gain there some issues on having picking up password and comparing it:
  1. Netscape directory server can store the password in oneway hashed form(and
  that is preferred , too). So when userpassword attribute is read , it's in one
  way hashed form. So how the comparison will go on ?
  2. Creating a user who has the access to user data along with userpassword attribute
  itself is a security threat, as if someone can crack that user's dn and password
  then he/she can do anything as userdata can be read.
  Any suggestion is welcome.
  TIA,
  Sudarson

  Thanks a lot Jerry.
  I got these stuff from weblogic 6.1 docs sets security.pdf and adminguide.pdf.
  I have another question, if that is the case (in Case of BIND), then why do we
  a require a dn of user and password who has the access to read the entire directory
  And at the same time, u specified this for Bind, what are the cases for other
  two-local and external ? And then what is actually difference between Bind and
  Local ?
  Pls help me.
  Thanks,
  Sudarson
  Jerry <[email protected]> wrote:
  Hi Sudarson,
  Whatever doc you were reading is at least partially incorrect, unfortunately...
  I know for sure that when you specify BIND, weblogic sends the username/password
  to your
  LDAP server in an attempt to bind to it.
  If the bind is successful, WLS determines that the username/password
  pair were correct.
  If the bind was unsuccessful, WLS determines that the username/password
  pairing is not
  valid.
  At all times, WebLogic is letting the LDAP server do the actual compare
  of
  username/password. WLS does not, at any time, retrieve a password from
  the LDAP server.
  I hope this helps,
  Joe Jerry
  sudarson wrote:
  Hi All,
  The weblogic security and adminguide says that the user authencationcan be of
  the following 3 types:
  1. Bind specifies that the LDAP security realm
  retrieves user data, including the password for
  the LDAP server, and checks the password in
  WebLogic Server.
  2. External specifies that the LDAP security
  realm authenticates a User by attempting to
  bind to the LDAP server with the username
  and password supplied by theWebLogic
  Server client. If you choose the External
  setting, you must also use the SSL protocol.
  3. Local specifies that the LDAP security realm
  authenticates a User by looking up the
  UserPassword property in the LDAP directory
  and checking it against the passwords in
  WebLogic Server.
  But say I want that my users should be authenticated by the LDAP serverrather
  than picking up the password from LDAP and comparing at weblogic end.Then what
  should I do ?
  Because no. 2 is applicable only for ssl certificates, no.1 and no.3picks up
  password using the login dn and password provided at the time of configuration
  of realm and compare with password given by user.
  And once gain there some issues on having picking up password and comparingit:
  1. Netscape directory server can store the password in oneway hashedform(and
  that is preferred , too). So when userpassword attribute is read ,it's in one
  way hashed form. So how the comparison will go on ?
  2. Creating a user who has the access to user data along with userpasswordattribute
  itself is a security threat, as if someone can crack that user's dnand password
  then he/she can do anything as userdata can be read.
  Any suggestion is welcome.
  TIA,
  Sudarson

• Problem with deleting object in LDAP server

  Hi,
  I am writing a Java Ldap client which performs object search/deletion/addition/modification.
  Now I can search the object via DN using the client program.
  When I try to delete, the program goes through without any exception. But the object
  still exists in the Ldap server.
  Did I miss anything in my program?
  BTW, I can use the same uid/passwd to delete the user from the Netscape Ldap console.
  But not from the client program.
  Here is the short program:
  try {
  Hashtable env = new Hashtable();
  env.put(Context.INITIAL_CONTEXT_FACTORY,
  "com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.PROVIDER_URL, "ldap://localhost:389");
  env.put(Context.SECURITY_AUTHENTICATION, "simple");
  env.put(Context.SECURITY_PRINCIPAL, "uid=sysadmin, ou=Directory Administrators,
  o=abc.com");
  env.put(Context.SECURITY_CREDENTIALS, "sysadmin");
  DirContext ctx = new InitialDirContext(env);
  ctx.destroySubcontext("userId=steve, groupId=client, o=abc.com");
  System.out.println("Deletion successful");
  } catch (Exception e) {
  e.printStackTrace();
  System.exit(1);

  Use FM
  EPS_DELETE_FILE or CONVT_DELETE_FILES
  to delete file or you can use
  DELETE DATASET
  statement.
  rgds,
  TM.
  Please mark points if helpful.

• Connect Win Server 2008 R2 AD to linux ldap server

  I have the need to do the opposite of what I am finding most users doing. Instead of connecting a remote linux ldap client to a windows server 2008 Active Directory server I need to connect my windows server AD to my linux ldap server. Once this connection
  has been established I need for a user to be able to log in to the windows server and have their home directory on the linux box be mounted and available for the user to access their home directory and files.
  I have also heard there might need to be some changes done on the ldap schema on the linux server to satisfy the windows AD. Is this true?
  Does anyone have any information on how to configure the windows server (2008 R2) to do this? I am under the gun, time-wise, to get this implemented and working correctly. Any help would be GREATLY appreciated.

  Hello,
  please ask in your Linux LDAP forums to get these details.
  If you have an AD question then please ask it here.
  This
  posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Microsoft Student
  Partner 2010 / 2011
  Microsoft Certified Professional
  Microsoft Certified Systems Administrator:
  Security
  Microsoft Certified Systems Engineer:
  Security
  Microsoft Certified Technology Specialist:
  Windows Server 2008 Active Directory, Configuration
  Microsoft Certified Technology Specialist:
  Windows Server 2008 Network Infrastructure, Configuration
  Microsoft Certified Technology Specialist:
  Windows Server 2008 Applications Infrastructure, Configuration
  Microsoft Certified Technology Specialist:
  Windows 7, Configuring
  Microsoft Certified IT Professional: Enterprise
  Administrator
  Microsoft Certified IT Professional: Server Administrator
  Microsoft Certified Trainer

• Disabled future attempts to bind to [127.0.0.1] LDAP server

  Hi,
  Sometimes when a VPN client disconnect whatever he uses L2TP or PPTP under Mac or Windows, my server hangs up, the only solution is a hard reboot. Here is my system.log
  Mar 26 18:39:22 mail pppd[19096]: Connection terminated.
  Mar 26 18:39:22 mail pppd[19096]: PPTP disconnecting...\n
  Mar 26 18:39:22 mail pppd[19096]: PPTP disconnected\n
  Mar 26 18:39:22 mail vpnd[331]: --> Client with address = 192.168.2.249 has hungup\n
  Mar 26 18:39:23 mail DirectoryService[41]: Search connection failure: During an attempt to bind to [127.0.0.1] LDAP server.
  Mar 26 18:39:23 mail DirectoryService[41]: Search connection failure: Disabled future attempts to bind to [127.0.0.1] LDAP server for next 0 seconds.
  Any help appreciated.

  Hi Pierre
  Did you find a sollution to this problem? I have the same problem and tried everything that I can think of except for a complete reinstall. All services (AFP, DHCP, DNS, FTP, Web, Windows) works perfectly except for VPN.
  I have demoted from ODM to Standalone and back again restoring users from backup. I tried without restoring users just creating one single user to log in via VPN and it is just the same. I even tried unchecking "Enable directory binding" in Open Directory setup, just to see if that would help - but it didn't.
  Best Regards,
  Jesper

• HELP: Can not connect LDAP server with 64bit ldap csdk5.08 on Solaris10

  We are using 64bit ldap csdk5.08 on SunOS5.10. But it doesn't work.
  We wrote a simple client program that connects using ldap_simple_bind_s() function. When I run the code it gives an error saying 'Can't connect to the LDAP server - Connection refused' .
  At the same time using snoop to capture network packages on the ldap server , it shows no package received at all.
  But if we use 32bit ldap library, the program works well and no error is raised.
  And the 64bit ldap tool ldapsearch also works well, it can search data from the server successfully.
  The sample code:
  ==================================================
  #include <ldap.h>
  #include <stdio.h>
  int
  main( int argc, char **argv )
       LDAP *ld;
       int rc;
       /* Get a handle to an LDAP connection. */
       if ( (ld = ldap_init( "150.236.42.53", 38902)) == NULL )
            perror( "ldap_init" );
            return( 1 );
       /* Bind anonymously to the LDAP server. */
       rc = ldap_simple_bind_s( ld, NULL, NULL );
       if ( rc != LDAP_SUCCESS )
            ldap_perror(ld, "ldap_simple_bind_s:");
       return( 1 );
  }

  This looks like a mismatch between C-sdk libraries and Solaris native libraries.
  Are you sure your program loads the correct libraries ?
  Ludovic.