LDAP Server Signing requirements
Dear All,
Until now I have been running my two Windows Server 2008 R2 Active Directory domain controllers with the "Domain Controller: LDAP server signing requirements" policy not defined (which is the same as None), because they allowed authentication to our web server's content management system (Squiz Matrix, if you need to know). I followed the instructions in
http://technet.microsoft.com/en-us/library/dd941856(v=ws.10).aspx
to enable logging of 2889 events (logged where the server allowed a client to LDAP bind without requiring signing, also sending the password in cleartext!). This showed that our CMS servers were indeed doing most of the unsigned binding, as expected.
It seems that the preferred solution for this is to enable LDAP over SSL, which implies getting a certificate for each of the domain controllers, setting "Domain Controller: LDAP server signing requirements" to required, and configuring the CMS to use LDAP over SSL. This prompts me to ask a couple of questions:
1) If only the CMS servers appear in the 2889 events, that would mean they are the only ones binding without signing; but so far I have not got LDAP over SSL enabled, and if none of the member servers and desktops in my domain appear there, how are they signing, since they cannot be doing it against a certificate I have not created yet?
2) Would using a self-signed certificate in the domain controllers cause any problems?
Thank you for your help.
Yours,
FD
Hi,
Based on my research, using a self-signed certificate for LDAP signing will work, though it is not secure enough. It's better to install a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA.
Here are some related links I suggest you refer to:
How to enable LDAP over SSL with a third-party certification authority
http://support.microsoft.com/kb/321051
Windows Server 2008 - Enable LDAP over SSL
http://social.technet.microsoft.com/Forums/windowsserver/en-US/be63bfb5-6578-4590-8369-4488e9952750/windows-server-2008-enable-ldap-over-ssl?forum=winserverDS
LDAP Server Signing Requirement
http://social.technet.microsoft.com/Forums/en-US/e242fc9b-ed7e-4f78-b0b2-a1d9745e869e/ldap-server-signing-requirement
LDAP over SSL (LDAPS) Certificate
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
I hope this helps.
Amy Wang
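A worked check for the 2889 audit described in the question above, added here as an example (it is not code from the thread or from Microsoft): it parses an XML export of the Directory Service log, keeps only event 2889, and tallies unsigned or cleartext binds per client address, so the hosts that must move to LDAPS before the signing requirement is enforced are listed explicitly. The export command, the field order inside EventData, the file encoding and the sample events are assumptions.

```python
"""Summarise Directory Service event 2889 (LDAP bind without signing / cleartext).

Assumed input: the XML that `wevtutil qe "Directory Service"
/q:"*[System[EventID=2889]]" /f:xml` writes, i.e. a sequence of <Event>
elements with no enclosing root. Assumed field order in EventData (as in the
event text): client IP:port, then the identity the client bound as; a third
value (binding type) is kept raw when present.
"""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample export (not real log data): three 2889 events from a
# CMS pair, one from a workstation, and one 2887 daily-summary event that
# must be ignored.
SAMPLE_XML = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>2889</EventID><TimeCreated SystemTime="2014-02-03T09:00:01Z"/></System>
  <EventData><Data>192.0.2.10:51234</Data><Data>EXAMPLE\\svc-cms</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>2887</EventID><TimeCreated SystemTime="2014-02-03T09:00:02Z"/></System>
  <EventData><Data>4</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>2889</EventID><TimeCreated SystemTime="2014-02-03T09:05:11Z"/></System>
  <EventData><Data>192.0.2.11:40022</Data><Data>EXAMPLE\\svc-cms</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>2889</EventID><TimeCreated SystemTime="2014-02-03T09:06:40Z"/></System>
  <EventData><Data>192.0.2.10:51301</Data><Data>EXAMPLE\\svc-cms</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>2889</EventID><TimeCreated SystemTime="2014-02-03T10:12:03Z"/></System>
  <EventData><Data>192.0.2.50:61000</Data><Data>EXAMPLE\\jdoe</Data><Data>0</Data></EventData>
</Event>
"""


def parse_2889(xml_text):
    """Return one dict per 2889 event: time, client_ip, client_port, identity, binding_type."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")  # wevtutil emits no root element
    events = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", default="", namespaces=NS).strip() != "2889":
            continue
        data = [(d.text or "").strip() for d in ev.findall("e:EventData/e:Data", NS)]
        if len(data) < 2:
            continue  # truncated record; nothing to attribute
        # rpartition keeps bracketed IPv6 literals such as [2001:db8::1]:389 intact
        ip, _, port = data[0].rpartition(":")
        tc = ev.find("e:System/e:TimeCreated", NS)
        events.append({
            "time": tc.get("SystemTime", "") if tc is not None else "",
            "client_ip": ip or data[0],
            "client_port": port,
            "identity": data[1] or "(blank)",
            "binding_type": data[2] if len(data) > 2 else None,
        })
    return events


def summarise(events):
    """Group by client address, most binds first: {ip: {"binds": n, "identities": [...]}}."""
    by_host = defaultdict(lambda: {"binds": 0, "identities": set()})
    for e in events:
        by_host[e["client_ip"]]["binds"] += 1
        by_host[e["client_ip"]]["identities"].add(e["identity"])
    ordered = sorted(by_host.items(), key=lambda kv: -kv[1]["binds"])
    return {ip: {"binds": v["binds"], "identities": sorted(v["identities"])}
            for ip, v in ordered}


def report_lines(events):
    """Remediation list: every host listed here breaks once signing is required."""
    return [f"{ip:<18} {v['binds']:>4} unsigned/cleartext binds  as: {', '.join(v['identities'])}"
            for ip, v in summarise(events).items()]


if __name__ == "__main__":
    # Usage: python audit_2889.py export.xml  (export saved as UTF-8; re-encode a
    # UTF-16 export first). With no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(report_lines(parse_2889(text))))
```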
Similar Messages
-
Authentication problem by external ldap server for WLS 7.0
Hi all,
I have configured iPlanet Directory Server to serve as the authentication security provider for WLS 7.0. While doing so I have created a test security realm and made it the default. I have also configured the other default settings for the remaining security providers for the realm.
Now, when I start the WLS with the default username and password, the boot error below appears. As a matter of fact I have also created groups with the relevant username and pwd in the LDAP server as specified by the BEA documentation.
I have been trying to remove the problem for the last 4 days, but all in fiasco.
If anybody has any pointer to the problem, it will be a great help.
The error:
* To start WebLogic Server, use a username and *
* password assigned to an admin-level user. For *
* server administration, use the WebLogic Server *
* console at http://[hostname]:[port]/console *
D:\bea\weblogic700\samples\server\config\petstore>"D:\bea\jdk131_03\bin\java" -hotspot -Xms32m -Xmx200m -Dpet.mode= - Dweblogic.management.discover=false -Dweblogic.Name=petstoreServer -Dbea.home="D:\bea" -Dweblogic.management.username=weblogic -Dweblogic.management.password=weblogic -Dweblogic.ProductionModeEnabled=true -Djava.security.manager -Djava.security.policy=="D:\bea\weblogic700\server\lib\weblogic.policy" weblogic.Server
Starting WebLogic Server...
<Nov 19, 2002 10:08:04 AM IST> <Notice> <Management> <140005> <Loading configuration D:\bea\weblogic700\samples\server\config\petstore\.\config.xml>
<Nov 19, 2002 10:08:21 AM IST> <Notice> <Security> <090082> <Security initializing using realm RitTestRealm.>
<Nov 19, 2002 10:08:22 AM IST> <Critical> <WebLogicServer> <000364> <Server failed during initialization. Exception:java.lang.SecurityException: User weblogic is not permitted to boot the server
java.lang.SecurityException: User weblogic is not permitted to boot the server
at weblogic.security.service.SecurityServiceManager.doBootAuthorization(SecurityServiceManager.java:1076)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1116)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)
>
Regards,
Ritwik
Thanks Vijay - it has worked by creating the Administrator group in LDAP, but the WebLogic documentation also describes creating any group in the LDAP server with the boot username and pwd and then adding the group to the admin role of WLS 7.0 - but this did not work.
If there is any info regarding the same, please do let me know.
Regards,
Ritwik
"Vijay" <[email protected]> wrote:
Ritwik,
I think WebLogic 7 requires a group called "Administrators" in the LDAP server and requires a user to be added to that group. I have this working in one of my projects. The group really doesn't need to be an LDAP administrative group.
Can you provide any additional information? I might be able to help since I got this working only a coupla days back.
Vijay
-
OK, maybe here is the right place to post my question:
I am trying to install Sun ONE Directory Server, and other LDAPs as well, on my Windows XP Home Edition notebook that uses a DSL connection, with no domain name, and I am having trouble doing so.
I installed the same server (and other LDAPs) on my Windows 2000 with no problem, but this 2000 machine is on a domain network.
Maybe the domain is what is required. I am not sure though. I am new to LDAP, please help.
Typically, installing an LDAP server will require a fully-qualified domain name and a static IP address.
You are probably using DHCP to obtain an IP address since you mention that you are at home and on DSL.
You should refer to the installation guide for Directory Server. Docs can be found at docs.sun.com, search on the product name, titles only and you should be able to find the right one for the version you are using.
If you are mainly doing this to evaluate tools and servers, you might want to try the new version of Sun Java Studio Enterprise (6 2004Q1), which bundles the directory server (and other useful Sun Java servers). This product will be released at the end of this month.
Watch this web site for an announcement soon (~ 3-29-04) http://wwws.sun.com/software/product_categories/application_development.html
The full product name is Sun Java Studio Enterprise 6 2004Q1 (although Windows XP Home Edition is not a supported platform). Typically, you would probably find Win XP Pro to have more of the networking features necessary for installing and using servers.
-
Set or sign up at an LDAP Server
Hi all,
first off a happy new year to all readers - I'm just setting up a network with FileMaker Server, and inside my network at home everything is going OK. In order to connect to the FileMaker Server - which is on my home G4 without a steady IP - but I have an internet address which constantly watches the changes and therefore is fixed - I have to sign up at an LDAP Server. Is that possible from inside my computer with 10.4.8? Can I myself be the LDAP server, or do I need anything else? Can somebody maybe guide me to a page with a link?
Thanks in advance - Christoph
MDD G4 DP876 Mac OS X (10.4.8)
Hi Christoph,
Best I can find is this...
http://www.padl.com/Articles/AdvancedOpenDirectoryConf.html
But also of interest may be...
http://www.udel.edu/topics/e-mail/macosxmail/index.html#TigerLDAP
http://docs.info.apple.com/article.html?artnum=32478
http://www.macosxhints.com/article.php?story=20040111075453713
-
Use of Lotus LDAP server for WLP 7 - LDAP experts required
Hi,
I'm looking for someone who has used the Lotus LDAP server for WLP7
authentication.
User and Groups are working fine, the membership of a user to a group is
not.
I assume that it's related to the parameters I use (especially the
membership.filter ?):
user.filter=(&(uid=%u)(objectclass=person));
user.dn=O=Apac;
membership.filter=(&(uniquemember=%M)(objectclass=groupOfNames));
group.filter=(&(cn=%g)(objectclass=groupOfNames));
server.host=jpgal01.apac.bea.com;
group.dn=
I know that this LDAP server is not supported, but if it could work at least for some time, that would be great!
Thanks for your help,
JP
"JP" <[email protected]> wrote in message news:[email protected]..
Hi,
I'm looking for someone who has used the Lotus LDAP server for WLP7
authentication.
I connect my portal to the Domino LDAP, User and Groups are working
fine, but the membership of a user to a group is not.
I assume that it's related to the parameters I use (especially the
membership.filter ?):
"user.filter=(&(uid=%u)(objectclass=person));
user.dn=O=Apac;
membership.filter=(&(uniquemember=%M)(objectclass=groupOfNames));
group.filter=(&(cn=%g)(objectclass=groupOfNames));
server.host=jpgal01.apac.bea.com;
group.dn="
Any help would be appreciated, because I just don't know where to look.
Try setting the com.netscape.ldap.trace property.
* When the -D command line option is used, defining the property with no value will send the trace output to standard error. If the value is defined, it is assumed to be the name of an output file. If the file name is prefixed with a '+' character, the file is opened in append mode.
This will create an LDAP trace file of the requests that WLS is making on the LDAP server. You can then see where the filters are not returning the correct value for the group membership.
-
SAP HR to LDAP Server Integration
Dear Experts,
We are trying to integrate HR data from SAP ECC to an LDAP server using the built-in LDAP connector settings in ECC.
It is working well with the exception that the KEY field from HR is being populated into one of the spare fields in Active Directory. Is there any way to prevent this? It is required in the LDAP mapping synchronization but is not required in the LDAP server.
We have tried the various combinations of import and export parameters but nothing works.
Many thanks in advance.
Mark
Hello Mark,
Check this link
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/06187a32-0a01-0010-709b-e664a61eab08?QuickLink=index&overridelayout=true
Also have a look at OSS notes
- 718383 - NetWeaver: Supported UME Data Sources and Change.
- 352295 - Microsoft Windows Single Sign-On options
regards,
-
DSEE Server certificate required on client side?
I have DSEE 6.3 working in my environment but I am not sure it's configured as it should be....
I am using tls:simple and everything works, the certificate store is setup with
the CA and LDAP server certificates on both the LDAP servers and clients.
Questions:
- I was expecting the LDAP client to only require the CA certificate however that didn't work!?
- Shouldn't the server present the server certificate and the client would accept it by validating against the CA certificate? Why would it need to have the server certificate as well?
- If I deploy the LDAP server certificates to the clients will they all need to be replaced/updated when the server certificate expires?
Additional info:
My DSEE server is configured to NOT accept certificate based client authentication.
All my certificates are valid when I check them with certutil -V
Edited by: smorris@ on Jan 5, 2009 8:58 PM
Hi,
I ended up getting a certificate signed by my internal CA and it worked just as expected.
I can only assume my CA certificate wasn't actually a CA...
Checking the output of the commands you suggested clearly shows this - I must have been blind when I ran this last time (or looking at a different cert).
I guess my question should now be - why was the certificate I created not a valid CA?
Create CA:
CA.sh -newca
Create certdb:
/usr/sfw/bin/certutil -A -n test-ca -t TC,, -d . -i testca.pem
Certutil output on this CA:
/usr/sfw/bin/certutil -d . -L
test-ca CT,,
/usr/sfw/bin/certutil -V -e -l -u V -d . -n test-ca
test-ca : Issuer certificate is invalid.
/usr/sfw/bin/certutil -d . -L -n test-ca
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "<snip>"
Validity:
Not Before: Mon Dec 08 01:57:47 2008
Not After : Tue Dec 06 01:57:47 2016
Subject: "<snip>"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
<snip>
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Basic Constraints
Data: Is not a CA.
Name: Certificate Comment
Comment: "OpenSSL Generated Certificate"
Name: Certificate Subject Key ID
Data:
<snip>
Name: Certificate Authority Key Identifier
Key ID:
<snip>
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
<snip>
Fingerprint (MD5):
<snip>
Fingerprint (SHA1):
<snip>
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
Trusted Client CA
Email Flags:
Object Signing Flags:
Edited by: smorris@ fixed format
-
How can we update data in an LDAP server using PL/SQL?
Hi,
How can we update data in an LDAP server using a PL/SQL program?
Is there any sample code for reference?
Thanks,
Tarun
Hi Justin,
Thanks for your help. You got my correct requirements.
Tim's example returns all the attributes of the current user, which is the admin user. Please correct me if I am wrong.
I have the following information:
the admin user and password, server info, port and ldap_base for the admin.
I have the uid and password for a regular user; I am trying to find the ldap_base for the regular user, which may be different from the admin user's.
Please help me.
Thanks,
Edited by: james. on Jan 12, 2009 5:39 PM
-
ASA Remote Access Authentication with LDAP Server
Thank you in advance for your help.
I am configuring an ASA to authenticate with an LDAP server for IPsec VPN access. My customer has 3 networks that are to be accessed by remote users. However, they want to be able to say that one user can get to 2 of the networks and not the 3rd. So basically they want control over what network behind the firewall each user can access. This seems doable from my reading, and I had planned to create a group for each network that needs to be accessible and either do attribute maps to each group, with a separate group created on the LDAP server for authentication. Basically an LDAP group on the LDAP server that will have the user's name in the group in order for access. I can restrict access via ACLs or filtering to force my group to only be allowed access to a specific network. Here is the problem I am having now.
The LDAP server has been created and seems to be working fine. I have created my AAA groups and servers, and I have done the LDAP test with a test user vpntest and a password on the LDAP server. When I run the authentication test from the ASDM or command line I get a good "authentication successful" message. So I configured a VPN client remotely and attempted to authenticate to this group, and it says there is no user by that name. Below is a paste of the debug. The second part is when I did a successful test from the ASDM or CLI and it worked great. The first part is when I attempted from the VPN client. It all looks the same from the search criteria. What am I missing here, or does anyone more knowledgeable see anything that I am doing wrong? Can this be done this way, or should I try RADIUS? The customer was just adamant about using LDAP.
extvpnasa5510#
[243] Session Start
[243] New request Session, context 0xd5713fe0, reqType = 1
[243] Fiber started
[243] Creating LDAP context with uri=ldaps://130.18.22.44:636
[243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
[243] supportedLDAPVersion: value = 2
[243] supportedLDAPVersion: value = 3
[243] No Login DN configured for server 130.18.22.44
[243] Binding as administrator
[243] Performing Simple authentication for to 130.18.22.44
[243] LDAP Search:
Base DN = [ou=employees,o=msues]
Filter = [uid=vpntest]
Scope = [SUBTREE]
[243] User DN = [uid=vpntest,ou=employees,o=msues]
[243] Talking to iPlanet server 130.18.22.44
[243] No results returned for iPlanet global password policy
[243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
[243] Session End
extvpnasa5510#
[244] Session Start
[244] New request Session, context 0xd5713fe0, reqType = 1
[244] Fiber started
[244] Creating LDAP context with uri=ldaps://130.18.22.44:636
[244] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
[244] supportedLDAPVersion: value = 2
[244] supportedLDAPVersion: value = 3
[244] No Login DN configured for server 130.18.22.44
[244] Binding as administrator
[244] Performing Simple authentication for to 130.18.22.44
[244] LDAP Search:
Base DN = [ou=employees,o=msues]
Filter = [uid=vpntest]
Scope = [SUBTREE]
[244] User DN = [uid=vpntest,ou=employees,o=msues]
[244] Talking to iPlanet server 130.18.22.44
[244] Binding as user
[244] Performing Simple authentication for vpntest to 130.18.22.44
[244] Processing LDAP response for user vpntest
[244] Authentication successful for vpntest to 130.18.22.44
[244] Retrieved User Attributes:
[244] sn: value = test user
[244] givenName: value = vpn
[244] uid: value = vpntest
[244] cn: value = vpn test user
[244] objectClass: value = top
[244] objectClass: value = person
[244] objectClass: value = organizationalPerson
[244] objectClass: value = inetOrgPerson
[244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
[244] Session End
Hi Larry,
You can map AD group memberships to specific group policies on the ASA, you can find that configuration here:
- http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
Let me know if further assistance is required!
Please proceed to rate and mark as correct the helpful Post!
David Castro,
Regards,
-
Sample connecting to LDAP Server in Java
Hi,
I am trying to establish SSL from a Java application (via Netscape Directory SDK 4.0 - Java version) to the Directory Server (ADS) in a secure manner - i.e. LDAP over SSL.
I am trying to run this code...
import netscape.ldap.*;

// Placeholder values for the variables the snippet leaves undefined
String adminDN = "cn=Administrator,cn=Users,dc=example,dc=com";
String password = "adminpassword";
String userDN = "cn=someuser,cn=Users,dc=example,dc=com";
LDAPConnection ld = null;
try {
    // AD expects unicodePwd as the new password in double quotes, UTF-16LE encoded
    LDAPModificationSet attrs = new LDAPModificationSet();
    byte[] pwd = "\"testpassword\"".getBytes("UTF-16LE");
    attrs.add(LDAPModification.REPLACE, new LDAPAttribute("unicodePwd", pwd));
    LDAPSSLSocketFactory ssl = new LDAPSSLSocketFactory();
    ld = new LDAPConnection(ssl);
    /* Connect to server */
    ld.connect("10.10.10.7", 636);
    /* Authenticate to the server as directory manager */
    ld.authenticate(adminDN, password);
    /* Now modify the entry in the directory */
    ld.modify(userDN, attrs);
} catch (Exception e) {
    e.printStackTrace();
}
But I don't know where my program reads the Cert. info... I don't know
if I have to import my internal CA via keytool or I have missed some
special configuration ..
When I run this code, the following error appears:
netscape.ldap.LDAPException: Failed to create SSL socket (91); Cannot connect to the LDAP server
at netscape.ldap.LDAPSSLSocketFactory.makeSocket(LDAPSSLSocketFactory.java:309)
at edu.umassmed.chcf.security.ldap.LDAPHelper.setLDAPPassword(LDAPHelper.java:742)
at edu.umassmed.chcf.security.administration.userhandler.UserHandlerBean.changePassword(UserHandlerBean.java:628)
at edu.umassmed.chcf.security.administration.userhandler.UserHandlerBean_37ncs1_ELOImpl.changePassword(UserHandlerBean_37ncs1_ELOImpl.java:409)
at edu.umassmed.chcf.security.administration.userfacade.UserManagerBean.changePassword(UserManagerBean.java:174)
at edu.umassmed.chcf.security.administration.userfacade.UserManagerBean_3chmth_EOImpl.changePassword(UserManagerBean_3chmth_EOImpl.java:501)
at edu.umassmed.chcf.sbb.action.ChangePasswordAction.perform(ChangePasswordAction.java:114)
at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:510)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:265)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:200)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:2495)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2204)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
LDAPHelper - authenticateUser() - expLDAP.toString() netscape.ldap.LDAPException: Failed to create SSL socket (91); Cannot connect to the LDAP server
Is this possible? If so, what hints can you give me to get started (any sample code would be greatly appreciated).
Thanks in advance.
With Regards,
Gokul.
Hey guys, I was struggling with the same thing - finally found this solution -
use:
import netscape.ldap.*;
import netscape.ldap.factory.JSSESocketFactory;
JSSESocketFactory fact = new JSSESocketFactory(null);
//unless u wanna specify any specific ciphers in the constructor
log("Factory created");
LDAPConnection ld = new LDAPConnection(fact);
log("Connection initialised");
ld.connect(MY_HOST, MY_PORT);
log("Connected");
ld.authenticate(user, pwd);
log("Authenticated!");
Before running this, I used the "keytool" command line utility to import the SSL client certificate into my default trustStore as a trusted cert. Don't know if that's required, but it worked :) Hope this helps.
-
To support certificate-based client authentication using 2-way SSL from a standalone Java application which uses JNDI and JSSE 1.0.2 to connect to an SSL-enabled LDAP Server, how do we configure the certmap.conf? Is there any additional setup required at the LDAP Server side apart from enabling SSL with the option "Required Client Authentication" enabled? The 2-way SSL handshake goes through, but the access log file (after configuring the certmap.conf for the issuer DN of the client certificate etc.) shows SSL failed to LDAP DN. But in spite of this access log error the Java client does get an SSL Connection object with which it is able to connect to the LDAP. Is the certmap.conf file being looked up by the LDAP Server at all?
have you out.flush() and out.close() before you call connection.getInputStream()?
-
Unable to connect remote LDAP server 2005Q1
Connecting a remote LDAP server with a local mail server in iMS 5.2 was successful and very easy.
But with Sun Java Messaging 2005Q1, I failed so many times when configuring the mail server.
Only when the two (LDAP and messaging) are on the same machine was it successful.
It's very weird.
In the Install Guide, a remote LDAP system has no problem connecting with a local mail server.
Here is LDAP server version.
# ./monitor
version: 1
dn: cn=monitor
objectClass: top
objectClass: extensibleObject
cn: monitor
connectionpeak: 9
version: Sun Java(TM) System Directory Server/5.2_Patch_3 B2004.331.1125
Messaging server version is Sun Java Messaging 2005Q1.
================ Install Log ================
The following items for the product Messaging Server will be configured:
Product: Messaging Server
Location: /data/MailData
Space Required: 0 bytes
Message Transfer Agent
Message Store
Messenger Express
Ready to Configure
1. Configure Now
2. Start Over
3. Exit Configure Program
What would you like to do [1] {"<" goes back, "!" exits}?
Starting Task Sequence
===== Thu Apr 21 18:50:38 KST 2005 =====
Running /usr/sbin/groupadd mail
===== Thu Apr 21 18:50:38 KST 2005 =====
Running /usr/sbin/useradd -g mail -d / mailsrv
===== Thu Apr 21 18:50:38 KST 2005 =====
Running /usr/sbin/usermod -G mail mailsrv
===== Thu Apr 21 18:50:38 KST 2005 =====
Running /bin/rm -rf /opt/java05Q1/Mail/config /opt/java05Q1/Mail/data
===== Thu Apr 21 18:50:38 KST 2005 =====
Running /bin/chmod 600 /opt/java05Q1/Mail/lib/config-templates/Devsetup.
properties
===== Thu Apr 21 18:50:38 KST 2005 =====
Running /opt/java05Q1/Mail/lib/devinstall -l schema1:sepadmsvr:pkgcfg:config:
msg:msg_en:imta:msma:webmail:imta -v -m -i /opt/java05Q1/Mail/lib/config-
templates/config.ins /opt/java05Q1/Mail/lib/config-templates
/opt/java05Q1/Mail/lib/jars /opt/java05Q1/Mail/lib
===== Thu Apr 21 18:50:45 KST 2005 =====
Running /bin/sh -c /opt/java05Q1/Mail/sbin/imsimta clbuild -
image_file=IMTA_COMMAND_DATA IMTA_BIN:pmdf.cld
===== Thu Apr 21 18:50:46 KST 2005 =====
Running /bin/sh -c /opt/java05Q1/Mail/sbin/imsimta chbuild
===== Thu Apr 21 18:50:46 KST 2005 =====
Running /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D
cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/cfgdir23381 -c -
e /opt/java05Q1/Mail/config/cfgdir.ldif.rej -f /opt/java05Q1/Mail/config/cfgdir.
ldif
===== Thu Apr 21 18:50:46 KST 2005 =====
Running /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D
cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -
e /opt/java05Q1/Mail/config/usergroup.ldif.rej -f
/opt/java05Q1/Mail/config/usergroup.ldif
===== Thu Apr 21 18:50:46 KST 2005 =====
Running /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D
cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -
e /opt/java05Q1/Mail/config/dctree.ldif.rej -f /opt/java05Q1/Mail/config/dctree.
ldif
===== Thu Apr 21 18:50:46 KST 2005 =====
Running /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D
cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -
e /opt/java05Q1/Mail/config/mid_dctree.ldif.rej -f
/opt/java05Q1/Mail/config/mid_dctree.ldif
===== Thu Apr 21 18:50:47 KST 2005 =====
Running /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D
cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -
e /opt/java05Q1/Mail/config/last_dctree.ldif.rej -f
/opt/java05Q1/Mail/config/last_dctree.ldif
===== Thu Apr 21 18:50:47 KST 2005 =====
Running /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D
cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -
e /opt/java05Q1/Mail/config/pab.ldif.rej -f /opt/java05Q1/Mail/config/pab.ldif
===== Thu Apr 21 18:50:47 KST 2005 =====
Running /bin/sh -c /opt/java05Q1/Mail/sbin/imsimta cnbuild
===== Thu Apr 21 18:50:47 KST 2005 =====
Running /bin/sh -c /bin/cp /opt/java05Q1/Mail/lib/config-
templates/madman_solaris.reg /etc/snmp/conf/ims.reg
===== Thu Apr 21 18:50:47 KST 2005 =====
Running /bin/sh -c /bin/cp /opt/java05Q1/Mail/lib/config-
templates/madman_solaris.acl /etc/snmp/conf/ims.acl
===== Thu Apr 21 18:50:47 KST 2005 =====
Running /bin/sh -c /usr/bin/crle
===== Thu Apr 21 18:50:47 KST 2005 =====
Running /bin/sh -c /usr/bin/crle -s /usr/lib/secure -s /opt/java05Q1/Mail/lib
===== Thu Apr 21 18:50:48 KST 2005 =====
Running /bin/sh -c /usr/bin/crle
===== Thu Apr 21 18:50:48 KST 2005 =====
Running /bin/sh -c /bin/cp -rpf /opt/java05Q1/Mail/lib/config-templates/html
/opt/java05Q1/Mail/config/
===== Thu Apr 21 18:50:57 KST 2005 =====
Running /bin/chown -Rh mailsrv /opt/java05Q1/Mail/config/html
===== Thu Apr 21 18:50:57 KST 2005 =====
Running /bin/chgrp -Rh mail /opt/java05Q1/Mail/config/html
===== Thu Apr 21 18:50:57 KST 2005 =====
Running /bin/sh -c /bin/cp -rpf /opt/java05Q1/Mail/config
/opt/java05Q1/Mail/install/configure_20050421184758
===== Thu Apr 21 18:51:08 KST 2005 =====
Running /bin/sh -c /bin/cp -p /opt/java05Q1/Mail/lib/config-templates/Devsetup.
properties /opt/java05Q1/Mail/install/configure_20050421184758/Devsetup.
properties
Sequence Completed
PASSED: /usr/sbin/groupadd mail : status = 9
PASSED: /usr/sbin/useradd -g mail -d / mailsrv : status = 0
PASSED: /usr/sbin/usermod -G mail mailsrv : status = 3
PASSED: /bin/rm -rf /opt/java05Q1/Mail/config /opt/java05Q1/Mail/data : status = 0
PASSED: /bin/chmod 600 /opt/java05Q1/Mail/lib/config-templates/Devsetup.properties : status = 0
FAILED: /opt/java05Q1/Mail/lib/devinstall -l schema1:sepadmsvr:pkgcfg:config:msg:msg_en:imta:msma:webmail:imta -v -m -i /opt/java05Q1/Mail/lib/config-templates/config.ins /opt/java05Q1/Mail/lib/config-templates /opt/java05Q1/Mail/lib/jars /opt/java05Q1/Mail/lib : status = 1
PASSED: /bin/sh -c /opt/java05Q1/Mail/sbin/imsimta clbuild -image_file=IMTA_COMMAND_DATA IMTA_BIN:pmdf.cld : status = 0
PASSED: /bin/sh -c /opt/java05Q1/Mail/sbin/imsimta chbuild : status = 0
FAILED: /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/cfgdir23381 -c -e /opt/java05Q1/Mail/config/cfgdir.ldif.rej -f /opt/java05Q1/Mail/config/cfgdir.ldif : status = 89
FAILED: /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -e /opt/java05Q1/Mail/config/usergroup.ldif.rej -f /opt/java05Q1/Mail/config/usergroup.ldif : status = 89
FAILED: /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -e /opt/java05Q1/Mail/config/dctree.ldif.rej -f /opt/java05Q1/Mail/config/dctree.ldif : status = 89
FAILED: /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -e /opt/java05Q1/Mail/config/mid_dctree.ldif.rej -f /opt/java05Q1/Mail/config/mid_dctree.ldif : status = 89
FAILED: /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -e /opt/java05Q1/Mail/config/last_dctree.ldif.rej -f /opt/java05Q1/Mail/config/last_dctree.ldif : status = 89
FAILED: /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -e /opt/java05Q1/Mail/config/pab.ldif.rej -f /opt/java05Q1/Mail/config/pab.ldif : status = 89
PASSED: /bin/sh -c /opt/java05Q1/Mail/sbin/imsimta cnbuild : status = 0
PASSED: /bin/sh -c /bin/cp /opt/java05Q1/Mail/lib/config-templates/madman_solaris.reg /etc/snmp/conf/ims.reg : status = 0
PASSED: /bin/sh -c /bin/cp /opt/java05Q1/Mail/lib/config-templates/madman_solaris.acl /etc/snmp/conf/ims.acl : status = 0
PASSED: /bin/sh -c /usr/bin/crle : status = 0
PASSED: /bin/sh -c /usr/bin/crle -s /usr/lib/secure -s /opt/java05Q1/Mail/lib : status = 0
PASSED: /bin/sh -c /usr/bin/crle : status = 0
PASSED: /bin/sh -c /bin/cp -rpf /opt/java05Q1/Mail/lib/config-templates/html /opt/java05Q1/Mail/config/ : status = 0
FAILED: /bin/chown -Rh mailsrv /opt/java05Q1/Mail/config/html : status = 1
FAILED: /bin/chgrp -Rh mail /opt/java05Q1/Mail/config/html : status = 1
PASSED: /bin/sh -c /bin/cp -rpf /opt/java05Q1/Mail/config /opt/java05Q1/Mail/install/configure_20050421184758 : status = 0
PASSED: /bin/sh -c /bin/cp -p /opt/java05Q1/Mail/lib/config-templates/Devsetup.properties /opt/java05Q1/Mail/install/configure_20050421184758/Devsetup.properties : status = 0
FAILURE: Number of task failed:9. Please check install log /opt/java05Q1/Mail/install/configure_20050421184758.log for further details.
Hit NEXT to continue
Configuration Details:
Product Result More Information
1. Messaging Server Failed Available
2. Done
Enter the number corresponding to the desired selection for more
information, or enter 2 to continue [2] {"!" exits}:
================
Any good advice would be welcomed. I already did what you advised - installing the admin server on each machine. I tested it by connecting through the admin console, modifying the LDAP and mail config, and adding users.
As for running the 'comm_dssetup.pl' script, if I didn't run it I could not even set up and configure the mail server.
In a month, there is a chance to set up both mail and LDAP servers on different machines.
I am a little bit worried. What did I do wrong?
welcomed... any words of advice.. -
Hello,
I am trying to connect to an external domain via a UPS account having the "Replicate Directory changes" permission on the external domain while creating a sync connection in UPSA.
I have checked the below URLs:
http://social.technet.microsoft.com/Forums/en-US/1912bf88-8fec-4b5d-9d1e-a42db8318e33/ldap-server-is-unavailable-sharepoint-2010-user-synchronization?forum=sharepointadminprevious
http://social.technet.microsoft.com/Forums/en-US/6525d3aa-9197-42a2-aea0-190b84ac8356/the-ldap-server-is-unavailable?forum=sharepointadminprevious
And it looks like it's a network connectivity issue, and hence I have verified with the infra team that port 389 is open.
Note: I am able to connect to the local AD; does it make sense that the port is not open for the external domain?
Can anyone please let me know what the issue can be?
Your help will be highly appreciated as I have been struggling to fix this issue for quite a long time but no luck yet.
Thank you in advance.
Kind regards,
Dipti Chhatrapati
Hi Dipti,
If you have a two-way trust relationship, then I am not sure if you have tried the below:
Create a folder on the SharePoint server
Go to Folder properties - Security tab
Try adding a user of the external domain on the folder
Please let us know whether you are able to add the user or not. If you are able to add them, it means that the connection and trust are proper and you should be able to create the sync connection in UPA without any issues; otherwise there is some issue with the connectivity or the trust which is configured.
Please also make sure that you have given permissions to the sync account as per the below TechNet:
http://technet.microsoft.com/en-us/library/hh296982(v=office.15).aspx
Replicate Directory Changes permissions are also required on the cn=configuration container; below are the steps:
Grant Replicate Directory Changes permission on the cn=configuration container
Use this procedure to grant Replicate Directory Changes permission on the cn=configuration container to an account.
To grant Replicate Directory Changes permission on the cn=configuration container
On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.
If the Configuration node is not already present, do the following:
In the navigation pane, click ADSI Edit.
On the Action menu, click Connect to.
In the Connection Point area of the Connection Settings dialog box, click Select a well known Naming Context, select Configuration from the drop-down list, and then click OK.
Expand the Configuration node, right-click the CN=Configuration... node, and then click Properties.
In the Properties dialog box, click the Security tab.
In the Group or user names section, click Add.
Type the name of the synchronization account, and then click OK.
In the Group or user names section, select the synchronization account.
In the Permissions section, select the Allow check box next to the Replicating Directory Changes (Replicate Directory Changes on Windows Server 2003) permission, and then click OK.
Kind regards,
Bhavik K Jain
Please ensure that you mark a question as Answered once you receive a satisfactory response. -
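A way to verify the outcome of the ADSI Edit procedure above for the UPA synchronization account, written as an added example (not from the thread or from Microsoft's documentation). It assumes the RSAT ActiveDirectory module is installed and that $SyncAccount is replaced with the real account; it checks the domain naming context as well as the Configuration naming context, since the TechNet article linked above requires the right on both.

```powershell
# Added example (not from the thread or from Microsoft's documentation): reports whether
# the UPA synchronization account holds the "Replicating Directory Changes" extended right
# on the domain naming context and on the Configuration naming context.
# Assumes the RSAT ActiveDirectory module; $SyncAccount is a placeholder.
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\svc-upsync'   # placeholder: the sync account in DOMAIN\name form

# rightsGuid of the DS-Replication-Get-Changes control access right, which the
# ACL editor displays as "Replicating Directory Changes".
$ReplGetChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$ExtendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Test-ReplicationRight {
    param([string]$Account, [string]$NamingContext)
    $acl = Get-Acl -Path ("AD:\" + $NamingContext)
    # Only an explicit extended-right ACE for this exact account is matched. A grant made
    # through a group the account belongs to, or a GenericAll ACE, would not show up here.
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Account -and
        $_.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
        $_.ObjectType -eq $ReplGetChanges
    }
    [pscustomobject]@{
        NamingContext = $NamingContext
        Account       = $Account
        HasRight      = [bool]$hit
    }
}

$root = Get-ADRootDSE
@($root.defaultNamingContext, $root.configurationNamingContext) |
    ForEach-Object { Test-ReplicationRight -Account $SyncAccount -NamingContext $_ } |
    Format-Table -AutoSize
```

Run it as a user who can read the security descriptors of both naming contexts; a HasRight of False on either row means the sync connection will fail until the grant is made there.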
Can I use LDAP server's authentication mechanism rather than comparing password ?
Hi All,
The WebLogic security and admin guide says that the user authentication can be of the following 3 types:
1. Bind specifies that the LDAP security realm retrieves user data, including the password for the LDAP server, and checks the password in WebLogic Server.
2. External specifies that the LDAP security realm authenticates a User by attempting to bind to the LDAP server with the username and password supplied by the WebLogic Server client. If you choose the External setting, you must also use the SSL protocol.
3. Local specifies that the LDAP security realm authenticates a User by looking up the UserPassword property in the LDAP directory and checking it against the passwords in WebLogic Server.
But say I want my users to be authenticated by the LDAP server rather than picking up the password from LDAP and comparing it at the WebLogic end. Then what should I do?
Because no. 2 is applicable only for SSL certificates, and nos. 1 and 3 pick up the password using the login DN and password provided at the time of configuration of the realm and compare it with the password given by the user.
And once again there are some issues with picking up the password and comparing it:
1. Netscape Directory Server can store the password in one-way hashed form (and that is preferred, too). So when the userpassword attribute is read, it's in one-way hashed form. So how will the comparison go on?
2. Creating a user who has access to user data along with the userpassword attribute is itself a security threat, as if someone can crack that user's DN and password then he/she can do anything, as user data can be read.
Any suggestion is welcome.
TIA,
Sudarson
Thanks a lot, Jerry.
I got this stuff from the WebLogic 6.1 doc set's security.pdf and adminguide.pdf.
I have another question: if that is the case (in the case of BIND), then why do we require the DN and password of a user who has access to read the entire directory?
And at the same time, you specified this for Bind; what are the cases for the other two, Local and External? And then what is actually the difference between Bind and Local?
Please help me.
Thanks,
Sudarson
Jerry <[email protected]> wrote:
Hi Sudarson,
Whatever doc you were reading is at least partially incorrect, unfortunately...
I know for sure that when you specify BIND, WebLogic sends the username/password to your LDAP server in an attempt to bind to it.
If the bind is successful, WLS determines that the username/password pair were correct.
If the bind was unsuccessful, WLS determines that the username/password pairing is not valid.
At all times, WebLogic is letting the LDAP server do the actual compare of username/password. WLS does not, at any time, retrieve a password from the LDAP server.
I hope this helps,
Joe Jerry
-
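The bind-style authentication Jerry describes in the thread above, as an added example that is not WebLogic's code and not from the thread. It uses System.DirectoryServices.Protocols against a generic LDAP directory over LDAPS; the host, base DN, service account and the uid login attribute are placeholders. The service account only needs to read DNs, never userPassword, which addresses Sudarson's second concern.

```powershell
# Added example (not WebLogic's code, not from the thread): "bind" authentication as
# Jerry describes it. A read-only service account looks up the user's DN, then the
# directory itself verifies the password by accepting or rejecting a bind as that DN.
# userPassword is never read. Server, base DN and account names are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server    = 'ldap.example.com'                                  # placeholder host
$BaseDn    = 'DC=example,DC=com'                                 # placeholder search base
$ServiceDn = 'CN=svc-ldap-lookup,OU=Service,DC=example,DC=com'   # placeholder, read-only
$ServicePw = Read-Host -AsSecureString 'Service account password'

function Connect-Ldap {
    param([string]$BindDn, [securestring]$Password)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $cred = New-Object System.Net.NetworkCredential($BindDn, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, 'Basic')
    $conn.SessionOptions.SecureSocketLayer = $true   # a simple bind carries the password: LDAPS only
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.Bind()                                     # throws LdapException if the server rejects it
    return $conn
}

# Escape RFC 4515 filter metacharacters so a login name cannot rewrite the search filter.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-LdapUserPassword {
    param([string]$LoginName, [securestring]$Password)
    # An empty password turns a simple bind into an anonymous/unauthenticated bind,
    # which many servers accept, so refuse it before touching the directory.
    if ($Password.Length -eq 0) { return $false }
    $lookup = Connect-Ldap -BindDn $ServiceDn -Password $ServicePw
    try {
        $filter = "(uid=$(ConvertTo-LdapFilterValue $LoginName))"
        # '1.1' asks for no attributes at all; only the entry's DN comes back.
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $filter, 'Subtree', [string[]]@('1.1'))
        $resp = $lookup.SendRequest($req)
        if ($resp.Entries.Count -ne 1) { return $false }   # unknown or ambiguous login name
        $userDn = $resp.Entries[0].DistinguishedName
    } finally { $lookup.Dispose() }
    try {
        (Connect-Ldap -BindDn $userDn -Password $Password).Dispose()
        return $true    # the directory accepted the credentials
    } catch [System.DirectoryServices.Protocols.LdapException] {
        return $false   # bind rejected: wrong password, locked or disabled account, etc.
    }
}

Test-LdapUserPassword -LoginName 'jdoe' -Password (Read-Host -AsSecureString 'Password for jdoe')
```

Because the directory does the comparison, it works unchanged when userPassword is stored as a one-way hash, which was Sudarson's first concern.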
'authentication failed' using Microsoft ADSI version LDAP server
Hi All,
Nowadays I am facing some problem with authentication (I am using Microsoft ADSI version LDAP server) but I am not able to authenticate the LDAP users.
I have configured my LDAP server in the same manner as you mentioned in this blog.
When I am trying to authenticate the user from the RPD itself I am getting the following error:
"authentication failed" (actually I forgot the exact message but its meaning is the same as I referred to here)
though I am able to authenticate the bind user (which I used to configure the LDAP server).
Please help me in this as I have already wasted a lot of time doing R&D to make it work..
I have an urgent requirement to do the same..
Your help will be highly appreciated...
thanks in advance
PS: I have checked the 'ADSI' box in the Advanced tab.
Hi,
Please have a look at the below link:
Unknown certificate error when testing LDAP SSL connection
Not sure whether it will help you. But have a look at it.
Regards,
Jithin