LDAP Server Signing requirements

Dear All,
Until now I have been running my two Windows Server 2008 R2 Active Directory domain controllers with the "Domain Controller: LDAP server signing requirements" policy not defined (which is the same as None), because that allowed authentication from our web server's content management system (Squiz Matrix, if you need to know). I followed the instructions in
http://technet.microsoft.com/en-us/library/dd941856(v=ws.10).aspx
to enable logging of 2889 events (where the server allowed a client to LDAP bind without requiring signing, also sending the password in cleartext!). This showed that our CMS servers were indeed doing most of the unsigned binding, as expected.
It seems that the preferred solution for this is to enable LDAP over SSL, which implies getting a certificate for each of the domain controllers, setting "Domain Controller: LDAP server signing requirements" to required, and configuring the CMS to use LDAP over SSL. This prompts me to ask a couple of questions:
1) If only the CMS servers appear in the 2889 events, that would mean they are the only ones binding without signing; but so far I do not have LDAP over SSL enabled, so if none of the member servers and desktops in my domain appear there, how are they signing, given that they cannot be doing it against a certificate I have not created yet?
2) Would using a self-signed certificate on the domain controllers cause any problems?
Thank you for your help.
Yours,
FD

Hi,
Based on my research, using a self-signed certificate for LDAP signing will work, though it is not secure enough. It's better to install a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA.
Here are some related links below I suggest you refer to:
How to enable LDAP over SSL with a third-party certification authority
http://support.microsoft.com/kb/321051
Windows Server 2008 - Enable LDAP over SSL
http://social.technet.microsoft.com/Forums/windowsserver/en-US/be63bfb5-6578-4590-8369-4488e9952750/windows-server-2008-enable-ldap-over-ssl?forum=winserverDS
LDAP Server Signing Requirement
http://social.technet.microsoft.com/Forums/en-US/e242fc9b-ed7e-4f78-b0b2-a1d9745e869e/ldap-server-signing-requirement
LDAP over SSL (LDAPS) Certificate
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
I hope this helps.
Amy Wang
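An added example for this thread (not code from the original poster or from Microsoft): the three checks a domain administrator wants around the two questions above. Event 2889 is written only for binds that are neither signed nor TLS-protected, which is why domain members using Kerberos/NTLM SASL binds (these negotiate signing without any server certificate) do not appear in it, while a cleartext simple bind such as the CMS's does. The script enables the NTDS diagnostic level that produces 2889, groups the events by client and identity, and performs a TLS-only probe of port 636 that reports whether the DC certificate chains to a root the probing client trusts, which is exactly what a self-signed DC certificate fails on every client that has not imported it. Assumptions: Windows PowerShell 2.0 or later, run elevated on the DC for the registry step, and 2889 message labels as used in the regexes (`Client IP address:`, `Identity the client attempted to authenticate as:`, `Binding Type:`); the sample message at the end is constructed.

```powershell
# Added example (not from the original thread or from Microsoft):
#   Enable-LdapInterfaceLogging  - NTDS diagnostic level that makes the DC write
#                                  event 2889 for each unsigned / cleartext bind
#   Get-UnsignedBindSummary      - 2889 events grouped by client IP and identity
#   Test-LdapsEndpoint           - TLS handshake to :636, reports chain trust as
#                                  seen from this client (no LDAP operation sent)
# Assumptions: Windows PowerShell 2.0+, elevated on the DC for the registry step,
# 2889 message labels as assumed in the regexes below.

$DiagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$DiagName = '16 LDAP Interface Events'

function Enable-LdapInterfaceLogging {
    # Level 2 is the documented value for logging 2889 per unsigned bind; 0 turns it off again.
    param([int]$Level = 2)
    Set-ItemProperty -Path $DiagKey -Name $DiagName -Value $Level -Type DWord
    (Get-ItemProperty -Path $DiagKey -Name $DiagName).$DiagName
}

function ConvertFrom-Event2889Message {
    # Pulls client IP, identity and binding type out of one event's message text.
    # Binding Type 0 = simple bind without TLS, 1 = SASL bind without signing.
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$Message)
    process {
        $ip = $null; $id = $null; $bt = $null
        if ($Message -match 'Client IP address:\s*(\S+)') { $ip = $Matches[1] -replace ':\d+$', '' }
        if ($Message -match 'Identity the client attempted to authenticate as:\s*(.+?)\s*(?:\r?\n|Binding Type|$)') { $id = $Matches[1] }
        if ($Message -match 'Binding Type:\s*(\d+)') { $bt = [int]$Matches[1] }
        New-Object psobject -Property @{ ClientIP = $ip; Identity = $id; BindingType = $bt }
    }
}

function Get-UnsignedBindSummary {
    # Reads 2889 events from the Directory Service log and counts them per client/identity.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 10000)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } |
      ForEach-Object { ConvertFrom-Event2889Message -Message $_.Message } |
      Group-Object ClientIP, Identity |
      Sort-Object Count -Descending |
      Select-Object Count,
        @{ n = 'ClientIP'; e = { $_.Group[0].ClientIP } },
        @{ n = 'Identity'; e = { $_.Group[0].Identity } }
}

function Test-LdapsEndpoint {
    # The validation callback records the chain result instead of aborting, so an
    # untrusted (e.g. self-signed) certificate is reported rather than thrown.
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 636)
    $state = @{ Errors = 'Unknown' }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $state['Errors'] = $errors.ToString()
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object psobject -Property @{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            ChainTrusted = ($state['Errors'] -eq 'None')
            ChainErrors  = $state['Errors']
            Protocol     = $ssl.SslProtocol
        }
    } finally { $tcp.Close() }
}

# Constructed sample (not a real event) so the parser can be exercised offline:
$SampleMessage = @'
Client IP address:
192.0.2.10:49211
Identity the client attempted to authenticate as:
EXAMPLE\svc-cms
Binding Type:
0
'@
ConvertFrom-Event2889Message -Message $SampleMessage

# On a DC, once Enable-LdapInterfaceLogging has been running for a while:
#   Get-UnsignedBindSummary | Format-Table -AutoSize
#   Test-LdapsEndpoint -HostName 'dc01.example.com' | Format-List
```

Running the summary for a few days before switching the policy to required gives the complete list of clients that would break; once only the CMS identity remains and `Test-LdapsEndpoint` reports `ChainTrusted = True` from the CMS host itself, the policy change is safe. A self-signed DC certificate shows `SelfSigned = True` with a chain error on every client that has not imported it, which is the practical problem with option 2.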

Similar Messages

  • Authentication problem by external ldap server for WLS 7.0

    Hi all,
    I have configured iPlanet Directory Server to serve as the authentication security provider for WLS 7.0. While doing so I have created a Test security realm and made it the default. I have also configured the other default settings for the remaining security providers for the realm.
    Now, when I start WLS with the default username and password, the boot error comes as given below. As a matter of fact I have also created groups with the relevant username and pwd in the LDAP server as specified by the BEA documentation.
    I have tried to remove the problem for the last 4 days but all in fiasco.
    If anybody has any pointer to the problem - it will be a great help.
    The error :
    * To start WebLogic Server, use a username and *
    * password assigned to an admin-level user. For *
    * server administration, use the WebLogic Server *
    * console at http://[hostname]:[port]/console *
    D:\bea\weblogic700\samples\server\config\petstore>"D:\bea\jdk131_03\bin\java" -hotspot -Xms32m -Xmx200m -Dpet.mode= -Dweblogic.management.discover=false -Dweblogic.Name=petstoreServer -Dbea.home="D:\bea" -Dweblogic.management.username=weblogic -Dweblogic.management.password=weblogic -Dweblogic.ProductionModeEnabled=true -Djava.security.manager -Djava.security.policy=="D:\bea\weblogic700\server\lib\weblogic.policy" weblogic.Server
    Starting WebLogic Server...
    <Nov 19, 2002 10:08:04 AM IST> <Notice> <Management> <140005> <Loading configuration D:\bea\weblogic700\samples\server\config\petstore\.\config.xml>
    <Nov 19, 2002 10:08:21 AM IST> <Notice> <Security> <090082> <Security initializing using realm RitTestRealm.>
    <Nov 19, 2002 10:08:22 AM IST> <Critical> <WebLogicServer> <000364> <Server failed during initialization. Exception:java.lang.SecurityException: User weblogic is not permitted to boot the server
    java.lang.SecurityException: User weblogic is not permitted to boot the server
        at weblogic.security.service.SecurityServiceManager.doBootAuthorization(SecurityServiceManager.java:1076)
        at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1116)
        at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
        at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
        at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
        at weblogic.Server.main(Server.java:31)
    >
    Regards,
    Ritwik

    Thanks Vijay - it has worked by creating the Administrator group in LDAP, but the WebLogic documentation also states the creation of any group in the LDAP server with the boot username and pwd and then adding the group in the admin role of WLS 7.0 - but this did not work.
    If there is any info regarding the same - please do let me know.
    Regards,
    Ritwik
    "Vijay" <[email protected]> wrote:
    >
    Ritwik,
    I think WebLogic 7 requires a group called "Administrators" in the LDAP server and requires a user to be added to that group. I have this working in one of my projects. The group really doesn't need to be an LDAP administrative group.
    Can you provide any additional information? I might be able to help since I got this working only a couple of days back.
    Vijay

  • Install ldap server problems

    OK, maybe here is the right place to post my question:
    I am trying to install Sun ONE Directory Server, and other LDAPs as well, on my Windows XP Home Edition notebook that uses a DSL connection, with no domain name, and I am having trouble doing so.
    I installed the same server (and other LDAPs) on my Windows 2000 with no problem, but this 2000 machine is on a domain network.
    Maybe the domain is what is required. I am not sure though. I am new to LDAP, please help.

    Typically, installing an ldap server will require a fully-qualified domain name and a static IP address.
    You are probably using DHCP to obtain an IP address since you mention that you are at home and on DSL.
    You should refer to the installation guide for Directory Server. Docs can be found at docs.sun.com, search on the product name, titles only and you should be able to find the right one for the version you are using.
    If you are mainly doing this to evaluate tools and servers, you might want to try the new version of Sun Java Studio Enterprise (6 2004Q1), which bundles the directory server (and other useful Sun Java servers). This product will be released at the end of this month.
    Watch this web site for an announcement soon (~ 3-29-04) http://wwws.sun.com/software/product_categories/application_development.html
    The full product name is Sun Java Studio Enterprise 6 2004Q1 (although Windows XP Home Edition is not a supported platform). Typically, you would probably find Win XP Pro to have more of the networking features necessary for installing and using servers.

  • Set or sign up at a LDAP Server

    Hi all,
    first off a happy new year to all readers - I'm just setting up a network with FileMaker Server, and inside my network at home everything is going OK. In order to connect to the FileMaker Server - which is on my home G4 without a steady IP, but I have an internet address which constantly watches the changes and therefore is fixed - I have to sign up at an LDAP server. Is that possible from inside my computer with 10.4.8 - can I be the LDAP server myself, or do I need anything else? Can somebody maybe guide me to a page with a link?
    Thanks in advance - Christoph
    MDD G4 DP876, Mac OS X (10.4.8)

    Hi Christoph,
    Best I can find is this...
    http://www.padl.com/Articles/AdvancedOpenDirectoryConf.html
    But also of interest may be...
    http://www.udel.edu/topics/e-mail/macosxmail/index.html#TigerLDAP
    http://docs.info.apple.com/article.html?artnum=32478
    http://www.macosxhints.com/article.php?story=20040111075453713

  • Use of Lotus LDAP server for WLP 7 - LDAP experts required

    Hi,
    I'm looking for someone who has used the Lotus LDAP server for WLP7 authentication.
    Users and Groups are working fine; the membership of a user to a group is not.
    I assume that it's related to the parameters I use (especially the membership.filter?):
    user.filter=(&(uid=%u)(objectclass=person));
    user.dn=O=Apac;
    membership.filter=(&(uniquemember=%M)(objectclass=groupOfNames));
    group.filter=(&(cn=%g)(objectclass=groupOfNames));
    server.host=jpgal01.apac.bea.com;
    group.dn=
    I know that this LDAP server supported, but if it could work at least for some time, that would be great!
    thanks for your help,
    JP

    "JP" <[email protected]> wrote in message news:[email protected]..
    Hi,
    I'm looking for someone who has used the Lotus LDAP server for WLP7 authentication.
    I connect my portal to the Domino LDAP; Users and Groups are working fine, but the membership of a user to a group is not.
    I assume that it's related to the parameters I use (especially the membership.filter?):
    "user.filter=(&(uid=%u)(objectclass=person));
    user.dn=O=Apac;
    membership.filter=(&(uniquemember=%M)(objectclass=groupOfNames));
    group.filter=(&(cn=%g)(objectclass=groupOfNames));
    server.host=jpgal01.apac.bea.com;
    group.dn="
    Any help would be appreciated, because I just don't know where to look.
    Try setting the com.netscape.ldap.trace property.
    * When the -D command line option is used, defining the property with
    * no value will send the trace output to the standard error. If the
    * value is defined, it is assumed to be the name of an output file.
    * If the file name is prefixed with a '+' character, the file is
    * opened in append mode.
    This will create an LDAP trace file of the requests that WLS is making on the LDAP server. You can then see where the filters are not returning the correct value for the group membership.

  • SAP HR to LDAP Server Integration

    Dear Experts,
    We are trying to integrate HR data from SAP ECC to an LDAP server using the built in LDAP connector settings in ECC.
    It is working well with the exception that the KEY field from HR is being populated into one of the spare fields in Active Directory. Is there any way to prevent this? It is required in the LDAP mapping synchronization but is not required in the LDAP server.
    We have tried the various combinations of import and export parameters but nothing works.
    Many thanks in advance.
    Mark

    Hello Mark,
    Check this link
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/06187a32-0a01-0010-709b-e664a61eab08?QuickLink=index&overridelayout=true
    Also have a look at OSS notes
    - 718383 - NetWeaver: Supported UME Data Sources and Change.
    - 352295 - Microsoft Windows Single Sign-On options
    regards,

  • DSEE Server certificate required on client side?

    I have DSEE 6.3 working in my environment but I am not sure it's configured as it should be....
    I am using tls:simple and everything works, the certificate store is setup with
    the CA and LDAP server certificates on both the LDAP servers and clients.
    Questions:
    - I was expecting the LDAP client to only require the CA certificate however that didn't work!?
    - Shouldn't the server present the server certificate and the client would accept it by validating against the CA certificate? Why would it need to have the server certificate as well?
    - If I deploy the LDAP server certificates to the clients will they all need to be replaced/updated when the server certificate expires?
    Additional info:
    My DSEE server is configured to NOT accept certificate based client authentication.
    All my certificates are valid when I check them with certutil -V
    Edited by: smorris@ on Jan 5, 2009 8:58 PM

    Hi,
    I ended up getting a certificate signed by my internal CA and it worked just as expected.
    I can only assume my CA certificate wasn't actually a CA...
    Checking the output of the commands you suggested clearly shows this - I must have been blind when I ran this last time (or looking at a different cert).
    I guess my question should now be - why was the certificate I created not a valid CA?
    Create CA:
    CA.sh -newca
    Create certdb:
    /usr/sfw/bin/certutil -A -n test-ca -t TC,, -d . -i testca.pem
    Certutil output on this CA:
    /usr/sfw/bin/certutil -d . -L
    test-ca CT,,
    /usr/sfw/bin/certutil -V -e -l -u V -d . -n test-ca
    test-ca : Issuer certificate is invalid.
    /usr/sfw/bin/certutil -d . -L -n test-ca
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 0 (0x0)
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Issuer: "<snip>"
    Validity:
    Not Before: Mon Dec 08 01:57:47 2008
    Not After : Tue Dec 06 01:57:47 2016
    Subject: "<snip>"
    Subject Public Key Info:
    Public Key Algorithm: PKCS #1 RSA Encryption
    RSA Public Key:
    Modulus:
              <snip>
    Exponent: 65537 (0x10001)
    Signed Extensions:
    Name: Certificate Basic Constraints
    Data: Is not a CA.
    Name: Certificate Comment
    Comment: "OpenSSL Generated Certificate"
    Name: Certificate Subject Key ID
    Data:
    <snip>
    Name: Certificate Authority Key Identifier
    Key ID:
    <snip>
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
         <snip>
    Fingerprint (MD5):
    <snip>
    Fingerprint (SHA1):
    <snip>
    Certificate Trust Flags:
    SSL Flags:
    Valid CA
    Trusted CA
    Trusted Client CA
    Email Flags:
    Object Signing Flags:
    Edited by: smorris@ fixed format
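An added check for the certutil result shown above (example code, not the poster's commands): the listing reports "Certificate Basic Constraints ... Is not a CA", which is the property certutil -V is complaining about with "Issuer certificate is invalid", and no trust flags given to `certutil -A -t TC,,` can put a CA bit into a certificate that was issued without one. The script below reads the Basic Constraints and Key Usage extensions of any X509Certificate2 and reports whether it can serve as a trust anchor, so a file can be checked before it goes into the NSS database. To make it runnable offline it also builds two self-signed demo certificates in memory, one with and one without the CA bit; that part assumes .NET Framework 4.7.2 or later, or PowerShell 7, for the CertificateRequest class. Function names, the demo subjects and the sample file name are mine.

```powershell
# Added check for the certutil output above (example code, not the poster's).
# Assumes .NET Framework 4.7.2+ or PowerShell 7 for CertificateRequest (demo only);
# Test-CaCertificate itself works on any X509Certificate2.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-CaCertificate {
    # Reports what certutil -L printed: Basic Constraints (Is a CA / Is not a CA)
    # and whether Key Usage permits keyCertSign.
    param([Parameter(Mandatory=$true)][X509Certificate2]$Certificate)
    $bc = $Certificate.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] } | Select-Object -First 1
    $ku = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] } | Select-Object -First 1
    $isCA = $false
    if ($bc) { $isCA = $bc.CertificateAuthority }
    $certSign = $null      # stays $null when no Key Usage extension is present
    if ($ku) { $certSign = (($ku.KeyUsages -band [X509KeyUsageFlags]::KeyCertSign) -ne 0) }
    $problems = @()
    if (-not $bc)       { $problems += 'no Basic Constraints extension' }
    elseif (-not $isCA) { $problems += 'Basic Constraints: Is not a CA' }
    if ($certSign -eq $false) { $problems += 'Key Usage lacks keyCertSign' }
    New-Object psobject -Property @{
        Subject             = $Certificate.Subject
        SelfSigned          = ($Certificate.Subject -eq $Certificate.Issuer)
        IsCA                = $isCA
        KeyCertSign         = $certSign
        UsableAsTrustAnchor = ($problems.Count -eq 0)
        Problems            = ($problems -join '; ')
    }
}

function Get-CertificateFromFile {
    # Loads a PEM or DER file such as the testca.pem imported in the thread.
    param([Parameter(Mandatory=$true)][string]$Path)
    [X509Certificate2]::new((Resolve-Path $Path).Path)
}

function New-DemoCertificate {
    # Self-signed certificate built in memory with or without the CA bit; the
    # non-CA variant reproduces what the certutil listing above reported.
    param([Parameter(Mandatory=$true)][string]$Subject, [switch]$AsCA)
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new([bool]$AsCA, $false, 0, $true))
    $usage = [X509KeyUsageFlags]::DigitalSignature
    if ($AsCA) { $usage = [X509KeyUsageFlags]::KeyCertSign -bor [X509KeyUsageFlags]::CrlSign }
    $req.CertificateExtensions.Add([X509KeyUsageExtension]::new($usage, $true))
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddYears(8))
}

# Demo: the first passes, the second shows the "Is not a CA" failure from the thread.
Test-CaCertificate -Certificate (New-DemoCertificate -Subject 'CN=test-ca' -AsCA)
Test-CaCertificate -Certificate (New-DemoCertificate -Subject 'CN=test-ca')
# For a real file: Test-CaCertificate -Certificate (Get-CertificateFromFile -Path .\testca.pem)
```

The useful output is `Problems`: a certificate that prints `Basic Constraints: Is not a CA` will be listed by `certutil -L` with whatever trust flags you assign, yet still fail `certutil -V` as an issuer, exactly as in the thread.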

  • How can we update data in LDAP server using PL/SQL.

    Hi,
    How can we update data in LDAP server using PL/SQL program.
    Is there any sample code for reference?
    Thanks,
    Tarun

    Hi Justin,
    Thanks for your help. You got my correct requirements.
    Tim's example returns all the attributes of the current user, which is the admin user. Please correct me if I am wrong.
    I have the following information:
    the admin user and password, server info, port and ldap_base for the admin.
    I have the uid and password for a regular user; I am trying to find the ldap_base for the regular user, which may be different from the admin user's.
    Please help me.
    Thanks,
    Edited by: james. on Jan 12, 2009 5:39 PM

  • ASA Remote Access Authentication with LDAP Server

    Thank you in advance for your help.
    I am configuring an ASA to authenticate with an LDAP server for IPsec VPN access. My customer has 3 networks that are to be accessed by remote users. However they want to be able to say that one user can get to 2 of the networks and not the 3rd. So basically they want control over what network behind the firewall each user can access. This seems doable from my reading and I had planned to create a group for each network that needs to be accessible and either do attribute maps to each group with a separate group created on the LDAP server for authentication. Basically an LDAP group on the LDAP server that will have the user's name in the group in order for access. I can restrict access via ACLs or filtering to force my group to only be allowed access to a specific network. Here is the problem I am having now.
    The LDAP server has been created and seems to be working fine. I have created my AAA groups and servers and I have done the LDAP test with a test user vpntest and a password on the LDAP server. When I run the authentication test from the ASDM or command line I get a good authentication successful message. So I configured a VPN client remotely and attempted to authenticate to this group and it says there is no user by that name. Below is a paste of the debug. The second part is when I did a successful test from the ASDM or CLI and it worked great. The first part is when I attempted from the VPN client. It all looks the same from the search criteria. What am I missing here, or does anyone more knowledgeable see anything that I am doing wrong? Can this be done this way or should I try RADIUS? The customer was just adamant about using LDAP.
    extvpnasa5510#
    [243] Session Start
    [243] New request Session, context 0xd5713fe0, reqType = 1
    [243] Fiber started
    [243] Creating LDAP context with uri=ldaps://130.18.22.44:636
    [243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
    [243] supportedLDAPVersion: value = 2
    [243] supportedLDAPVersion: value = 3
    [243] No Login DN configured for server 130.18.22.44
    [243] Binding as administrator
    [243] Performing Simple authentication for  to 130.18.22.44
    [243] LDAP Search:
            Base DN = [ou=employees,o=msues]
            Filter  = [uid=vpntest]
            Scope   = [SUBTREE]
    [243] User DN = [uid=vpntest,ou=employees,o=msues]
    [243] Talking to iPlanet server 130.18.22.44
    [243] No results returned for iPlanet global password policy
    [243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
    [243] Session End
    extvpnasa5510#
    [244] Session Start
    [244] New request Session, context 0xd5713fe0, reqType = 1
    [244] Fiber started
    [244] Creating LDAP context with uri=ldaps://130.18.22.44:636
    [244] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
    [244] supportedLDAPVersion: value = 2
    [244] supportedLDAPVersion: value = 3
    [244] No Login DN configured for server 130.18.22.44
    [244] Binding as administrator
    [244] Performing Simple authentication for  to 130.18.22.44
    [244] LDAP Search:
            Base DN = [ou=employees,o=msues]
            Filter  = [uid=vpntest]
            Scope   = [SUBTREE]
    [244] User DN = [uid=vpntest,ou=employees,o=msues]
    [244] Talking to iPlanet server 130.18.22.44
    [244] Binding as user
    [244] Performing Simple authentication for vpntest to 130.18.22.44
    [244] Processing LDAP response for user vpntest
    [244] Authentication successful for vpntest to 130.18.22.44
    [244] Retrieved User Attributes:
    [244]   sn: value = test user
    [244]   givenName: value = vpn
    [244]   uid: value = vpntest
    [244]   cn: value = vpn test user
    [244]   objectClass: value = top
    [244]   objectClass: value = person
    [244]   objectClass: value = organizationalPerson
    [244]   objectClass: value = inetOrgPerson
    [244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
    [244] Session End

    Hi Larry,
    You can map AD group memberships to specific group policies on the ASA, you can find that configuration here:
    - http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
    Let me know if further assistance is required!
    Please proceed to rate and mark as correct the helpful Post!
    David Castro,
    Regards,

  • Sample connecting to LDAP Server in Java

    Hi,
    I am trying to establishing SSL from Java Application(via Netscape Directory SDK 4.0 - Java version) to the Directory Server(ADS) in a secure manner - i.e. LDAP over SSL.
    I am trying to run this code...
    import netscape.ldap.*;

    // adminDN, password and userDN were not shown in the post; placeholders here
    String adminDN = "cn=Directory Manager";
    String password = "<admin password>";
    String userDN = "<DN of the entry to update>";
    LDAPConnection ld = null;
    LDAPModificationSet attrs = new LDAPModificationSet();
    // Kept as posted. Note that Active Directory only accepts unicodePwd over an
    // encrypted connection and expects the UTF-16LE bytes of the quoted password.
    attrs.add(LDAPModification.REPLACE, new LDAPAttribute("unicodePwd", "testpassword"));
    try {
        LDAPSSLSocketFactory ssl = new LDAPSSLSocketFactory();
        ld = new LDAPConnection(ssl);
        /* Connect to server */
        ld.connect("10.10.10.7", 636);
        /* Authenticate to the server as directory manager */
        ld.authenticate(adminDN, password);
        /* Now modify the entry in the directory */
        ld.modify(userDN, attrs);
    } catch (Exception e) {
        e.printStackTrace();
    }
    But I don't know where my program reads the cert info... I don't know if I have to import my internal CA via keytool or I have missed some special configuration.
    When I run this code, the following error appears:
    netscape.ldap.LDAPException: Failed to create SSL socket (91); Cannot connect to the LDAP server
        at netscape.ldap.LDAPSSLSocketFactory.makeSocket(LDAPSSLSocketFactory.java:309)
        at edu.umassmed.chcf.security.ldap.LDAPHelper.setLDAPPassword(LDAPHelper.java:742)
        at edu.umassmed.chcf.security.administration.userhandler.UserHandlerBean.changePassword(UserHandlerBean.java:628)
        at edu.umassmed.chcf.security.administration.userhandler.UserHandlerBean_37ncs1_ELOImpl.changePassword(UserHandlerBean_37ncs1_ELOImpl.java:409)
        at edu.umassmed.chcf.security.administration.userfacade.UserManagerBean.changePassword(UserManagerBean.java:174)
        at edu.umassmed.chcf.security.administration.userfacade.UserManagerBean_3chmth_EOImpl.changePassword(UserManagerBean_3chmth_EOImpl.java:501)
        at edu.umassmed.chcf.sbb.action.ChangePasswordAction.perform(ChangePasswordAction.java:114)
        at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)
        at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:510)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:265)
        at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:200)
        at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:2495)
        at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2204)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
    LDAPHelper - authenticateUser() - expLDAP.toString() netscape.ldap.LDAPException: Failed to create SSL socket (91); Cannot connect to the LDAP server
    Is this possible? If so, what hints can you give me to get started (any sample code would be greatly appreciated).
    Thanks in advance.
    With Regards,
    Gokul.

    Hey guys, I was struggling with the same thing - finally found this solution -
    use:
    import netscape.ldap.*;
    import netscape.ldap.factory.JSSESocketFactory;

    // MY_HOST, MY_PORT, user and pwd were not shown in the post; placeholders here
    String MY_HOST = "ldap.example.com";
    int MY_PORT = 636;
    String user = "<bind DN>";
    String pwd = "<password>";

    // null = default JSSE cipher suites; pass a String[] to restrict them
    JSSESocketFactory fact = new JSSESocketFactory(null);
    log("Factory created");
    LDAPConnection ld = new LDAPConnection(fact);
    log("Connection initialised");
    try {
        ld.connect(MY_HOST, MY_PORT);
        log("Connected");
        ld.authenticate(user, pwd);
        log("Authenticated!");
    } catch (LDAPException e) {
        e.printStackTrace();
    }

    // the post's log() helper, added so the snippet compiles on its own
    static void log(String msg) { System.out.println(msg); }
    Before running this, I used the "keytool" command line utility to import the SSL client certificate into my default trustStore as a trusted cert. Don't know if that's required, but it worked :) Hope this helps.

  • What should be done in certmap.conf for 2-way SSL support from a standalone Java application to an SSL enabled LDAP Server

    To support certificate-based client authentication using 2-way SSL from a standalone Java application which uses JNDI and JSSE 1.0.2 to connect to an SSL-enabled LDAP Server, how do we configure the certmap.conf? Is there any additional setup required at the LDAP Server side apart from enabling SSL with the option "Required Client Authentication" enabled? The 2-way SSL handshake goes through, but the access log file (after configuring the certmap.conf for the issuer DN of the client certificate etc.) shows SSL failed to LDAP DN. But in spite of this access log error the Java client does get an SSL Connection object with which it is able to connect to the LDAP. Is the certmap.conf file being looked up by the LDAP Server at all?

    have you out.flush() and out.close() before you call connection.getInputStream()?

  • Unable to connect  remote LDAP server 2005Q1

    Connecting a remote LDAP server with the local mail server in iMS 5.2 was successful and very easy.
    But with Sun Java Messaging 2005Q1, I have failed many times when configuring the mail server.
    Only when the two (LDAP and messaging) are on the same machine is it successful.
    It's very weird.
    According to the Install Guide, a remote LDAP system has no problem connecting with a local mail server.
    Here is LDAP server version.
    # ./monitor
    version: 1
    dn: cn=monitor
    objectClass: top
    objectClass: extensibleObject
    cn: monitor
    connectionpeak: 9
    version: Sun Java(TM) System Directory Server/5.2_Patch_3 B2004.331.1125
    Messaging server version is Sun Java Messaging 2005Q1.
    ================ Install Log ================
    The following items for the product Messaging Server will be configured:
    Product: Messaging Server
    Location: /data/MailData
    Space Required: 0 bytes
    Message Transfer Agent
    Message Store
    Messenger Express
    Ready to Configure
    1. Configure Now
    2. Start Over
    3. Exit Configure Program
    What would you like to do [1] {"<" goes back, "!" exits}?
    Starting Task Sequence
    ===== Thu Apr 21 18:50:38 KST 2005 =====
    Running /usr/sbin/groupadd mail
    ===== Thu Apr 21 18:50:38 KST 2005 =====
    Running /usr/sbin/useradd -g mail -d / mailsrv
    ===== Thu Apr 21 18:50:38 KST 2005 =====
    Running /usr/sbin/usermod -G mail mailsrv
    ===== Thu Apr 21 18:50:38 KST 2005 =====
    Running /bin/rm -rf /opt/java05Q1/Mail/config /opt/java05Q1/Mail/data
    ===== Thu Apr 21 18:50:38 KST 2005 =====
    Running /bin/chmod 600 /opt/java05Q1/Mail/lib/config-templates/Devsetup.
    properties
    ===== Thu Apr 21 18:50:38 KST 2005 =====
    Running /opt/java05Q1/Mail/lib/devinstall -l schema1:sepadmsvr:pkgcfg:config:
    msg:msg_en:imta:msma:webmail:imta -v -m -i /opt/java05Q1/Mail/lib/config-
    templates/config.ins /opt/java05Q1/Mail/lib/config-templates
    /opt/java05Q1/Mail/lib/jars /opt/java05Q1/Mail/lib
    ===== Thu Apr 21 18:50:45 KST 2005 =====
    Running /bin/sh -c /opt/java05Q1/Mail/sbin/imsimta clbuild -
    image_file=IMTA_COMMAND_DATA IMTA_BIN:pmdf.cld
    ===== Thu Apr 21 18:50:46 KST 2005 =====
    Running /bin/sh -c /opt/java05Q1/Mail/sbin/imsimta chbuild
    ===== Thu Apr 21 18:50:46 KST 2005 =====
    Running /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D
    cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/cfgdir23381 -c -
    e /opt/java05Q1/Mail/config/cfgdir.ldif.rej -f /opt/java05Q1/Mail/config/cfgdir.
    ldif
    ===== Thu Apr 21 18:50:46 KST 2005 =====
    Running /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D
    cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -
    e /opt/java05Q1/Mail/config/usergroup.ldif.rej -f
    /opt/java05Q1/Mail/config/usergroup.ldif
    ===== Thu Apr 21 18:50:46 KST 2005 =====
    Running /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D
    cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -
    e /opt/java05Q1/Mail/config/dctree.ldif.rej -f /opt/java05Q1/Mail/config/dctree.ldif
    ===== Thu Apr 21 18:50:46 KST 2005 =====
    Running /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -e /opt/java05Q1/Mail/config/mid_dctree.ldif.rej -f /opt/java05Q1/Mail/config/mid_dctree.ldif
    ===== Thu Apr 21 18:50:47 KST 2005 =====
    Running /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -e /opt/java05Q1/Mail/config/last_dctree.ldif.rej -f /opt/java05Q1/Mail/config/last_dctree.ldif
    ===== Thu Apr 21 18:50:47 KST 2005 =====
    Running /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -e /opt/java05Q1/Mail/config/pab.ldif.rej -f /opt/java05Q1/Mail/config/pab.ldif
    ===== Thu Apr 21 18:50:47 KST 2005 =====
    Running /bin/sh -c /opt/java05Q1/Mail/sbin/imsimta cnbuild
    ===== Thu Apr 21 18:50:47 KST 2005 =====
    Running /bin/sh -c /bin/cp /opt/java05Q1/Mail/lib/config-templates/madman_solaris.reg /etc/snmp/conf/ims.reg
    ===== Thu Apr 21 18:50:47 KST 2005 =====
    Running /bin/sh -c /bin/cp /opt/java05Q1/Mail/lib/config-templates/madman_solaris.acl /etc/snmp/conf/ims.acl
    ===== Thu Apr 21 18:50:47 KST 2005 =====
    Running /bin/sh -c /usr/bin/crle
    ===== Thu Apr 21 18:50:47 KST 2005 =====
    Running /bin/sh -c /usr/bin/crle -s /usr/lib/secure -s /opt/java05Q1/Mail/lib
    ===== Thu Apr 21 18:50:48 KST 2005 =====
    Running /bin/sh -c /usr/bin/crle
    ===== Thu Apr 21 18:50:48 KST 2005 =====
    Running /bin/sh -c /bin/cp -rpf /opt/java05Q1/Mail/lib/config-templates/html /opt/java05Q1/Mail/config/
    ===== Thu Apr 21 18:50:57 KST 2005 =====
    Running /bin/chown -Rh mailsrv /opt/java05Q1/Mail/config/html
    ===== Thu Apr 21 18:50:57 KST 2005 =====
    Running /bin/chgrp -Rh mail /opt/java05Q1/Mail/config/html
    ===== Thu Apr 21 18:50:57 KST 2005 =====
    Running /bin/sh -c /bin/cp -rpf /opt/java05Q1/Mail/config /opt/java05Q1/Mail/install/configure_20050421184758
    ===== Thu Apr 21 18:51:08 KST 2005 =====
    Running /bin/sh -c /bin/cp -p /opt/java05Q1/Mail/lib/config-templates/Devsetup.properties /opt/java05Q1/Mail/install/configure_20050421184758/Devsetup.properties
    Sequence Completed
    PASSED: /usr/sbin/groupadd mail : status = 9
    PASSED: /usr/sbin/useradd -g mail -d / mailsrv : status = 0
    PASSED: /usr/sbin/usermod -G mail mailsrv : status = 3
    PASSED: /bin/rm -rf /opt/java05Q1/Mail/config /opt/java05Q1/Mail/data : status = 0
    PASSED: /bin/chmod 600 /opt/java05Q1/Mail/lib/config-templates/Devsetup.properties : status = 0
    FAILED: /opt/java05Q1/Mail/lib/devinstall -l schema1:sepadmsvr:pkgcfg:config:msg:msg_en:imta:msma:webmail:imta -v -m -i /opt/java05Q1/Mail/lib/config-templates/config.ins /opt/java05Q1/Mail/lib/config-templates /opt/java05Q1/Mail/lib/jars /opt/java05Q1/Mail/lib : status = 1
    PASSED: /bin/sh -c /opt/java05Q1/Mail/sbin/imsimta clbuild -image_file=IMTA_COMMAND_DATA IMTA_BIN:pmdf.cld : status = 0
    PASSED: /bin/sh -c /opt/java05Q1/Mail/sbin/imsimta chbuild : status = 0
    FAILED: /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/cfgdir23381 -c -e /opt/java05Q1/Mail/config/cfgdir.ldif.rej -f /opt/java05Q1/Mail/config/cfgdir.ldif : status = 89
    FAILED: /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -e /opt/java05Q1/Mail/config/usergroup.ldif.rej -f /opt/java05Q1/Mail/config/usergroup.ldif : status = 89
    FAILED: /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -e /opt/java05Q1/Mail/config/dctree.ldif.rej -f /opt/java05Q1/Mail/config/dctree.ldif : status = 89
    FAILED: /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -e /opt/java05Q1/Mail/config/mid_dctree.ldif.rej -f /opt/java05Q1/Mail/config/mid_dctree.ldif : status = 89
    FAILED: /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -e /opt/java05Q1/Mail/config/last_dctree.ldif.rej -f /opt/java05Q1/Mail/config/last_dctree.ldif : status = 89
    FAILED: /opt/java05Q1/Mail/lib/ldapmodify -h love.daou.co.kr -p 389 -D cn=Directory Manager -j /opt/java05Q1/Mail/lib/config-templates/ugdir23382 -c -e /opt/java05Q1/Mail/config/pab.ldif.rej -f /opt/java05Q1/Mail/config/pab.ldif : status = 89
    PASSED: /bin/sh -c /opt/java05Q1/Mail/sbin/imsimta cnbuild : status = 0
    PASSED: /bin/sh -c /bin/cp /opt/java05Q1/Mail/lib/config-templates/madman_solaris.reg /etc/snmp/conf/ims.reg : status = 0
    PASSED: /bin/sh -c /bin/cp /opt/java05Q1/Mail/lib/config-templates/madman_solaris.acl /etc/snmp/conf/ims.acl : status = 0
    PASSED: /bin/sh -c /usr/bin/crle : status = 0
    PASSED: /bin/sh -c /usr/bin/crle -s /usr/lib/secure -s /opt/java05Q1/Mail/lib : status = 0
    PASSED: /bin/sh -c /usr/bin/crle : status = 0
    PASSED: /bin/sh -c /bin/cp -rpf /opt/java05Q1/Mail/lib/config-templates/html /opt/java05Q1/Mail/config/ : status = 0
    FAILED: /bin/chown -Rh mailsrv /opt/java05Q1/Mail/config/html : status = 1
    FAILED: /bin/chgrp -Rh mail /opt/java05Q1/Mail/config/html : status = 1
    PASSED: /bin/sh -c /bin/cp -rpf /opt/java05Q1/Mail/config /opt/java05Q1/Mail/install/configure_20050421184758 : status = 0
    PASSED: /bin/sh -c /bin/cp -p /opt/java05Q1/Mail/lib/config-templates/Devsetup.properties /opt/java05Q1/Mail/install/configure_20050421184758/Devsetup.properties : status = 0
    FAILURE: Number of task failed:9. Please check install log /opt/java05Q1/Mail/install/configure_20050421184758.log for further details.
    Hit NEXT to continue
    Configuration Details:
    Product Result More Information
    1. Messaging Server Failed Available
    2. Done
    Enter the number corresponding to the desired selection for more information, or enter 2 to continue [2] {"!" exits}:
    ================
    Any Good ADVICE would be welcomed.

    I already did what you advised: installing the admin server on each machine. I tested it by connecting with the admin console, modifying the LDAP and mail config, and adding users.
    As for running the 'comm_dssetup.pl' script, if I hadn't, I could not even have set up and configured the mail server.
    In a month, there is a chance to set up both the mail and LDAP servers on different machines.
    I am a little bit worried. What did I do wrong?
    Any words of advice would be welcomed..

  • Why do I get error "The LDAP server is unavailable" while connecting to external domain via sync connection in SharePoint UPSA?

    Hello,
    I am trying to connect to an external domain via a UPS account that has the "Replicate Directory Changes" permission on the external domain, while creating a sync connection in UPSA.
    I have checked the URLs below:
    http://social.technet.microsoft.com/Forums/en-US/1912bf88-8fec-4b5d-9d1e-a42db8318e33/ldap-server-is-unavailable-sharepoint-2010-user-synchronization?forum=sharepointadminprevious
    http://social.technet.microsoft.com/Forums/en-US/6525d3aa-9197-42a2-aea0-190b84ac8356/the-ldap-server-is-unavailable?forum=sharepointadminprevious
    And it looks like it's a network connectivity issue, and hence I have had the infra team verify that port 389 is open.
    Note: I am able to connect to the local AD. Does it make sense that the port is not open for the external domain?
    Can anyone please let me know what the issue could be?
    Your help will be highly appreciated, as I have been struggling to fix this issue for quite a long time, but no luck yet.
    Thank you in advance.
    Kind regards,
    Dipti Chhatrapati

    Hi Dipti,
    If you have a two-way trust relationship, then I'm not sure if you have tried the below:
    Create a folder on the SharePoint server
    Go to Folder properties - Security tab
    Try adding a user of the external domain on the folder
    Please let us know if you are able to add the user or not. If you are able to add the user, then it means that the connection and trust are proper and you should be able to create the sync connection in UPA without any issues; otherwise there is some issue with the connectivity or the trust which is configured.
    Please also make sure that you have given permissions to the sync account as per the TechNet article below:
    http://technet.microsoft.com/en-us/library/hh296982(v=office.15).aspx
    Replicate Directory Changes permissions are also required on the cn=configuration container; below are the steps:
    Grant Replicate Directory Changes permission on the cn=configuration container
    Use this procedure to grant Replicate Directory Changes permission on the cn=configuration container to an account.
    To grant Replicate Directory Changes permission on the cn=configuration container
    On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.
    If the Configuration node is not already present, do the following:
    In the navigation pane, click ADSI Edit.
    On the Action menu, click Connect to.
    In the Connection Point area of the Connection Settings dialog box, click Select a well known Naming Context, select Configuration from the drop-down list, and then click OK.
    Expand the Configuration node, right-click the CN=Configuration... node, and then click Properties.
    In the Properties dialog box, click the Security tab.
    In the Group or user names section, click Add.
    Type the name of the synchronization account, and then click OK.
    In the Group or user names section, select the synchronization account.
    In the Permissions section, select the Allow check box next to the Replicating Directory Changes (Replicate Directory Changes on Windows Server 2003) permission, and then click OK.
    Kind regards,
    Bhavik K Jain
    Please ensure that you mark a question as Answered once you receive a satisfactory response.

  • Can I use LDAP server's authentication mechanism rather than comparing password ?

    Hi All,
    The WebLogic security and admin guide says that user authentication can be of the following 3 types:
    1. Bind specifies that the LDAP security realm retrieves user data, including the password for the LDAP server, and checks the password in WebLogic Server.
    2. External specifies that the LDAP security realm authenticates a User by attempting to bind to the LDAP server with the username and password supplied by the WebLogic Server client. If you choose the External setting, you must also use the SSL protocol.
    3. Local specifies that the LDAP security realm authenticates a User by looking up the UserPassword property in the LDAP directory and checking it against the passwords in WebLogic Server.
    But say I want my users to be authenticated by the LDAP server rather than picking up the password from LDAP and comparing it at the WebLogic end. Then what should I do?
    Because no. 2 is applicable only for SSL certificates, and no. 1 and no. 3 pick up the password using the login DN and password provided at the time of configuration of the realm and compare it with the password given by the user.
    And once again there are some issues with picking up the password and comparing it:
    1. Netscape Directory Server can store the password in one-way hashed form (and that is preferred, too). So when the userPassword attribute is read, it's in one-way hashed form. So how will the comparison work?
    2. Creating a user who has access to user data along with the userPassword attribute is itself a security threat, as if someone can crack that user's DN and password then he/she can do anything, as the user data can be read.
    Any suggestion is welcome.
    TIA,
    Sudarson

    Thanks a lot Jerry.
    I got this stuff from the WebLogic 6.1 doc set, security.pdf and adminguide.pdf.
    I have another question: if that is the case (in the case of BIND), then why do we require the DN and password of a user who has access to read the entire directory?
    And at the same time, you specified this for Bind; what are the cases for the other two, Local and External? And then what is actually the difference between Bind and Local?
    Please help me.
    Thanks,
    Sudarson
    Jerry <[email protected]> wrote:
    Hi Sudarson,
    Whatever doc you were reading is at least partially incorrect, unfortunately...
    I know for sure that when you specify BIND, weblogic sends the username/password to your LDAP server in an attempt to bind to it.
    If the bind is successful, WLS determines that the username/password pair were correct.
    If the bind was unsuccessful, WLS determines that the username/password pairing is not valid.
    At all times, WebLogic is letting the LDAP server do the actual compare of username/password. WLS does not, at any time, retrieve a password from the LDAP server.
    I hope this helps,
    Joe Jerry
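As an added illustration of the point argued in this thread (not code from the thread, from WebLogic or from any directory product): a bind hands the user's credentials to the directory, which verifies them against its own stored hash, whereas an application that reads userPassword back and compares it cannot succeed once the directory stores one-way {SSHA} hashes, which is exactly the original post's point 1. The in-memory directory, the DNs and the passwords are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import os

# Constructed in-memory stand-in for a directory server such as Netscape/Sun
# Directory Server, which stores userPassword as a salted one-way {SSHA} hash.
# Every DN and password below is made up for this example.

def ssha_hash(password, salt=None):
    """Build a {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored, password):
    """The check the directory itself performs when a client binds."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # a SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)

DIRECTORY = {
    "cn=Directory Manager": {"userPassword": ssha_hash("manager-secret")},
    "uid=sudarson,ou=People,o=example": {"userPassword": ssha_hash("correct-pw")},
}

def server_bind(dn, password):
    """Simple bind as seen from the server: it compares against its own hash."""
    entry = DIRECTORY.get(dn)
    return entry is not None and ssha_verify(entry["userPassword"], password)

def authenticate_by_bind(user_dn, password):
    """What Jerry describes: hand the user's credentials to the LDAP server and
    trust its bind result. No password hash ever leaves the directory."""
    return server_bind(user_dn, password)

def authenticate_by_compare(admin_dn, admin_pw, user_dn, password):
    """The approach the original poster feared: a privileged account reads
    userPassword and the application compares it. Against a one-way hash the
    plain comparison never matches, even when the password is correct."""
    if not server_bind(admin_dn, admin_pw):
        return False
    stored = DIRECTORY.get(user_dn, {}).get("userPassword", "")
    return stored == password
```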

  • 'authentication failed' using Microsoft ADSI version LDAP server

    Hi All,
    Nowadays I am facing some problems with authentication (I am using a Microsoft ADSI version LDAP Server), and I am not able to authenticate the LDAP users.
    I have configured my LDAP server in the same manner as you mentioned in this blog.
    When I try to authenticate the user from the RPD itself, I am getting the following error:
    "authentication failed" (actually I forgot the exact message, but its meaning is the same as I referred to here)
    though I am able to authenticate the bind user (which I used to configure the LDAP Server).
    Please help me with this, as I have already wasted a lot of time doing R&D to make it work..
    I have an urgent requirement to do the same..
    Your help will be highly appreciated…
    thanks in advance
    PS: I have checked the 'ADSI' box in the Advanced tab:

    Hi,
    Please have a look at the below link:
    Unknown certificate error when testing LDAP SSL connection
    Not sure whether it will help you. But have a look at it.
    Regards,
    Jithin
