LDAP server?

Good afternoon folks:
Can anyone point me to where I find the directory server installation for solaris 10 x86? The install routine seemed to assume that I had purchased a copy or had the 90-day evaluation of Java Enterprise System, and the license I got via e-mail from Sun when I downloaded the Solaris 10 CD images indicated that I had license to use Java System Directory Server 5 for 200,000 entries gratis.
However, I can't find Directory Server 5 anywhere on the install media, and I'm a little confused about whether or not I need to install off of Java Enterprise System and ignore the 90-day evaluation license, or if the directory server lives elsewhere ...
Help?
Thanks.
-travis

Thanks Kevin ... that is where I thought it was supposed to be, at least according to the docs for Java Enterprise, however, I can't find any sign of directoryserver in /etc/init.d or in /usr/sbin. I did a full install for testing (I haven't worked with Solaris extensively since 8, so I figured a bloated installation would be good to start with) and seem to have a copy of openldap on the CCD disc, but no Java Directory Server at all.
Do I also need Java Enterprise? I was under the impression Directory Server was built in to Solaris 10.
Thanks again.
-travis

Similar Messages

How can we update data in LDAP server using PL/SQL.

Hi,
How can we update data in LDAP server using PL/SQL program.
Is there any sample code for refrence.
Thanks,
Tarun

Hi Justin,
Thanks for your help. You got my correct requirements.
Tim's example returning all the attributes of current user which is admin user. Please correct me if I am wrong.
I have the following information:
the admin user and password,server info , port and ldap_base for admin.
I have uid and password for regular user, I am trying find the ldap_base for regular user, which may be different from adminuser.
Please help me.
Thanks,
Edited by: james. on Jan 12, 2009 5:39 PM

Problem instaliing sun one LDAP server on windows server 2008 r2

Hi all ,
I am trying to install Ldap server (Sun ONE Directory Server) on windows server 2008
I am using apache-tomcat-7.0.28 and java jdk1.7.0_05
I am following this manual for installing :
https://blogs.oracle.com/marginNotes/entry/installing_directory_server_enterprise_edition1
I have a problem with the cacao agent and how to install it .
I've got this error message :
c:\Program Files\Sun\dsee7\bin>dsccsetup cacao-reg
Configuring Cacao...
## Failed to run "c:/Program Files/Sun/dsee7/ext/cacao_2/bin/cacaoadm.bat" set-
aram "jdmk-home=c:/Program Files/Sun/dsee7/lib/private"
#### Cannot create service for instance: [cacao.instance.name].
#### Cannot perform firstime inialisation and configuration.
## Exit code is 1
Failed to configure Cacao.
I stuck and with no other solutions . I hope if you could to help with this issue .
i will glad to know if there is any other ways to install this specific Ldap server ,
Thanks,
Alon

You most likely skipped the step of starting the installed server prior to trying to access admin URL. Please check this document:
http://docs.sun.com/source/817-1830-10/win.html
Relevant section is:
You can start the Administration Server in either of the following ways:
# Select Start Menu -> Programs -> Sun ONE Web Server, and choose Start Web Server Administration Server.
# From the Control Panel�s Services item.
HTH...

ASA Remote Access Authentication with LDAP Server

Thank you in advance for your help.
I am configuring an ASA to authenticate with a ldap server for ipsec vpn access. My customer has 3 networks that are to be accessed by remote users. However they want to be able to say that one user can get to 2 of the networks and not the 3rd. So basically they want control over what network behind the firewall each user can access. This seems doable from my reading and I had planned to creating a group for each network that needs accessible and either do attribute maps to each group with a separate group created on the ldap server for authentication. Basically a ldap group on the ldap server that will have the users name in the group in order for access. I can restrict access via acl's or filtering to force my group to only be allowed access to a specific network. Here is the problem I am having now.
The ldap server has been created and seems to be working fine. I have created my AAA groups and servers and I have done the ldap test with a test user vpntest and a password on the ldap server. When I run the authentication test from the ADSM or command line I get a good authentication successful message. So I configured a vpn client remotely and attempted to authenticate to this group and it says there is no user by that name. Below is a paste of the debug. The second part is when I did a successful test from the ASDM or CLI and it worked great. The first part is when I attempted from the vpn client. It all looks the same from the search criteria. What am I missing here or does anyone more knowledgeable see anything that I am doing wrong. Can this be done this way or should I try radius. The customer was just adament about using ldap.
extvpnasa5510#
[243] Session Start
[243] New request Session, context 0xd5713fe0, reqType = 1
[243] Fiber started
[243] Creating LDAP context with uri=ldaps://130.18.22.44:636
[243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
[243] supportedLDAPVersion: value = 2
[243] supportedLDAPVersion: value = 3
[243] No Login DN configured for server 130.18.22.44
[243] Binding as administrator
[243] Performing Simple authentication for to 130.18.22.44
[243] LDAP Search:
        Base DN = [ou=employees,o=msues]
        Filter = [uid=vpntest]
        Scope   = [SUBTREE]
[243] User DN = [uid=vpntest,ou=employees,o=msues]
[243] Talking to iPlanet server 130.18.22.44
[243] No results returned for iPlanet global password policy
[243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
[243] Session End
extvpnasa5510#
[244] Session Start
[244] New request Session, context 0xd5713fe0, reqType = 1
[244] Fiber started
[244] Creating LDAP context with uri=ldaps://130.18.22.44:636
[244] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
[244] supportedLDAPVersion: value = 2
[244] supportedLDAPVersion: value = 3
[244] No Login DN configured for server 130.18.22.44
[244] Binding as administrator
[244] Performing Simple authentication for to 130.18.22.44
[244] LDAP Search:
        Base DN = [ou=employees,o=msues]
        Filter = [uid=vpntest]
        Scope   = [SUBTREE]
[244] User DN = [uid=vpntest,ou=employees,o=msues]
[244] Talking to iPlanet server 130.18.22.44
[244] Binding as user
[244] Performing Simple authentication for vpntest to 130.18.22.44
[244] Processing LDAP response for user vpntest
[244] Authentication successful for vpntest to 130.18.22.44
[244] Retrieved User Attributes:
[244]   sn: value = test user
[244]   givenName: value = vpn
[244]   uid: value = vpntest
[244]   cn: value = vpn test user
[244]   objectClass: value = top
[244]   objectClass: value = person
[244]   objectClass: value = organizationalPerson
[244]   objectClass: value = inetOrgPerson
[244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
[244] Session End

Hi Larry,
You can map AD group memberships to specific group policies on the ASA, you can find that configuration here:
- http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
Let me know if further assistance is required!
Please proceed to rate and mark as correct the helpful Post!
David Castro,
Regards,

How to change LDAP server setting in Access Manager 6.2

Hi,
We have initially set authentication as a SunONE Directory Server 5.1 (master DS1) in Sun Java System Access Manager 6.2. In both /etc/opt/SUNWam/config/serverconfig.xml
/etc/opt/SUNWam/config/AMConfig.properties
conf files, DS1 was set initially. Also on console's Service Configuration ->LDAP->Primary LDAP Server was set as "DS1"
Now the problem is that I am not able to change the DS1 to the other master "DS2". I set DS2 in both above conf files and also the Service Configuration page as Primary LDAP Server. I restarted the server. When I stopped the DS1, I couldn't login access manager console with any user. It looks like it is still trying to get authentication from DS1.
Does anybody know what I am missing here?
Regards,

After hopeless tries, I finally made it work;) The trick was actually updating the sunKeyValue attribute of the entry:
"dn:ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthLDAPService,ou=ser
vices,dc=company,dc=com" in one of the master DS I have.
Even though I set DS2 and loadBalancer hosts in all conf files and in Primary LDAP conf in amconsole's Service Configuration, it just didn't work until I inserted loadBalancer host in sunKeyValue attribute.
Hope it helps to someone....
-Bora

Getting HTTP 500 Error When Trying To Authenticate Against LDAP Server (Active Directory)

Hello,
I am currently facing an issue when I try and use LDAP authentication in my Apex application as I am getting a HTTP 500 Internal Server Error message. For my authentication scheme I have used the pre-configured option of how to connect to an LDAP server and in my development environment this seems to be working fine but now I have deployed my application to our staging environment and I am getting the error. If I switch to the Application Express Authentication scheme then I don't get the error.
I've had a look at the log file on the server and I see I am getting this error:
[#|2015-03-31T16:19:11.254+0100|SEVERE|glassfish3.1.2|null|_ThreadID=21;_ThreadName=Thread-2;|JDBCException [kind=UNAVAILABLE]
    at oracle.dbtools.common.jdbc.JDBCException.wrap(JDBCException.java:99)
    at oracle.dbtools.common.config.db.DatabaseConfig.getConnection(DatabaseConfig.java:81)
    at oracle.dbtools.common.jdbc.ora.OraPrincipal.connection(OraPrincipal.java:69)
    at oracle.dbtools.apex.ModApexContext.getConnection(ModApexContext.java:372)
    at oracle.dbtools.apex.OWA.getStatement(OWA.java:536)
    at oracle.dbtools.apex.OWA.init(OWA.java:308)
    at oracle.dbtools.apex.ModApex.doPost(ModApex.java:138)
    at oracle.dbtools.apex.ModApex.service(ModApex.java:303)
    at oracle.dbtools.rt.web.HttpEndpointBase.modApex(HttpEndpointBase.java:347)
    at oracle.dbtools.rt.web.HttpEndpointBase.service(HttpEndpointBase.java:130)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
    at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1550)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
    at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
    at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
    at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:860)
    at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:757)
    at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1056)
    at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:229)
    at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
    at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
    at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
    at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
    at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
    at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
    at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
    at java.lang.Thread.run(Thread.java:662)
Caused by: java.sql.SQLException: Exception occurred while getting connection: oracle.ucp.UniversalConnectionPoolException: All connections in the Universal Connection Pool are in use
    at oracle.ucp.util.UCPErrorHandler.newSQLException(UCPErrorHandler.java:488)
    at oracle.ucp.util.UCPErrorHandler.throwSQLException(UCPErrorHandler.java:163)
    at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:928)
    at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:863)
    at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:855)
    at oracle.dbtools.common.config.db.DatabaseConfig.getConnection(DatabaseConfig.java:71)
    ... 33 more
Caused by: oracle.ucp.UniversalConnectionPoolException: All connections in the Universal Connection Pool are in use
    at oracle.ucp.util.UCPErrorHandler.newUniversalConnectionPoolException(UCPErrorHandler.java:368)
    at oracle.ucp.util.UCPErrorHandler.throwUniversalConnectionPoolException(UCPErrorHandler.java:49)
    at oracle.ucp.util.UCPErrorHandler.throwUniversalConnectionPoolException(UCPErrorHandler.java:80)
    at oracle.ucp.util.UCPErrorHandler.throwUniversalConnectionPoolException(UCPErrorHandler.java:131)
    at oracle.ucp.common.UniversalConnectionPoolImpl.borrowConnectionWithoutCountingRequests(UniversalConnectionPoolImpl.java:279)
    at oracle.ucp.common.UniversalConnectionPoolImpl.borrowConnection(UniversalConnectionPoolImpl.java:142)
    at oracle.ucp.jdbc.JDBCConnectionPool.borrowConnection(JDBCConnectionPool.java:157)
    at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:916)
    ... 36 more
So it seems that every time I try and use LDAP I hit this error. Also after awhile I have to re-start the Apex Listener for that domain. I have came across this thread: LDAP Authentication Question but I am not sure if the user got the problem solved or not.
Our infrastructure is as follows:
Database: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit
Apex Listener: 2.0.3.221.10.13
GlassFish Server Open Source Edition 3.1.2.2 (build 5)
If anybody has any idea what is causing this that would be great.
Cheers,
Paul.

Hi Colm,
Thanks for getting back to me on this. I have downloaded and created a new ORDS server with 2.0.10 and while I don't get the error:
Exception occurred while getting connection: oracle.ucp.UniversalConnectionPoolException: All connections in the Universal Connection Pool are in use
I am now getting the following (I have turned on the logging)
No more data to read from socket java.sql.SQLRecoverableException: No more data to read from socket
at oracle.jdbc.driver.T4CMAREngine.unmarshalUB1(T4CMAREngine.java:1157) at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:345)
at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:223) at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:531)
at oracle.jdbc.driver.T4CCallableStatement.doOall8(T4CCallableStatement.java:205)
at oracle.jdbc.driver.T4CCallableStatement.executeForRows(T4CCallableStatement.java:1043)
at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1336)
at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePreparedStatement.java:3612)
at oracle.jdbc.driver.OraclePreparedStatement.execute(OraclePreparedStatement.java:3713)
at oracle.jdbc.driver.OracleCallableStatement.execute(OracleCallableStatement.java:4755)
at oracle.jdbc.driver.OraclePreparedStatementWrapper.execute(OraclePreparedStatementWrapper.java:1378)
at sun.reflect.GeneratedMethodAccessor1991.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at oracle.ucp.jdbc.proxy.StatementProxyFactory.invoke(StatementProxyFactory.java:230)
at oracle.ucp.jdbc.proxy.PreparedStatementProxyFactory.invoke(PreparedStatementProxyFactory.java:124)
at oracle.ucp.jdbc.proxy.CallableStatementProxyFactory.invoke(CallableStatementProxyFactory.java:101)
at $Proxy432.execute(Unknown Source) at oracle.dbtools.apex.OWA.execute(OWA.java:145)
at oracle.dbtools.apex.ModApex.handleRequest(ModApex.java:201)
at oracle.dbtools.apex.ModApex.doPost(ModApex.java:152)
at oracle.dbtools.apex.ModApex.service(ModApex.java:303)
at oracle.dbtools.rt.web.HttpEndpointBase.modApex(HttpEndpointBase.java:350)
at oracle.dbtools.rt.web.HttpEndpointBase.service(HttpEndpointBase.java:132)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1550)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:860)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:757)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1056)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:229)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:662)
I cant see anything glaring that is causing this. I have also increased the Minimum Connections to 30 and Maximum Connections to 100 with the administration part of Configuring ORDS via SQL Developer and it still has no desired effect.
The application works fine in our Development and Testing Environment but since I have ported it over to our production instance I am unable to log into it using my Active Directory credentials.
Cheers,
Paul.

How can portal use two different LDAP Server in UME

Hi,
My question is Can UME in portal be configured for multiple LDAP sources.Currently i have a setting in portal
as follows:
Server Name : Abcd
port : 1234
user : CN=" ",Ou=" ",Ou=" ",Dc=AD,Dc=my company,Dc=com
password :
user path : DC=AD,Dc=My company,Dc=Com
group Path : same as user path
I want to configure one more LDAP server to my portal UME,how can give values for that in above sttings.I even want these current settings to be enabled.
Do anyone have idea on this.
Thanks and Regards
Rani A

Hi again ,
I know it can be done. But how urgent is this for you.
I can get back to you in couple of days, me lil busy today.
cheers,
Anu...

How do I add an objectclass to existing LDAP server entry using an ldif file?

I am trying to fix an LDAP server that has been operating with schema check off. I need to add an objectclass to the groups so that some attributes that have been added to the groups will be "legal." From the documentation, the changetype: modify will allow the changing/adding of attributes that are already a part of the schema objects that define the entry. It does not look like I can add an objectclass with the modify operation.
If this is the case, then how do I add an objectclass to an existing entry? Using the GUI is not possible since the directory server in question is not being managed with an admin server. Please tell me that I do not have to delete the groups and import them again with an LDIF file that has the new objectclass added.
Kent

See this post:
http://softwareforum.sun.com/servlet/ProcessRequest?RHIVEID=181&RPAGEID=135&HOID=50B500000008000000636B0000&USEARCHCONTEXT_CATEGORY_0=_21_%24_7_&USEARCHCONTEXT_CATEGORY_S=0&UCATEGORY_0=_21_%24_7_&UCATEGORY_S=0

How to use company users on existing ldap server as EP6.0 sp2 Users?

Hi everybody
Our company user data is on a LDAP server we want to connect our EP6 UME to this existing LDAP server so that existing company users can access the Portal with their company id and password. What configuration we should do on the portal ?
thanks and regards
Rajendra

Hi!
Look at Admin Guide:
Administration Guide->Portal Platform->System Administration->User Management Configuration->Configuration of Data Sources Used for User Management->Defining an LDAP Directory as a Data Source
WBR, Lnk

Can an LDAP server be it's own client?

In short yes, why would you want to do this? Many reasons, but mine is to be able to use ldap on laptops running Solaris and have them log into the machine with ldap credentials off the network. When we plug them back onto the network, I have a master server send any new data via one-way replication. I will give 2 separate ways to accomplish this. One is, to put it bluntly, a dirty hack to get it working. The second is much more elegant and it's the one I have stressed tested to verify that it works.
Disclaimer: I have only used these methods on Solaris10 update 3 with Trusted Extensions using directory server 5.2 as well as the administration server. I have used a few different kinds of machines (all x86) and have not had a problem with it. I do not know if it will work on any other version or hardware. I haven't even looked at the source code, all assumptions made here are from observing the systems behavior while making minor changes.
Now, the reasons why normally you can't be your own client (at least as far as I can tell) is because of the way the system boots and the dependencies that the ldap/client service needs to start up. If you boot a machine that is it's own client and ldap/client runs before the directory server starts, of course it will fail. The system boots the services first, then legacy init scripts. Directory Server 5.2 uses init scripts. Correct me if I am wrong, but that is the only real hurdle in your way.
So the first way to get it 'working' (dirty hack) is to delay the ldap/client smf service from starting until the directory server is started. After you become a client of yourself (in this case the global zone) disable the ldap/client serrvice.
svcadm disable ldap/clientThen enable it temporarily with the -t option
svcadm enable -t ldap/clientWell if you were to reboot now it would not work because the service would not start at boot because it is set to be administratively down. Edit the S72directory script in /etc/rc2.d and after the start commands just add the svcadm enable -t ldap/client command and it will load right after directory server starts. Will this work? Yes, is it a clean way to do it? NO. I used this method just for testing the theory that the only reason I could not be my own client was because of the booting issue.
Now the best way that I can see to accomplish this is to create your own smf services for the directory server and admin server. That way all you have to do is add a dependency to the ldap/client xml file to wait until the new directory server service is started before it starts. So in /var/svc/manifest/site create a folder called ldap (I put this in site because I didn't want to run into any issues of patching). In /var/svc/manifest/site/ldap/ create two xml files named:
quick note: These are the first services I have created. There may be a much better way to make them. If you can re-code it better, please let me know so I can look at them. Also there is no restart command in here (actually I just noticed that) so adding one of those would be wise.
ds_admin.xml and directory_server.xml.
ds_admin.xml contains<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">

<service_bundle type='manifest' name='SUNWdsadmin:dsadmin'>
<service
     name='site/ldap/ds_admin'
     type='service'
     version='1'>
     <create_default_instance enabled='false' />
     <single_instance />
     <dependency
         name='fs'
         grouping='require_all'
         restart_on='none'
         type='service'>
          <service_fmri value='svc:/system/filesystem/minimal' />
     </dependency>
     <dependency
         name='net'
         grouping='require_all'
         restart_on='none'
         type='service'>
          <service_fmri value='svc:/network/initial' />
     </dependency>
     <exec_method
         type='method'
         name='start'
         exec='/lib/svc/method/ds_admin start'
         timeout_seconds='120' >
          <method_context>
               <method_credential user='root' group='sys' />
          </method_context>
     </exec_method>
     <exec_method
         type='method'
         name='stop'
         exec='/lib/svc/method/ds_admin stop'
         timeout_seconds='60' >
          <method_context>
               <method_credential user='root' group='sys' />
          </method_context>
     </exec_method>
     <stability value='Unstable' />
     <template>
          <common_name>
               <loctext xml:lang='C'>
               LDAP Admin server
               </loctext>
          </common_name>
          <description>
               <loctext xml:lang='C'>
LDAP admin server
Information Service lookups
               </loctext>
          </description>
     </template>
</service>
</service_bundle>and directory_server.xml contains:
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">

<service_bundle type='manifest' name='SUNWds:ds'>
<service
     name='site/ldap/directory_server'
     type='service'
     version='1'>
     <create_default_instance enabled='false' />
     <single_instance />
     <dependency
         name='usr'
         grouping='require_all'
         restart_on='none'
         type='service'>
          <service_fmri value='svc:/system/filesystem/minimal' />
     </dependency>
     <dependency
         name='net'
         grouping='require_all'
         restart_on='none'
         type='service'>
          <service_fmri value='svc:/network/initial' />
     </dependency>
<dependency
            name='ds_admin'
            grouping='require_all'
            restart_on='none'
            type='service'>
                <service_fmri
                    value='svc:/site/ldap/ds_admin' />
     </dependency>
     <exec_method
         type='method'
         name='start'
         exec='/lib/svc/method/directory_server start'
         timeout_seconds='120' >
          <method_context>
               <method_credential user='root' group='sys' />
          </method_context>
     </exec_method>
     <exec_method
         type='method'
         name='stop'
         exec='/lib/svc/method/directory_server stop'
         timeout_seconds='60' >
          <method_context>
               <method_credential user='root' group='sys' />
          </method_context>
     </exec_method>
     <stability value='Unstable' />
     <template>
          <common_name>
               <loctext xml:lang='C'>
               LDAP directory server
               </loctext>
          </common_name>
          <description>
               <loctext xml:lang='C'>
LDAP directory server
Information Service lookups
               </loctext>
          </description>
     </template>
</service>
</service_bundle>Now the start/stop scripts will be located in /lib/svc/method and are as followed:
ds_admin
#!/sbin/sh
case "$1" in
     start)
          /usr/sbin/directoryserver start-admin
     stop)
          /usr/sbin/directoryserver stop-admin
          echo "Usage: $0 { start | stop }"
          exit 1
esac
exit 0simple yes.
directory_server
#!/sbin/sh
HOST_NAME=`hostname`
SERVER_ROOT=/var/opt/mps/serverroot
DIRECTORY_SERVER_INSTANCE=slapd-${HOST_NAME}
case "$1" in
     start)
          ${SERVER_ROOT}/${DIRECTORY_SERVER_INSTANCE}/start-slapd
     stop)
          ${SERVER_ROOT}/${DIRECTORY_SERVER_INSTANCE}/stop-slapd
          echo "Usage: $0 { start | stop }"
          exit 1
esac
exit 0The only thing left to do is modify the ldap/client smf file to wait until the directory server starts before it loads.
So edit /var/svc/manifest/network/ldap/client.xml and right before the dependency for for /var/ldap/ldap_client_file add this
<dependency
            name='directory_server'
            grouping='require_all'
            restart_on='none'
            type='service'>
                <service_fmri
                        value='svc:/site/ldap/directory_server' />
        </dependency>
Any changes made to the /ldap/client xml file must be made after ALL zones have been installed. If this file is copied to a zone it will never work as the directory_server service is not loaded in the zones.
Now what? You must remove the legacy init scripts in /etc/rc2.d. Those would be S72directory and S73mpsadm. No need to keep them around, alternatively, you can just change the capital 'S' to lower case and they want start.
You can now either use svccfg to validate and import the new services or you can reboot. Typically, I reboot and use the '-m verbose' option on boot to watch the services for any errors. I haven't had any lately but on different systems I always watch to see if it behaves different.
That's it. I have rebooted all the machines many, many times without error. This of course does not address loading the directory server or adding users, tnrhdb file, etc... We have scripted most of loading out and once we get some error correction coded in I will post them.
Also, if you find any errors or even a better way to accomplish this, please post it.

This restriction is only in terms of implementing the Solaris support for LDAP as a naming service. If the Solaris OS is configured to use LDAP as a naming service, it can't use a LDAP server running on the same host.
The reason is that the LDAP server makes naming service calls before it gets fully started up. If the OS wants to use the LDAP server for the naming service, then a deadlock happens, where the LDAP server's gethostbyname() call can't complete because the LDAP server isn't up.
It is possible to configure the Solaris naming resolution to avoid this problem. I've got a system set up this way myself. Regardless, the official support channels won't support a system set up this way, so if you do this you do it at your own risk.

Error in authentication with ldap server with certificate

Hi,
i have a problem in authentication with ldap server with certificate.
here i am using java API to authenticate.
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
I issued the new certificate which is having the up to 5 years valid time.
is java will authenticate up to one year only?
Can any body help on this issue...
Regards
Ranga

sorry i am gettting ythe same error
javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
here when i am using the old certificate and changing the system date means i can get the authentication.
can you tell where we can concentrate and solve the issue..
where is the issue
1. need to check with the ldap server only
2. problem in java code only.
thanks in advance

Sample connecting to LDAP Server in Java

Hi,
I am trying to establishing SSL from Java Application(via Netscape Directory SDK 4.0 - Java version) to the Directory Server(ADS) in a secure manner - i.e. LDAP over SSL.
I am trying to run this code...
LDAPConnection ld = null;
LDAPModificationSet attrs = new LDAPModificationSet();
attrs.add(LDAPModification.REPLACE,new LDAPAttribute("unicodePwd", "testpassword"));
try
LDAPSSLSocketFactory ssl = new LDAPSSLSocketFactory();
ld = new LDAPConnection( ssl );
/* Connect to server */
ld.connect("10.10.10.7",636);
/* Authenticate to the server as directory manager */
ld.authenticate(adminDN,password);
/* Now modify the entry in the directory */
ld.modify( userDN, attrs );
catch(Exception e)
But I don't know where my program reads the Cert. info... I don't know
if I have to import my internal CA via keytool or I have missed some
special configuration ..
When I run this code, the following error appears:
netscape.ldap.LDAPException: Failed to create SSL socket (91); Cannot connect to the LDAP server
at netscape.ldap.LDAPSSLSocketFactory.makeSocket(LDAPSSLSocketFactory.java:309)
at edu.umassmed.chcf.security.ldap.LDAPHelper.setLDAPPassword(LDAPHelper.java:742)
at edu.umassmed.chcf.security.administration.userhandler.UserHandlerBean.changePassword(User HandlerBean.java:628)
at edu.umassmed.chcf.security.administration.userhandler.UserHandlerBean_37ncs1_ELOImpl.chan
gePassword(UserHandlerBean_37ncs1_ELOImpl.java:409)
at edu.umassmed.chcf.security.administration.userfacade.UserManagerBean.changePassword(UserM
anagerBean.java:174)
at edu.umassmed.chcf.security.administration.userfacade.UserManagerBean_3chmth_EOImpl.change
Password(UserManagerBean_3chmth_EOImpl.java:501)
at edu.umassmed.chcf.sbb.action.ChangePasswordAction.perform(ChangePasswordAction.java:114)
at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:510)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:265)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:200)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:24
95)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2204)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
LDAPHelper - authenticateUser() - expLDAP.toString() netscape.ldap.LDAPException: Failed to create S
SL socket (91); Cannot connect to the LDAP server
Is this possible? If so, what hints can you give me to get started (any sample code would be greatly appreciated).
Thanks in advance.
With Regards,
Gokul.

hey guys .. i was struggling with the same thing - finally found this solution -
use:
import netscape.ldap.*;
import netscape.ldap.factory.JSSESocketFactory;
JSSESocketFactory fact = new JSSESocketFactory(null);
//unless u wanna specify any specific ciphers in the constructor
log("Factory created");
LDAPConnection ld = new LDAPConnection(fact);
log("Connection initialised");
ld.connect(MY_HOST, MY_PORT);
log("Connected");
ld.authenticate(user, pwd);
log("Authenticated!");
Before running this, i used the "keytool" command line utility to import the SSL client certificate into my default trustStore .. as a trusted cert. Dont know if thats required.. but it worked :) Hope this helps.

Error while connecting to the LDAP server

In LDAP Server, i have configured OU with the following characteres.
OU=AdministraciÃÆÃÂ³n.
Now when i try to connect LDAP server from my application, am getting the following exception.
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0]
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0]
     at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
     at javax.naming.InitialContext.init(InitialContext.java:223)
     at javax.naming.InitialContext.<init>(InitialContext.java:197)
     at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
When i search for this, i got the this [link |http://esupport.trendmicro.com/solution/en-us/1037285.aspx/] saying some Accent characters are not converted correctly into 8-bit Unicode Transformation Format (UTF-8).
Here i have used URLEncoder.encode(mySearchbase, "UTF-8"); to encode the special characters into UTC-8.
I would like to know whether its a known issue with accent characters or anything else i missed here to handle those characters.
Thanks,
-Konanki

Well, if you're passing an array of bytes to that LDAP access code, then that isn't the right way to encode a String to an array of bytes in UTF-8 encoding. And anyway it's been a long time since I wrote LDAP access code, but I don't recall having to pass arrays of bytes to any of those JNDI classes, so that idea is probably wrong in any case.
I would suggest, if that page you linked to is actually relevant, that you just install the hot-fix it refers to. On the other hand if it doesn't actually apply to your situation, then you should just ignore it.
My guess is that UTF-8 or not, your OU value on the server is in fact not "Administración" -- that's based on the number of mis-encoded characters I see there. So perhaps what you are passing to the JNDI classes does in fact not match the server's value and it isn't an encoding issue at all.

"untrusted server cert chain" exception while connecting LDAP server

While connecting to LDAP server using JNDI over JSSE ..This is happening when trying to get the initial context
using
InitialDirContext initContext = new InitialDirContext(env);
where env is a hash table set with the default parametes.The certificate used for is a Novell CA certificate converted to X509 format and the key store is initialized with this

This got resolved when in the code the following
System.setProperty("javax.net.ssl.tmrustStore", CertFileName);
where cert file name is the filename with complete path.the file is a CA certificate of the LDAP server
in X509 format

What should be done in certmap.conf for 2-way SSL support from a standalone Java application to an SSL enabled LDAP Server

To support certficate based client authentication using 2-way SSL from a standalone java application which uses JNDI and JSSE1.0.2 to connect to an SSL enabled LDAP Server how do we configure the certmap.conf?Is there any additional setup required at the LDAP Server side apart from enablinf SSL with the option"Required Client Authentication" enabled.The 2 way SSL handshake goes through but the access log file (After configuring the certmap.conf for the issuer DN of the client certficate etc..)shows SSL failed to LDAP DN?But inspite of this access log error the Java client does get an SSL Connection object with which it is able to connect to the LDAP.IS the certmap.conf file being looked up by the LDAP Server at all?

have you out.flush() and out.close() before you call connection.getInputStream()?

Unable to Retrieve Attributes from LDAP Server

I have a problem. I was wondering if anyone can assist me. I am new to LDAP servers and JNDI. I cannot retrieve any attributes from the users listed in my data entry. Any assistance would be greatly appreciated! Thanks.
I created an entry in the LDAP server that looks like this:
�o=somedn�
|
�ou=people, o=somedn�
The �ou=people, o=somedn� entry contains fictitious users. The LDAP server is connected to a MySQL database. When I write Java code to read the attributes of a given user whose fullname (cn) is �Vinny Luigi�, as listed in the database, I receive an error that starts with the following:
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'cn=Vinny Luigi,ou=people'
The code I used is based on the Sun JNDI tutorial. Sun�s code is at http://java.sun.com/products/jndi/tutorial/basics/directory/src/GetattrsAll.java. My version of the code is below:
* @(#)GetattrsAll.java     1.5 00/04/28
* Copyright 1997, 1998, 1999 Sun Microsystems, Inc. All Rights
* Reserved.
* Sun grants you ("Licensee") a non-exclusive, royalty free,
* license to use, modify and redistribute this software in source and
* binary code form, provided that i) this copyright notice and license
* appear on all copies of the software; and ii) Licensee does not
* utilize the software in a manner which is disparaging to Sun.
* This software is provided "AS IS," without a warranty of any
* kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
* WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
* HEREBY EXCLUDED. SUN AND ITS LICENSORS SHALL NOT BE LIABLE
* FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING,
* MODIFYING OR DISTRIBUTING THE SOFTWARE OR ITS DERIVATIVES. IN
* NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST
* REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL,
* CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER
* CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT
* OF THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS
* BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
* This software is not designed or intended for use in on-line
* control of aircraft, air traffic, aircraft navigation or aircraft
* communications; or in the design, construction, operation or
* maintenance of any nuclear facility. Licensee represents and warrants
* that it will not use or redistribute the Software for such purposes.
import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;
* Demonstrates how to retrieve all attributes of a named object.
* usage: java GetattrsAll
class GetattrsAll
     static void printAttrs(Attributes attrs)
          if (attrs == null)
               System.out.println("No attributes");
          else
               /* Print each attribute */
               try
                    for (NamingEnumeration ae = attrs.getAll(); ae.hasMore();)
                         Attribute attr = (Attribute) ae.next();
                         System.out.println("attribute: " + attr.getID());
                         /* print each value */
                         for (NamingEnumeration e = attr.getAll(); e.hasMore(); System.out.println("value: " + e.next()) )
               } catch (NamingException e) {
                    e.printStackTrace();
     public static void main(String[] args) {
          // Set up the environment for creating the initial context
          Hashtable env = new Hashtable(100);
          env.put(Context.INITIAL_CONTEXT_FACTORY,
                    "com.sun.jndi.ldap.LdapCtxFactory");
          env.put(Context.PROVIDER_URL, "ldap://localhost:10389/o=somedn");
          try {
               // Create the initial context
               DirContext ctx = new InitialDirContext(env);
               // Get all the attributes of named object
               System.out.println("About to use ctx.getAttributes()");
               Attributes answer = ctx.getAttributes("cn=Vinny Luigi,ou=people");
               // Print the answer
               printAttrs(answer);
               // Close the context when we're done
               ctx.close();
          } catch (Exception e) {
               e.printStackTrace();
The primary key of the database is id_pk. Below is a copy of the mapping.xml file which maps the LDAP server entry to the database:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapping PUBLIC "-//Penrose/DTD Mapping 1.2//EN" "http://penrose.safehaus.org/dtd/mapping.dtd">
<mapping>
<entry dn="o=somedn">
<oc>organization</oc>
<oc>top</oc>
<at name="o" rdn="true">
<constant>somedn</constant>
</at>
<aci>
<permission>rs</permission>
</aci>
</entry>
<entry dn="ou=people,o=somedn">
<oc>inetOrgPerson</oc>
<oc>organizationalPerson</oc>
<oc>organizationalUnit</oc>
<oc>person</oc>
<oc>top</oc>
<at name="cn">
<constant>"fullname"</constant>
</at>
<at name="ou" rdn="true">
<constant>people</constant>
</at>
<at name="sn">
<constant>"lastname"</constant>
</at>
</entry>
<entry dn="id_pk=...,ou=people,o=somedn">
<oc>inetOrgPerson</oc>
<oc>organizationalPerson</oc>
<oc>person</oc>
<oc>top</oc>
<at name="Position_">
<variable>usertable9.Position_</variable>
</at>
<at name="id_pk" rdn="true">
<variable>usertable9.id_pk</variable>
</at>
<at name="fullname">
<variable>usertable9.fullname</variable>
</at>
<at name="lastname">
<variable>usertable9.lastname</variable>
</at>
<at name="cn">
<variable>usertable9.fullname</variable>
</at>
<at name="sn">
<variable>usertable9.lastname</variable>
</at>
<source name="usertable9">
<source-name>usertable9</source-name>
<field name="Position_">
<variable>Position_</variable>
</field>
<field name="id_pk">
<variable>id_pk</variable>
</field>
<field name="fullname">
<variable>cn</variable>
</field>
<field name="lastname">
<variable>sn</variable>
</field>
</source>
</entry>
</mapping>
Thanks.

The complete name (Distinguished Name) of the user you're searching is 'cn=Vinny Luigi,ou=people,o=somedn'.
Regards,
Ludovic.

LDAP server?

Similar Messages

Maybe you are looking for