Leopard with LDAP/NFS

Similar Messages

• EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

  Hello everyone,
  Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
  Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
  I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
  Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
  However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
  This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
  Here's what happens:
  1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
  2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
  3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
  4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
  5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
  Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
  http://discussions.apple.com/thread.jspa?messageID=5967023
  http://discussions.apple.com/message.jspa?messageID=5982070
  these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
  If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
  Thanks,
  Andrew

  Hard to tell what is happening without looking at the application
  source, knowing what OS & hardware you're using etc. You might want to
  try running with different JVM versions to see if it's actually the VM
  that is the problem. If you have a support contract with BEA you could
  ask support to help you diagnose this.
  Regards,
  /Helena
  Ayub Khan wrote:
  I have an application running on Weblogic 8.1 ( with JRockit as the JVM). This
  application in turns talks to an iPlanet Directory server via LDAP/SSL. The problem
  seems to happen on loading the machine..the performance progressively gets worse
  and after a couple of seconds, all the threads stop responding. I checked the
  heap, cpu and the idle threads in the execute queue and there is nothing there
  to trigger alarms...there are quite a few idle threads still and the heap and
  the cpu utilization seem OK. On doing a thread dump, Is see that all the other
  threads seem to be in a state where they are waiting for data from LDAP and it
  is basically read only data that they are waiting on.
  Does anyone know what it is going on and help point me in the right direction.
  -Ayub

• Untrusted server cert chain - while connecting with ldap

  Hi All,
  I am getting the following error while running a standalone java program in windows 2000+jdk1.3 environment to connect with LDAP.
  javax.naming.CommunicationException: hostname:636 [Root exception is ja
  vax.net.ssl.SSLException: untrusted server cert chain]
  javax.naming.CommunicationException: hostname:636. Root exception is j
  avax.net.ssl.SSLException: untrusted server cert chain
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
  at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA12275)
  at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA12
  275)
  at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA12275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
  at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA12275)
  at java.io.OutputStream.write(Unknown Source)
  at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
  at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
  at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
  at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
  at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
  at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
  at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
  at javax.naming.InitialContext.init(Unknown Source)
  at javax.naming.InitialContext.<init>(Unknown Source)
  at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
  at Test2.getProxyDirContext(Test2.java:66)
  at Test2.main(Test2.java:40)
  Any help would be appreciated
  Thanks in Advance
  Somu

  This got resolved when in the code the following
  System.setProperty("javax.net.ssl.tmrustStore", CertFileName);
  where cert file name is the filename with complete path.the file is a CA certificate of the LDAP server
  in X509 format

• I have a 2008 iMac 21.5" 10.6.8 Snow Leopard with 4.1.3 VMWare and windows 7.Mountain Lion initially refused to down load as I had back up on the HD. this was removed and installation was accepted but froze in the initial stages with 33 mins to go.

  I have a 2008 iMac 21.5" using 10.6.8 Snow Leopard with VM Ware 4.1.3 supporting Windows 7. Initially ML OSX refused to install due to Back up on HD which I removed to trash.It then proceeded but froze up in the initial stages with 33 mins remaining. I was lucky enough to quit and restart using 10.6.8. With all the problems on this chat line, it appears it may be best to leave Mountain Lion well alone, and cut losses rather than tempt fate.Has anybody anything positive to say or help with?

  Welcome to Apple Communities
  1. Open Disk Utility and repair permissions
  2. Open Finder, go to your user's folder > Library > Caches and delete everything
  3. Verify disk
  4. See if your apps are compatible with OS X 10.8 > http://www.roaringapps.com
  You can also do a backup and create a DVD or USB drive to install OS X > http://arstechnica.com/apple/2012/07/how-to-create-a-bootable-backup-mountain-li on-install-disk/ When you start in 10.8 installer, open Disk Utility, select your volume and erase the drive, and install

• Problem with LDAP in BEA Portal

  Problem with LDAP in BEA Portal
  I have a list of 50 user which should be cerated in portal staging(devlopment) machine and should be transfered to
  production machine using LDAP
  Steps which i followed to create Users
  1.Create User Profile with 2 parameters branch and Role
  2.I have list user in the Xls file with Username,password ,branch and Role
  3.Write a java File which will read the Xls File
  4.The users are created in the staging machine for the portal
  Steps which i followed in LDAP to tranfer the created User form Devlopment to Production
  1.Export the created user from Devlopment (which was moved as .DAT in my local directory)
  2.import the user from local direcory to production machine
  The Users are imported in the production machine with username and password but the role and branch values are empty
  We need a solution for importing the user with role and branch corresponding to each user.
  Thanks in Adv
  Suresh

  In Portal 8.1, user name and password in stored in LDAP where as user profile values are stored in database. That is the reason you are not able to see the user profile values.
  Check once again whether you can see these values through admin tool. In case,it is not(after confirmation again),you might have to use APIs to do this for you incase you dont want to manage through Admin Tool.
  Thanks,
  Prashanth Bhat.

• Old computer I had is OSX Snow Leopard with Entourage. New one is OSX Mavericks. Using Mail where are my addresses and old address book. Transferred old computer backup by Time Machine and other things work? Can't see a symbol for address book.

  Old computer I had is OSX Snow Leopard with Entourage. New one is OSX Mavericks. Using Mail where are my addresses and old address book. Transferred old computer backup by Time Machine and other things work? Can;t see a symbol for address book.

  Where are addresses kept on MAIL?  I don;t like the new format at all. Frances
  Begin forwarded message:
  From: Frances Topping <[email protected]>
  Subject: Re: - Old computer I had is OSX Snow Leopard with Entourage. New one is OSX Mavericks. Using Mail where are my addresses and old address book. Transferred old computer backup by Time Machine and other things work? Can't see a symbol for address book.
  Date: August 25, 2014 at 9:46:01 AM EDT
  To: discussions-replies <[email protected]>
  Old Entourage is POP and new Mavericks MAIL  is IMAP I believe. I don;t know how to export in the forms you mention. Frances

• How can I do a clean install of Snow Leopard with out losing iLife applications?

  I bought my Macbook pro in 2009 and am currently running the Leopard software. I want to do a clean install of Snow Leopard, but I do not want to lose my iLife applications.  I lost the DVD's that came with the computer. Is there any way I can do a clean install of Snow Leopard with out losing my iLife applications?
  Will a regular installation of Snow Leopard allow the App store to recognize that my computer has iLife and mark it as a purchased item in my account. If it can, then would I be able to do a clean install and re-download the apps for free.
  Any help would be appreciated!

  1. Install Snow Leopard normally; this will keep the applications intact. An actual clean installation involves either erasing the partition or creating a blank one, and neither of those will carry the applications over.
  2. The previous iLife installation won't carry over to the Mac App Store, and the Mac App Store versions are incompatible with Snow Leopard.
  (97485)

• Error in authentication with ldap server with certificate

  Hi,
  i have a problem in authentication with ldap server with certificate.
  here i am using java API to authenticate.
  Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
  I issued the new certificate which is having the up to 5 years valid time.
  is java will authenticate up to one year only?
  Can any body help on this issue...
  Regards
  Ranga

  sorry i am gettting ythe same error
  javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
  here when i am using the old certificate and changing the system date means i can get the authentication.
  can you tell where we can concentrate and solve the issue..
  where is the issue
  1. need to check with the ldap server only
  2. problem in java code only.
  thanks in advance

• Problem with users in portal - login conflict with LDAP.

  Hi.
  Let me describe our problem:
  We've a EP5 portal with LDAP conected to a central LDAP server, users access with the same user and password to all the different systems.
  The problem happens to users who have theyr passwords expired. We already set to 0 the password expiration days to avoid future problems but that didn't applied to the already expired ones.
  This affected users cannot change the password due to problems with the connection rights to LDAP server.
  We're trying to find the place there it's set that the user is in some kind of "password expired" status, directly in a database table if neccesary, to change the status manually, as system does not allow os to set it by user administration in portal.
  Any suggestions would be appreciated.

  Restoring expired Portal passwords
  Solved

• LDAP/AD Role group user login issue in sharepoint 2010 FBA with LDAP

  Hi.
  I created sharepoint 2010 site with LDAP FBA.If I add the AD user as form based user and try to login to my site its working very well but if I add a AD Group in to my site and try to login with one of the AD user of this group its say "Access
  Denied".
  In my project we want add AD group in sharepoin Groups not a individual AD users.
  Can anyone help me with this please its urgant?

  I added both LDAP membership and LDAP Role provider.And I can also find groups in people picker in my Central Admin and FBA Web app site colleciton.  
  <add name="ADMembers"
  type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
  server="company.com"
  port="389"
  useSSL="false"
  userNameAttribute="sAMAccountName"
  userContainer="DC=company,DC=com"
  userObjectClass="person"
  userFilter="(|(ObjectCategory=group)(ObjectClass=person))"
  userDNAttribute="distinguishedName"
  scope="Subtree"
  enableSearchMethods="true"
  otherRequiredUserAttributes="sn,givenname,cn"
  />
  <add name="ADRoles"
  type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="Company.com"
  port="389"
  useSSL="false"
  groupContainer="DC=Company,DC=com"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="sAMAccountName"
  dnAttribute="distinguishedName"
  groupFilter="(ObjectClass=group)"
  userFilter="(ObjectClass=person)"
  scope="Subtree" />

• Just done a fresh install of Snow Leopard with all updates,iMac 5.1 behaves strange, sometimes I start Google Chrome and look at youtube videos the computer freezes and shuts down immediately, I believe its  related to overheating ?

  Just done a replacement of the pata DVD drive (its new and is working ok),  and a fresh clean  install of Snow Leopard with all updates, iMac 5.1 behaves strange, sometimes I start Google Chrome and look at youtube videos the computer freezes and shuts down immediately,
  I believe its  related to overheating ?
  iStat Pro shows GPU diode temp at 66 C, CPU at 48 C,  Fan rpms is around 1000
  Any ideas somebody ?
  The hard disk has been previously checked with state of the art techniques that have confirmed that the hard disk drive is in perfect condition.

  1.5-3 minute boot up as opposed to 15-20 seconds
  And
  why it takes a long time to load a lot of things.
  I have restored this
  from a time machine partition.
  TimeMachine is only a backup and restore, it won't fix issues in software and according to your information, doesn't even optimize the restore for best performance on boot hard drives.
  What you need to do to regain your speed is to understand how your machine works
  Why is my computer slow?
  Fix any and all issues in software following this list of fixes
  ..Step by Step to fix your Mac
  Then follow this defrag method I've outlined
  How to safely defrag a Mac's hard drive
  Most commonly used backup methods
  There shouldn't be need to reinstall OS X fresh unless your having file structure issues which if they are should appear when in the Steps, which then a zero erase and install will cure as well as any bad sector issues, the defrag step wouldn't be necessarry on a freshly installed system obviously as the files are written all together, not in portions all over the drive.
  Hope this assists.

• I have upgraded Snow Leopard with Combo 10.6.8, the supplemental update and fixed permissions, but still can't open app store to upgrade to Mountain Lion. I am on the Cayman Islands. Thanks for the help!

  I have upgraded Snow Leopard with Combo 10.6.8, the supplemental update and fixed permissions, but still can't open app store to upgrade to Mountain Lion. I am on the Cayman Islands. Thanks for the help!

  Don't be afraid to bump this topic. There's also an App Store forum where you might repost this question, but give some of these details in your post.  I'd rephrase the topic to something like "Can't use App Store to upgrade." (Instead of can't "open".) Then give the details.
  https://discussions.apple.com/community/mac_app_store/using_mac_apple_store

• IMac 10.6.8, Snow Leopard with iTunes 11.0.1. loss of wifi speed when connecting a Bose Sound System via bluetooth

  Hello, I have an iMac 10.6.8, Snow Leopard with iTunes 11.0.1. When connecting my Bose Sound System via bluetooth the wifi downloadspeed goes from snappy to a crawl, disconnecting the bluetooth connection, the downloadspeed goes up again. Don't have this problems with the Sound System when connecting it to my iPad. I like to mention too, that the downloadspeed of my iPad is always better than of my iMac. Are there any experiences concerning this problem? Thank you in advance.

  UPDATE - PROBLEM SOLVED!!!!!!
  You can thank me later - after an hour on the phone, I finally got through to a Senior Engineer.
  Apperently the issues lies with GRID VIEW.
  Open your Itunes, Click on TV SHOWS, then quickly change your view from GRID VIEW (Defaults to this) to List View and Viola!
  We tested it out on the phone just minutes ago, my problem is solved and I suspect if you guys try this yours will be too.

• Issue with LDAP login authentication in CMC console

  We have a existing issues with Business Objects BOE XIR2 SP2 and LDAP authentication with the BOE CMC Console.
  We use websphere as the application server and it is installed on the same machine (Solaris) as BOE.
  We have this issue on both our production and our recently rebuilt development environment to duplicate the issue.
  Both environment have configured LDAP over SSL and we can login to BOE Infoview Reports with LDAP and we can map groups and users if we login to CMC but we can not login to CMC with secLDAP.
  The specific error still being shown is "Security plugin error: Failed to set parameters on plugin".
  Both environments (DEV and PROD) are fresh installs of BOE XIR2 SP2.
  Any ideas are much appreciated
  Thankyou

  The CMC in XIR2 used com components for the SSL (rather than java like infoview) and I'm betting the WAS deployment is not finding them. Is WAS on a seperate server or is BOE installed there as well?
  I'm not familiar with any regular fixes for an issue like this. If no other replies I'd recommend opening a case with either deployment(WAS on "nix") or authentication(WAS on windows) to see if they can trace down the problem.
  Regards,
  Tim

• Automatic upload of roles from ECC to portal (UME with LDAP)

  Hi experts,
  This thread reopen the question asked on the following message : automatic upload of roles from BI to portal
  However, it concerns this time "UME with LDAP".
  Problematic :
  SAP Library 04s tells us that is not yet possible to automate role replication (or role assigment replication) from ABAP Based back-end to Netweaver Portal. Only manual process for initial upload is possible.
  Source = http://help.sap.com/saphelp_nw04s/helpdata/en/41/5e4d40ecf00272e10000000a155106/frameset.htm
  Questions :
  1 - Did anyone ever try to implement such an automatic tool ?
  2 - What if I'm not able to write on the Active Directory ? I am still able, at least, to automate role assignment replication from ABAP Based back-end to Netweaver Portal (ie. UME with LDAP) ? Directly from SAP R/3 to EP through UME, without passing through Active Directory since the group field is not maintained in AD.
  Many thanks for your inputs
  Alexis MARTIN

  Hello,
  As I did not read the previous thread I don't know what exactly you are trying to achieve, but I can tell you about what we have done - as far as it is not too late yet.
  We use the portal with integration to a BI system. In the ABAP stack we have lots of roles with menu items for hundreds of reports. We want the users to see these roles in the portal.
  First we have used the role migration tool of the portal to upload these roles. There is a Java API for executing role uploads from code. You need to create a webservice in the java stack to call this api, and can call the webservice from ABAP.
  However it is just a question of time and role size until this will not work at all. Standard role migration is more or less crap, stability is a problem. It also creates a lot of logs in the PCD and thus fills the database with trash. (After a few OSS messages there is now a program for deleting logs + you can turn of logging.) Also upload of larger roles takes up to an hour, and you alwasy have the problem that your portal roles are not up to date during the day.
  When I got completely fed up, I have implemented an own navigation connector. When you log on to the portal it will connect to the ABAP stack via RFC, load the role, and generate the portal menu from it. It uses caching, but on every logon it checks whether the role has been updated in ABAP since the last time it was loaded. It is up to date, faster then PCD navigation, and you need absoluetely no periodical synching at all. I cant even understand why this is not offered by SAP per standard!
  Drawback is that it will of course only work for the menu items, and only menu items with an "URL-type" are supported. I'm prettry sure however that it would be possible to implement a few other types as well.
  Let me know if you are interested in the solution, I can give you a few additional details: oliverDOTsvisztATwienerbergerDOTcom
  Oliver