OAM and Directory Server Interaction

I am in the middle of continued fact finding for implementing OAM. One question that has come up is how does OAM use the directory server it is configured to connect to. We would like to use AD as our authentication source but the word is Hell No if OAM is going to try to write data back into the directory server or store data in the directory server, as our AD Admins are mandating that OAM will only be given read-only, normal user level rights even if it requires write privileges and directory admin rights to function. I have searched the manuals and have yet to find a really good explanation of how it works and uses the Database Schema and Directory Server. I suspect it is read only but I need to know ahead of time so I can make everyone aware that we're going to have to run multiple directory systems due to the imposed limitation on AD access.

Anybody??? I really need help with this....

Similar Messages

  • Installing Iplanet web server and directory server behind a firewall

    When installing iplanet web server and directory server behind a firewall - should the internal ip address be used or the external ip address?

    Hello,
    When you are installing iplanet web server behind a firewall, you should use the internal ip address in the firewall.
    1. The external ip address connection to the Internet. The type of IP address used (dynamic, commonly used for standard modems, or static, commonly used for cable modems) is dictated by the ISP to which you connect and the type of service it provides.
    2. The internal ip address connection. This connection must be a static IP assignment, and it must be assigned by you.
    Obviously it depends on the type of firewall setup you have.
    Thanks
    Selva

  • Directory Server 6.3.1 and Directory Server 7.0 agent module

    Hello Folks-
    I am having a strange issue with my directory servers. I had three directory server replicas and they were all on 6.3.1 installed with the zip distribution. One of the directory servers was a vmware virtual machine running on Solaris Update 8 and after a power failure I could not start or recover the Virtual Machine itself. Long story short, I ended up installing a new DS with 7.0 version (with zip distribution). The installation went very smoothly, had no problems starting the server and creating an initial instance, top level baseDN, etc.
    I somehow unregistered the older non-working Directory Server from first server's DSCC and wanted to include this new one. So in my Directory Servers tab in DSCC, I have all three listed like this: notice the third one
    Server
    ldap1:389
    ldap2:389
    ldap3:389 (server not registered)
    So having the same host name and same instance, when I try to register an "existing server", I get the following error:
    " The DSCC agent module is not registered on host ldap3. Verify that the agent module is installed using the command dsccsetup status on host ldap3. If the agent module is installed register it using the command dsccsetup cacao-reg"
    So I went to the third host and did the following:
    # dsccsetup status
    DSCC Agent is registered in Cacao
    Cacao uses a custom port number 21162
    DSCC Registry has been created
    Path of DSCC registry is /jes/ds/dsee7/var/dscc/ads
    Port of DSCC registry is 3998
    # dsccsetup cacao-reg
    DSCC Agent is already registered.
    So what is the problem? Why can't I register my new server and create replication agreements with the others?
    Please let me know if you have more information
    Thanks.
    Deniz.

  • Unable to use SSL between Access Manager and Directory Server

    I am trying to set up Access Manager to use SSL when communicating with Directory Server. Access Manager 7 is running under Sun Web Server 6.1. I have configured Directory Server to use SSL using a Self-Signed CA and have imported the CA certificate into the certificate database for Web Server. When I change the Access Manager configuration as specified in the Admin Guide to use SSL and restart the Web Server, Access Manager fails with the message
    (among many others)
    netscape.ldap.LDAPException: SSL connection to
    eauth1.arc.nasa.gov:636, SSL_ForceHandshake failed: (-8157) Certificate extension not found. (91); Cannot
    connect to the LDAP server
    I am able to connect to the Directory Server instance with JXplorer using SSL (with a complaint about an unknown CA). Can someone explain the error message so that I can fix the problem or work around it?
    Thanks

    In the initial part of AMConfig.properties, you'll find an entry similar to trustSSLCerts. This, by default, is set to false. Try setting it to true (AM web server instance will need a restart). This lets AM continue with SSL handshaking in spite of errors. Am not sure if this affects AM to DS connectivity as well. It sure affects AM to AM communication (in a multiple server configuration).
    Naturally, it is not recommended that you use this feature when you are ready for production, but at least it'll let you be sure that apart from the cert issue, everything else is okay.
    Hope this helps.

  • CRL and Directory server

    We are running Web Proxy server (Iplanet) with reverse proxy option on Solaris 8. This will give our staff access to applications inside.
    Access is based on certificates.
    Certificates are under own control using Windows 2000 certificate server.
    We want to be able to use either the CRL or issued certificates with ACL on Proxy server. Therefore installed Directory server 5.1 (Solaris 8) to act as LDAP.
    Any ideas how I can use the CRL info for this?
    Downloading and installing CRL is possible and working.
    Main question is: How can I use the CRL info in combination with ACL on Proxy or Directory server?
    Thanks.

  • PORTAL SERVER 6.0 and Directory Server 5.1 existing

    I have one instance of sunone directory server 5.1. I want to install secure portal server 6.0 and I want to use this directory server. In the installation manual there isn't this procedure.
    When I install the portal I select the installation with existing ldap and the portal server is installed. When I started the portal server it didn't work.
    Thanks

    Go to Identity Server v5.1 documentation. It's well documented there. In two words, after you installed it this way, you have to apply 'existing.ldif' file to create ACIs and roles, then to create all services.
    Please check existing.ldif before you will apply it. Depending on your DIT, it may be quite broken. Don't forget to change ums.xml to match your schema.

  • Java and Directory server

    Dear members,
    I am recently going to start a project that will require a browser to authenticate with a directory server (Radius server). I am doing research about feasibility.
    I would like suggestions from you guys about the protocol to be used and the resources to be utilized. Please let me know any online resources if you have created or you know.
    Thanks,
    Di Ke.

    Hi,
    could you please explain what you expect from authenticating against Sun Java Directory Server?
    You do not need openldap libraries, you can link with libldap Solaris implementation, libiconv and openssl.
    Stefan

  • Installing Access Manager and Directory Server

    Can I install the Access Manager 2005Q4 without installing the directory server?
    The products selected for installation have dependency requirements or installation options as indicated below.
    Sun Java(TM) System Directory Server 5 2005Q4
    ------------------------------------------------------------------------

    Every time I click the Access Manager in the JES 2005Q4 installer the directory server would click itself. Unchecking this prompted me for a remote repository which worked.
    I wasn't able to get the install to complete with the state file, it stopped before configuring access manager.

  • Using iws4.1 and Directory Server 5.0 for authentication, is there a way to force a log off ?

    Hi,
    You can set this in "iPlanet Directory Server", to force the user to log off after a particular time. For more info. check iPlanet Directory server guide.
    Regards,
    Dakshin.

  • Setting up Access Manager and Directory Server for Failover.

    I'm setting up 2 Access Managers AM1,AM2 and 2 Directory Servers DS1 and DS2 for failover. I've connected AM1 and AM2 to DS1. Suffixes of DS1 are replicated to DS2. Any change made to AM1 is replicated to AM2 as expected. I just patched AM1 with Access Manager patch 1 and the version information for AM1 shows 7.1 126359-01. I followed the same procedure to patch AM2 but AM2 still shows ver 7.1.
    How do I make sure both Access Managers are patched to the same version?
    I'm able to authenticate to one IIS6 site and authentication is passed on to Outlook Web Access on AM1 but when I shut down AM1 to test failover to AM2 OWA prompts me again for password. How do I resolve this?
    On AM1 http://host.domain/amserver/UI/Login?realm=sso successfully logs in but the same on AM2 gives Warning that "You have already logged in. Do you want to log out and then login to a different organization?"
    Please help !!!

    I'll answer what bits I can:
    Q: AM showing the same version?
    A: No idea on this one. I would have expected the operation you described to have produced the right answer. Check that neither your application server nor your web browser are caching old pages (ctrl-F5 in my browser)
    Q: How do I resolve re-authentication on failover?
    A: The AM documentation includes a deployment example that covers pretty closely what it is you are trying to achieve:
    http://docs.sun.com/app/docs/doc/820-2278
    Specifically, the problem you are describing is related to session failover. The sessions are stored in a local DB so when you failover the backup server does not store the same information and hence requires a reauthentication. The section of the above doc that deals with this is here:
    http://docs.sun.com/app/docs/doc/820-2278/gdsre?l=en&a=view
    Q: "You have already logged in" warning
    A: No idea. Sorry.
    R

  • ISW and Directory Server 6.3. unable to sync passwords

    I thought I'd try to move on to DS6.3 and Windows Sync.
    I already have 5.3 running on another machine and all works fine.
    But, I am having a problem with the new version.
    I am getting the following error in the log files when a password change happens (AD->LDAP)
    LDAP modify operation of entry uid=andrew..failed at null. Error code: 65, reason: null
    FINE 55 CNN100 ldap2 "LDAP operation on entry uid=andrew,ou=people,dc=dcs,dc=bbk,dc=ac,dc=uk failed at ldap://ldap2:389, error(65): Object class violation." (Action ID=CNN101-11DFDD5663D-32, SN=9)
    SEVERE 55 CNN100 ldap2 "LDAP modify operation of entry uid=andrew,ou=people,dc=dcs,dc=bbk,dc=ac,dc=uk failed at null. Error code: 65, reason: null" (Action ID=CNN101-11DFDD5663D-32, SN=10)
    SEVERE 55 CNN100 ldap2 "LDAP modify operation of entry uid=andrew,ou=people,dc=dcs,dc=bbk,dc=ac,dc=uk failed at null. Error code: 65, reason: null" (Action ID=CNN101-11DFDD5663D-32, SN=10)
    The users already exist in AD and LDAP.
    # idsync resync -f sul1_sg.cfg -k
    # idsync resync -o Sun
    # idsync resync -f sul1_sg.cfg -i NEW_LINKED_USERS
    Any pointers...
    Andrew

    Thanks it gave me the version
    [dsadm]
    dsadm               : 6.3                  B2008.0311.0212 NAT
    [slapd 64-bit]
    Sun Microsystems, Inc.
    Sun-Java(tm)-System-Directory/6.3 B2008.0311.0212 64-bit
    ns-slapd            : 6.3                  B2008.0311.0212 NAT
    Slapd Library       : 6.3                  B2008.0311.0212
    Front-End Library   : 6.3                  B2008.0311.0212
    Also, the hot fix from Sun fixed my problem. All is looking good.
    Cheers
    Andrew

  • OAM 10g directory server switch

    Hi,
    I need to reinstall the OID 11g instance that OAM 10g uses for users/policies/config.
    The OID host name and port will not change and I'll load all the original OAM data into the new OID.
    I think I just need to run a script that will load all the OAM schema objects into OID.
    Can anyone tell me which script does this?
    I'm wondering if it's ds_conf_update but this may change more than I need.
    Thanks
    Darren

    Hi Darren,
    Yes, ds_conf_update is the command to do this - it is documented in the OAM 10g Installation Guide.
    Regards,
    Colin

  • Ilash and Directory Server Resource Kit 5.2

    I can't seem to find the 'ilash: the LDAP Administrative Shell' utility within the latest download of the Directory Resource Kit 5.2...
    http://docs.sun.com/app/docs/doc/816-6400-10/
    http://docs.sun.com/app/docs/doc/816-6400-10/ilash.html
    Has it been removed!?
    Cheers,
    Rob Chevalier

    Yes ilash has been removed from the DSRK for licensing issues.
    Ludovic.

  • Access Manager Failed to Connect to Directory Server

    Dear All,
    I have a problem with the Directory Server connection in Access Manager. This happened in the Production site; all applications that are integrated with Oracle Access Manager (OAM) for Single Sign On are not accessible after the Directory Server connection problem occurs in OAM. The problem only started occurring suddenly; before it, all services including OAM and Directory Server were running well. Below are the error messages that appear in the WebGate log file (ohs1.log) and OAM log file (oblog.log):
    >> OHS/WebGate (ohs1.log) :
    [2014-01-21T09:25:12.0053+07:00] OHS OHS-9999 apache2entry_web_gate.cpp host_id: <WEBGATE_HOSTNAME> [host_addr:10.10.254.178] [ecid: 004w76rlRYt0NuapxKL6iW0000sE001oGY] The host and port from the requested URL could not be found in the Policy database. Check if the corresponding directory service is up.
    >> OAM (Oblog.log):
    2014/01/15@03:12:23.833746      [30573 30606]   DB_RUNTIME      ERROR  0x000008C1      ../ldap_connection_mngr.cpp:443 "Failed to connect to directory server" lpszHost<LDAP_HOSTNAME_VIA_LOADBALANCER> port<LDAP_PORT_VIA_LOAD_BALANCER>
    OAM uses a Load Balancer between the LDAP Directory Server and OAM's components. When the error appears, there is no problem with the Load Balancer and all Directory Server services are up. There are two Directory Server servers in Multi Master Replication and 14 WebGate servers integrated with OAM. Is there a limit on the number of WebGates that can be integrated with OAM?
    I have tried to set some parameters in OAM configuration to solve this problem. I set the Maximum Connection of Directory Server parameter to 10 (in OAM Console), the LDAPOperationTimeout parameter to 1 hour and the LDAPMaxNoOfRetries parameter to 2 (in the globalparams.xml). After setting these parameters, the error did not appear for some days, but suddenly appeared again with the same error message. Maybe setting these parameters is not the appropriate solution for the problem or the values that I set are not correct. Any experience with this?
    I still don't know the root cause of this problem. Restarting all OAM services (including the WebGate) is a temporary solution when the error appears.
    Any idea for this problem?
    Thanks in advance.

    Hi Jun-Y,
    Thank you for your answer.
    What do you mean by the Directory Server's idle timeout: is it the "Idle Timeout" parameter in LDAP Client Control Settings?
    I use Oracle Directory Server Enterprise 11.1.1.5.0. Currently, the Directory Server's idle timeout parameter is set to "unlimited".
    If the idle timeout of the load balancer is set to 1 hour, it means that I must change the directory server's idle timeout to be less than 1 hour. Isn't that right?
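As an added illustration of the failure mode this thread circles around (not code from the original posts, from Oracle OAM or from ODSEE), the following Python model shows why a pooled LDAP session that sits idle longer than the load balancer's idle timeout fails on its next use, why a directory idle timeout shorter than the balancer's avoids that, and how a bounded retry (the role LDAPMaxNoOfRetries plays in globalparams.xml on the page) merely papers over it. The FakeSession and Pool classes, the timeout values and the "balancer drops silently, directory closes cleanly" assumption are constructed for the simulation, not OAM internals.

```python
"""Constructed model of an LDAP connection pool reached through a load balancer.

Assumptions, not OAM or ODSEE internals: the balancer silently drops any TCP
session idle longer than lb_idle seconds, leaving the client a half-open
socket it cannot detect until an operation fails; the directory closes
sessions idle longer than ds_idle seconds with a proper TCP close, which the
client can detect locally (EOF on the socket) before sending anything.
"""
from dataclasses import dataclass
from typing import Optional


class StaleConnectionError(Exception):
    """An operation was sent on a session the balancer had already dropped."""


@dataclass
class FakeSession:
    last_used: float
    lb_idle: float
    ds_idle: Optional[float]   # None models the thread's "unlimited" setting

    def is_open(self, now: float) -> bool:
        """Local check: a directory-side close is visible as EOF, no round trip needed."""
        return self.ds_idle is None or now - self.last_used <= self.ds_idle

    def search(self, now: float) -> str:
        """A cheap search; fails only if the balancer dropped the session silently."""
        if not self.is_open(now):
            raise ConnectionResetError("directory closed the idle session")
        if now - self.last_used > self.lb_idle:
            raise StaleConnectionError("balancer dropped the idle session")
        self.last_used = now
        return "ok"


@dataclass
class Pool:
    lb_idle: float
    ds_idle: Optional[float]
    max_retries: int = 2
    session: Optional[FakeSession] = None
    reconnects: int = 0
    stale_hits: int = 0

    def _borrow(self, now: float) -> FakeSession:
        if self.session is None or not self.session.is_open(now):
            # Clean close seen locally: reopen before sending anything.
            self.session = FakeSession(now, self.lb_idle, self.ds_idle)
            self.reconnects += 1
        return self.session

    def run(self, now: float) -> str:
        """One search with bounded retry, as a bounded LDAPMaxNoOfRetries gives."""
        for _attempt in range(self.max_retries + 1):
            sess = self._borrow(now)
            try:
                return sess.search(now)
            except StaleConnectionError:
                self.stale_hits += 1
                self.session = None   # discard the half-open socket and retry
        raise StaleConnectionError(f"gave up after {self.max_retries} retries")


def idle_timeouts_consistent(ds_idle: Optional[float], lb_idle: float) -> bool:
    """The directory must close idle sessions before the balancer drops them."""
    return ds_idle is not None and ds_idle < lb_idle


def simulate(ds_idle: Optional[float], lb_idle: float, gap: float,
             max_retries: int = 2) -> dict:
    """Open a session at t=0, let it sit idle for `gap` seconds, then use it again."""
    pool = Pool(lb_idle, ds_idle, max_retries)
    pool.run(0.0)
    try:
        result = pool.run(gap)
    except StaleConnectionError as exc:
        result = f"error: {exc}"
    return {"result": result, "reconnects": pool.reconnects,
            "stale_hits": pool.stale_hits}


if __name__ == "__main__":
    # The thread's setup: directory idle unlimited, balancer drops after 1 hour.
    print(simulate(None, 3600, gap=7200))                 # stale hit, rescued by retry
    print(simulate(None, 3600, gap=7200, max_retries=0))  # surfaces as a connect failure
    # Directory idle shorter than the balancer's: no half-open socket is ever used.
    print(simulate(1800, 3600, gap=7200))
```

The third run is the configuration the last message asks about: with the directory closing first, every reconnect happens on a clean close the client can see locally, so stale_hits stays at zero regardless of the retry count.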

  • Directory Server 5.1 and CMS 4.2 SP2

    There's a similar question on 16 January that didn't get answered.
    I realise I can configure CMS to publish certificates to an "external" DS 5.1 LDAP directory. However, I'd like to know whether there is a realistic method to make CMS use DS 5.1 for its internal database (port 38900). I don't want to build a complex mixed-version environment unless there will be no alternative for (say) the next 6-9 months.
    I have a production user directory that is being upgraded from DS 4.12 to 5.1. Our CMS system is also in production, and was upgraded to 4.2 SP2 about 6 months ago.
    Does anyone have any experiences in this area that can help me decide on an optimal way forward?

    I recommend that you read the Release Notes of DS5.2; there are some notes on Replication between 5.1 and 5.2.
    ===
    In Directory Server 5.2, the schema file 11rfc2307.ldif has been altered to conform to rfc2307. If replication is enabled between 5.2 servers and 5.1 servers, the rfc2307 schema MUST be corrected on the 5.1 servers, or replication will not work correctly.
    Workaround
    To ensure correct replication between Directory Server 5.2 and Directory Server 5.1, perform the following tasks:
    * For zip installations, remove the 10rfc2307.ldif file from the 5.1 schema directory and copy the 5.2 11rfc2307.ldif file to the 5.1 schema directory. (5.1 Directory Server Solaris packages already include this change.)
    * Copy the following files from the 5.2 schema directory into the 5.1 schema directory, overwriting the 5.1 copies of these files:
    11rfc2307.ldif, 50ns-msg.ldif, 30ns-common.ldif, 50ns-directory.ldif, 50ns-mail.ldif, 50ns-mlm.ldif, 50ns-admin.ldif, 50ns-certificate.ldif, 50ns-netshare.ldif, 50ns-legacy.ldif, and 20subscriber.ldif.
    * Restart the Directory Server 5.1 server.
    * In the Directory Server 5.2 server, set the nsslapd-schema-repl-useronly attribute under cn=config to on.
    * Configure replication on both servers.
    * Initialize the replicas.
    ===
    Also search for "migrate" or "repl" or "5.1" in Release Notes and read the relevant information.
    http://docs.sun.com/source/817-7611/index.html
    Another guide is "Installation and Migration Guide"
    http://docs.sun.com/app/docs/doc/817-7608
    HTH.
    Gary
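The file-copying steps of the release-note workaround quoted above are easy to get half-done by hand, so here is an added Python helper (not Sun's own tooling and not from the original reply) that carries out the file steps against a 5.1 schema directory and produces the LDIF for the nsslapd-schema-repl-useronly change on the 5.2 server. The directory paths, the stand-in schema files in demo() and the refusal-on-missing-file check are constructed assumptions; the file list and the attribute name come from the quoted release note. Restarting the 5.1 server, applying the LDIF with ldapmodify, configuring replication and initializing the replicas remain manual steps.

```python
"""Constructed helper for the DS 5.1 / 5.2 schema workaround quoted above.

Added example, not Sun's own tooling: it performs the file steps of the
release-note workaround (remove 10rfc2307.ldif on the 5.1 side, copy the
listed 5.2 schema files over the 5.1 copies) and writes the LDIF that sets
nsslapd-schema-repl-useronly on the 5.2 server. Restarting the 5.1 server,
applying the LDIF with ldapmodify, configuring replication and initializing
the replicas remain manual steps.
"""
import shutil
import tempfile
from pathlib import Path

# File list exactly as given in the release-note text on the page.
SCHEMA_FILES_52 = [
    "11rfc2307.ldif", "50ns-msg.ldif", "30ns-common.ldif", "50ns-directory.ldif",
    "50ns-mail.ldif", "50ns-mlm.ldif", "50ns-admin.ldif", "50ns-certificate.ldif",
    "50ns-netshare.ldif", "50ns-legacy.ldif", "20subscriber.ldif",
]
OLD_RFC2307_51 = "10rfc2307.ldif"

# Modify request for the 5.2 server's cn=config entry (apply with ldapmodify).
SCHEMA_REPL_LDIF = (
    "dn: cn=config\n"
    "changetype: modify\n"
    "replace: nsslapd-schema-repl-useronly\n"
    "nsslapd-schema-repl-useronly: on\n"
)


def missing_schema_files(schema_dir_52: Path) -> list:
    """Names from the list that are absent from the 5.2 schema directory."""
    return [n for n in SCHEMA_FILES_52 if not (schema_dir_52 / n).is_file()]


def stage_51_schema(schema_dir_52: Path, schema_dir_51: Path) -> dict:
    """Apply the file steps of the workaround to the 5.1 schema directory.

    Refuses to touch the 5.1 directory if any listed 5.2 file is missing, so a
    partial copy cannot leave the 5.1 schema half-migrated.
    """
    missing = missing_schema_files(schema_dir_52)
    if missing:
        raise FileNotFoundError(f"5.2 schema directory lacks: {missing}")
    removed = []
    old = schema_dir_51 / OLD_RFC2307_51
    if old.exists():
        old.unlink()
        removed.append(OLD_RFC2307_51)
    copied = []
    for name in SCHEMA_FILES_52:
        shutil.copy2(schema_dir_52 / name, schema_dir_51 / name)  # overwrites the 5.1 copy
        copied.append(name)
    return {"removed": removed, "copied": copied}


def write_schema_repl_ldif(out_path: Path) -> str:
    """Write the cn=config change for the 5.2 server and return its text."""
    out_path.write_text(SCHEMA_REPL_LDIF)
    return out_path.read_text()


def demo() -> dict:
    """Run the workaround against constructed stand-in schema directories."""
    with tempfile.TemporaryDirectory() as tmp:
        d52, d51 = Path(tmp, "schema-5.2"), Path(tmp, "schema-5.1")
        d52.mkdir()
        d51.mkdir()
        for name in SCHEMA_FILES_52:
            (d52 / name).write_text(f"# constructed stand-in for 5.2 {name}\n")
        (d51 / OLD_RFC2307_51).write_text("# constructed stand-in for 5.1 10rfc2307\n")
        (d51 / "50ns-mail.ldif").write_text("# stale 5.1 copy to be overwritten\n")
        staged = stage_51_schema(d52, d51)
        ldif = write_schema_repl_ldif(Path(tmp, "schema-repl.ldif"))
        # An incomplete source directory must be refused before anything changes.
        (d52 / "20subscriber.ldif").unlink()
        try:
            stage_51_schema(d52, d51)
            refused = False
        except FileNotFoundError:
            refused = True
        return {
            "staged": staged,
            "old_file_gone": not (d51 / OLD_RFC2307_51).exists(),
            "mail_overwritten": "5.2" in (d51 / "50ns-mail.ldif").read_text(),
            "ldif": ldif,
            "refused_incomplete_source": refused,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Run it against real directories by calling stage_51_schema with the 5.2 and 5.1 schema paths and write_schema_repl_ldif with an output file, then follow the remaining manual steps of the quoted workaround in order.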
