Open Directory authentication question

I have 2 Apple servers.  One is running 10.6 (server), the other is running 10.5 (server).  I have my Open Directory on the 10.6 server, and I have the 10.5 server use it via LDAP for user authentication.  What I'd like to do is to assign a home directory on the 10.5 server for users in the 10.6 Open Directory.  Any ideas?

mickey13 wrote:
I have 2 Apple servers.  One is running 10.6 (server), the other is running 10.5 (server).  I have my Open Directory on the 10.6 server, and I have the 10.5 server use it via LDAP for user authentication.  What I'd like to do is to assign a home directory on the 10.5 server for users in the 10.6 Open Directory.  Any ideas?
This should work the same way as normal.
Define the user accounts in Open Directory as normal via Workgroup Manager
On the 10.5 Server, set up a share point, usually AFP is used as the protocol, this is done in Server Admin
On the 10.5 Server, set up that share point to be an Automounted share for user home directories, this will register that share in Open Directory assuming you have already successfully connected the 10.5 Server to Open Directory system, this is also done in Server Admin
Go back to Workgroup Manager select a user account you want to store on the 10.5 server, click on the Home tab, you should now see the 10.5 share point listed as an available choice for storing home directories.
Click on the 10.5 share point and save the user account.
I normally now click on create Home directory, although this happens automatically when a user logs in for the first time.
It is perfectly ok to mix 10.5 and 10.6 servers in this manner. The client machines can also be a different version e.g. 10.4
What you are doing above, even though you are mixing 10.5 and 10.6 servers, is the same as you would do to spread the workload of user home directories across multiple servers. While handling user home directories does not cause a massive amount of CPU activity (or memory use), it does cause a significant amount of disk activity, and therefore at a certain level spreading user accounts across multiple servers is recommended.
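As an added example (not part of the original thread), the following Python builds the two attributes that the Workgroup Manager steps above end up writing into the user record, the HomeDirectory XML and the NFSHomeDirectory path, and checks that the home location is a single path component under the share rather than something that escapes it. The host fs1.example.com, the share Users at /Volumes/Data/Users, the node /LDAPv3/127.0.0.1 and the user jane are assumed names; the dscl lines are for administrators who script this instead of clicking through Workgroup Manager.

```python
"""Build and validate the Open Directory home-directory attributes that
Workgroup Manager writes when a share point is chosen on the Home tab.

Added example, not from the original thread. Assumed names: the 10.5 file
server is fs1.example.com, the automounted AFP share is "Users" stored at
/Volumes/Data/Users on that server, and the user is "jane". Runs offline."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# A home location is a single path component under the share; slashes, "..",
# or an empty value would place the home outside the share point.
_SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9._-]+$")


def home_directory_attrs(afp_url, server_share_path, name):
    """Return (HomeDirectory XML, NFSHomeDirectory path) for one user,
    mirroring what Workgroup Manager stores in the user record."""
    if name in ("", ".", "..") or not _SAFE_COMPONENT.match(name):
        raise ValueError(f"unsafe home directory component: {name!r}")
    parsed = urlparse(afp_url)
    if parsed.scheme != "afp" or not parsed.hostname:
        raise ValueError(f"expected an afp://host/share URL, got {afp_url!r}")
    home_xml = f"<home_dir><url>{afp_url}</url><path>{name}</path></home_dir>"
    # Automounted share points appear on clients under
    # /Network/Servers/<host>/<path of the share on that host>
    nfs_home = f"/Network/Servers/{parsed.hostname}{server_share_path}/{name}"
    return home_xml, nfs_home


def parse_home_directory(home_xml):
    """Parse a HomeDirectory value back into (afp_url, host, component),
    rejecting values whose <path> escapes the share."""
    root = ET.fromstring(home_xml)
    if root.tag != "home_dir":
        raise ValueError("not a home_dir element")
    url = root.findtext("url", default="")
    path = root.findtext("path", default="")
    if path in (".", "..") or not _SAFE_COMPONENT.match(path):
        raise ValueError(f"home path escapes the share point: {path!r}")
    return url, urlparse(url).hostname, path


def dscl_commands(node, name, home_xml, nfs_home):
    """The equivalent of saving the account in Workgroup Manager, as dscl
    invocations against the Open Directory node (-u/-p prompt for the
    directory administrator's password)."""
    return [
        f"dscl -u diradmin -p {node} -create /Users/{name} HomeDirectory '{home_xml}'",
        f"dscl -u diradmin -p {node} -create /Users/{name} NFSHomeDirectory '{nfs_home}'",
    ]


if __name__ == "__main__":
    xml_val, posix_val = home_directory_attrs("afp://fs1.example.com/Users",
                                              "/Volumes/Data/Users", "jane")
    print(xml_val)
    print(posix_val)
    for cmd in dscl_commands("/LDAPv3/127.0.0.1", "jane", xml_val, posix_val):
        print(cmd)
```

Run it on the server as-is to see the values; the dscl lines are printed rather than executed so they can be reviewed before touching the directory.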

Similar Messages

  • Open Directory Migration Question

    Setup:
    My company has two servers, both running 10.5.6. We are migrating from the server Fubar (xserve) as it has had a lot of problems and we want to do a fresh install on it (I was not the admin who initially set it up).
    In order to get a 'fresh' OD going, we are recreating all the accounts on the new server Edoras (powerpc mac pro), making sure to preserve UID of the users.
    Problem:
    User A cannot change his password on Edoras after Directory Utility has been changed to point at it. He can change his password locally, but it does not propagate to Edoras, nor does a password change on Edoras affect his local machine.
    The questions I haven't been able to get answers for are:
    * Should the OD search string be different on Fubar and Edoras? Currently our search string is 'dc=fubar,dc=domain,dc=com'.
    * Are there other attributes that have to be setup in OD besides UID? I noticed when using the Target tab in Workgroup Manager that there is a GeneratedUID attribute, does this need to match?
    Thanks for any information/help.

    I did something like this recently. Unfortunately I couldn't get an answer on the Internet and had to re-configure Directory Access on the client machines manually.
    I moved our system from a PowerMac G4 with several upgrades (eSATA card, eSATA Coolgear Enclosure, 7200.11 (yeah I know, bad drives to use) Seagate drives, 1.8 GHz PPC 7447 upgrade, 1.5GB of ram) to a new Mac Pro with a Highpoint RAID controller. The old G4 was very unreliable and couldn't hand
    I had to go to each machine with ARD, open Directory Access, delete the LDAP entry and re-enter it. This was really annoying and confusing for me as the old server and the new server had:
    The same version of OSX (ok, one was a PPC version and I special ordered the Intel version from Apple Tech Support), but they both were running 10.4.11 with the newest security patches.
    The same OD Search Strings
    The same IP Address for the Server
    The same DNS name for the server
    and the same user IDs and group settings
    and I still had to re-do Directory Access using the client machines. Before re-doing the Directory Access re-binding I would try to log in. The "other" icon would appear on the login window, but when I would log in with the correct username and password the login window would "shake its head" and wouldn't let me log in.
    The biggest pain was that portable directories didn't sync correctly anymore, so I had to manually back up, then delete the account, then re-bind, then re-create and restore the portable directory on each laptop manually.
    Unfortunately I do not know the unix command to change directory binding to client computers using ARD. If such a command exists it would make things much easier for you. Does anyone know if a command exists?

  • Open Directory Keychain Question

    I have set up open directory on my domain but I am having trouble with Keychain access over the network when users logging into network accounts. Whenever I log in using open directory, I can open all of my applications, however each time I log in to my user account all of my keychain passwords are reset. I can look into the user preferences file and see the keychain file, but for some reason whenever a user logs out the changes to it are lost.
    Is Keychain access supported when network mounting user folders? If so, what is the proper way to implement keychain access?


  • Open Directory Configuration Question

    I've got a Mac-Mini based server running Mountain Lion (10.8.3) and Server.app (2.2.1).  The server was migrated from Lion some weeks ago. The Server works OK, but I'm seeing odd CPU usage and fairly frequent non-specific error reports, which suggests that there are still a few odd gremlins lurking around that I'm trying to track down.  So I'm trying to find things that appear odd.  I've found one such in the reported configuration for Open Directory.
    The server is configured to be an Open Directory master, and is the only Open Directory server we have.  The panel for Open Directory in Server.app lists the single entry as follows:
    * www.2gc.org (master)
    * 10.0.1.2, 10.211.55.2, 10.37.129.2
    The first IP address is the IP address of the server on our LAN.  I have no idea what the second and third IP addresses are - they do not appear to have anything to do with any network we have configured.  They are from the "private" address space - so I'm guessing they are non-functional since we don't have a network using either with these IP ranges within them - but they must have come from somewhere.
    It is also not clear where / how these entries are set within ML.
    It may be that this is all perfectly normal, or maybe symptomatic of something that can be cleaned up. 
    Would value any thoughts.
    Thanks in advance.

    Hi Simon
    Thanks for the thoughts.  There are no other servers on the network - this is an isolated computer parked on a fixed IP with no downstream LAN - the 10.0.1.2 address is the one assigned it by the router that connects it to the outside world - but no other devices are connected to the sub-net the machine sits on: all services are provided through the fixed IP to machines accessing it directly from internet via FQDN.
    All of which makes the presence of the other two IPs curious, and apparently unnecessary.
    Good housekeeping suggests they could be removed - but it's unclear how these entries are set.  But in the interim it's good to know that the presence of these IPs is probably harmless.

  • Initial Open Directory Authentication

    So weird! Have new 10.3 server installed, configured with Open Dir Master. Put in custom path based on server IP. Now, can't authenticate to my domain. Instead of bringing over the Administrator name & password, getting error messages of invalid login info. Stopped in my tracks! Can only access NetInfo domain. Have already tried installing the software again, no luck. Help!!!

    If you haven't already reinstalled, here are some things to check:
    • Are all of the OD services running? Check in Server Admin -> Open Directory service in the sidebar -> Overview in the toolbar.
    • Is there anything suspicious in any of the server logs (Server Admin -> Open Directory -> Logs in the toolbar -> choose various logs from the View menu near the bottom of the window)?
    • Are you using Time Machine to back up the server? It apparently shuts down OD services to get a clean backup, and has sometimes had trouble restarting them afterward (although this is supposed to be better in 10.6.5)...

  • OSX 10.6 server open directory authentication

    I was wondering if there are any issues with allowing one user account to authenticate (log in) at the same time on several machines?

    This is perfectly ok to do but remember that it is possible to set an account in Workgroup Manager to only allow a single login at a time. Also, if you login to the same Network Home Directory (i.e. same account) from more than one machine at the same time then some applications do not allow or cope with two systems trying to access those files at the same time.

  • Open Directory authentication error

    Hi,
    I am trying to create a replica with 10.8 server.
    Steps:
    Create OD on server 1.
    Create Replica on server 2. All works fine
    Restore OD. Replica stops working. I get an error message saying that I cannot authenticate against diradmin on the main OD.
    What is the step to either merge the database or create a new diradmin password. This is driving me nuts!
    Thanks

    Get a working master with all your users first.
    Make sure DNS (forward and reverse) is correct from both locations.
    Then add the replica.
    There's a good chance the OD you are restoring has references to an older hostname or IP, this can break your setup.
    Depending on the size of your setup, it may be less painful not to bother restoring your old OD and just create users/groups from scratch (leaving behind the possibility of bringing in issues related to your previous OD config).
    It's a hassle, but looking for a needle in a haystack is also.

  • Use Open Directory for intranet web access

    Is it possible to tap in to Open Directory user information from other services than those built into the server? And that way use the Open Directory authentication for our own home-made service?
    We plan to setup an intranet on our OS X 10.6 server. We're still not sure whether to use one of the popular Open Source cms/portal platforms such as Drupal or maybe even WordPress.
    1. I would like to use the users accounts in our Open Directory to authenticate to the intranet. Is that possible in any way?
    2. Or does anyone know of a way to modify e.g. the built-in blog function and integrate that with another system such as Drupal or WordPress?
    I'm guessing there are blocks of code in the blog that handle user authentication. And if I keep them where they are on the server and include them in other Drupal files, it may be possible? Is the built-in blog built on an open source system like some of the other services on Mac OS X server? A system I can read about anywhere?
    +Note: The built-in blog or wiki service does not match our needs for an intranet. We need to customize it a lot to make it suit our needs.+
    3. Plan B could be to export our 100 users and passwords from Open Directory and import them in the intranet system. But as far as I know it's impossible to export the passwords. Right?
    +New users would then have to be added to both Open Directory and the separate intranet system in the future. That would be okay for working but not a perfect Plan B.+

    ryanowich wrote:
    Is it possible to tap in to Open Directory user information from other services than those built into the server?
    Yes.
    And that way use the Open Directory authentication for our own home-made service?
    Sure. I have HP OpenVMS systems that are authenticating to Mac OS X Server boxes. LDAP has a callable interface for applications written in most any active programming language, and many packages already have LDAP support.
    We plan to setup an intranet on our OS X 10.6 server. We're still not sure whether to use one of the popular Open Source cms/portal platforms such as Drupal or maybe even WordPress.
    You need to narrow your requirements and your ideas somewhat, and work toward a list of features.
    I have some discussions posted of what I went through when I ended up picking Drupal.
    1. I would like to use the users accounts in our Open Directory to authenticate to the intranet. Is that possible in any way?
    Network servers (Apache, DHCP, etc) can authenticate to LDAP, but (once granted access via DHCP and RADIUS, or analogous) clients don't usually further authenticate.
    Within Drupal, the [Drupal|http://drupal.org] module [ldapauth|http://drupal.org/node/118092] would be worth a test. That's an available connection into LDAP. (Haven't prototyped that module, though.)
    2. Or does anyone know of a way to modify e.g. the built-in blog function and integrate that with another system such as Drupal or WordPress?
    You're apparently not familiar with Drupal. You might want to learn more about it, and particularly its extensibility. Drupal can be connected to some refrigerators, if you were inclined to do so.
    I'm guessing there are blocks of code in the blog that handle user authentication. And if I keep them where they are on the server and include them in other Drupal files, it may be possible? Is the built-in blog built on an open source system like some of the other services on Mac OS X server? A system I can read about anywhere?
    Including random blocks of code isn't a strategy for success. Understanding the basics of how the pieces fit together tends to be a better strategy. For Drupal, there's always the [Drupal documentation|http://drupal.org/documentation], or the available books on the CMS. Or you can call in somebody that's done this stuff.
    +Note: The built-in blog or wiki service does not match our needs for an intranet. We need to customize it a lot to make it suit our needs.+
    The built-in services are limited, yes. I've been running Drupal on Mac OS X Server for years now.
    3. Plan B could be to export our 100 users and passwords from Open Directory and import them in the intranet system. But as far as I know it's impossible to export the passwords. Right?
    I would sincerely hope you don't get the passwords out of your authentication system. That would be bad. Cleartext passwords are bad news. You don't want that ability.
    +New users would then have to be added to both Open Directory and the separate intranet system in the future. That would be okay for working but not perfect Plan B.+
    That would be a hassle.
    And I've tested with Wordpress on Mac OS X Server, but haven't deployed it in production. I'll leave discussions of its features and capabilities to others. That written, you might try the [Wordpress web site|http://Wordpress.org], as I'd expect there would be discussions of LDAP there.
    I'd suggest determining your requirements, otherwise you're going to flail around given the number of options and alternatives here. If you have your requirements, then you have a framework to pick your tools. [Here is what I looked at when I picked Drupal|http://labs.hoffmanlabs.com/node/100].
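Added example, not from the original post or from Drupal/WordPress: the minimal version of what an LDAP-aware intranet does with Open Directory. It authenticates a user by attempting an LDAP simple bind as that user, so the intranet never holds directory passwords (the point made above about not exporting them) and only learns whether the directory accepted the credentials. The two LDAP messages are encoded and decoded by hand so the code runs with the standard library alone; a real deployment would use a maintained LDAP client, but the exchange on the wire is the same. Assumed values: directory host od.example.com on port 636 (LDAPS) and user records under cn=users,dc=od,dc=example,dc=com. Simple bind sends the password in the clear, so it is only ever done over TLS, and an empty password is refused because an LDAP bind with an empty password is an anonymous bind that "succeeds".

```python
"""Authenticate an intranet user against Open Directory with an LDAP simple bind.

Added example, not from the original thread. Encodes the BindRequest and
decodes the BindResponse with a minimal BER implementation (standard library
only); use a maintained LDAP client in production. Assumed: od.example.com,
port 636 (LDAPS), users at uid=<name>,cn=users,dc=od,dc=example,dc=com."""
import socket
import ssl

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def _ber_len(n):
    """BER definite-form length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _integer(value):
    """Non-negative INTEGER (all LDAP needs here), with a leading 0x00 when the
    top bit would otherwise be read as a sign bit."""
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def encode_bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }"""
    bind = _integer(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _integer(message_id) + _tlv(0x60, bind))


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, position after the element) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(buf):
    """Return (message_id, result_code, matched_dn, diagnostic_message)."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:  # BindResponse is [APPLICATION 1]
        raise ValueError(f"unexpected protocolOp tag {tag:#x}")
    tag, code, pos = _read_tlv(op, 0)
    if tag != 0x0A:  # resultCode is an ENUMERATED
        raise ValueError("missing resultCode")
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            matched.decode(), diag.decode())


def check_password(host, username, password,
                   base="cn=users,dc=od,dc=example,dc=com", port=636):
    """True if Open Directory accepts the user's password, False if it rejects it.
    Any other outcome (TLS failure, server error) raises instead of returning False."""
    if not username or any(c in username for c in ",=+\"\\<>;#"):
        raise ValueError("username must be a bare short name, not DN syntax")
    if not password:
        # An empty password is an anonymous bind and would come back as success.
        return False
    dn = f"uid={username},{base}"
    ctx = ssl.create_default_context()  # verifies the directory's certificate and hostname
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as conn:
        conn.sendall(encode_bind_request(1, dn, password))
        reply = conn.recv(4096)
    _, code, _, diag = decode_bind_response(reply)
    if code == LDAP_SUCCESS:
        return True
    if code == LDAP_INVALID_CREDENTIALS:
        return False
    raise RuntimeError(f"bind failed with resultCode {code}: {diag}")
```

The intranet's login handler calls check_password(host, form_username, form_password) and creates its own session on True; the directory administrator's credentials are never involved, and nothing password-shaped is stored on the web server.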

  • Ubuntu Karmic authentication against Snow leopard open directory server

    Hi,
    I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's open directory server running on an osx snow leopard server. Currently `getent passwd` shows all users including those from the open directory server when running the command as both root and normal users. However authentication against the open directory users fails with the following messages in the /var/log/auth.log:-
    Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
    Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
    (I've changed the hostname and ldap url)
    /etc/ldap.conf has:-
    base dc=server,dc=domain,dc=com
    ldap_version 3
    rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
    bind_policy soft
    pam_password md5
    /etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
    /etc/pam.d/common-passwd :-
    password sufficient pam_ldap.so md5
    password required pam_unix.so nullok obscure md5
    password optional pam_smbpass.so nullok use_authtok try_first_pass missingok
    /etc/pam.d/common-auth:-
    auth [success=2 default=ignore] pam_unix.so nullok_secure
    auth [success=1 default=ignore] pam_ldap.so use_first_pass
    auth requisite pam_deny.so
    auth required pam_permit.so
    /etc/pam.d/common-account:-
    account [success=2 newauthtokreqd=done default=ignore] pam_unix.so
    account [success=1 default=ignore] pam_ldap.so
    account requisite pam_deny.so
    account required pam_permit.so
    /etc/pam.d/common-session
    session [default=1] pam_permit.so
    session requisite pam_deny.so
    session required pam_permit.so
    session required pam_unix.so
    session optional pam_ldap.so
    session optional pam_ck_connector.so nox11
    Does anyone have any ideas where to go from here?
    Message was edited by: zebardy
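Added example, not from the post: a small linter for a PADL nss_ldap/pam_ldap ldap.conf of the kind pasted above, run on a constructed copy of that configuration (with a host line added). The checks reflect general nss_ldap practice and the fact that Open Directory user records live at uid=<name>,cn=users,<base>; the finding on the shape of rootbinddn is the first thing to look at when auth.log says "failed to bind ... Invalid credentials", and the finding on diradmin is the security problem with putting the directory administrator's password on every client in /etc/ldap.secret.

```python
"""Lint a PADL nss_ldap/pam_ldap /etc/ldap.conf for settings that make an
Open Directory client fragile or dangerous.

Added example, not from the original thread. SAMPLE_LDAP_CONF is constructed
from the post (plus a 'host' line); HARDENED_LDAP_CONF is an assumed
replacement using a dedicated read-only bind account named nssproxy."""

SAMPLE_LDAP_CONF = """\
host server.domain.com
base dc=server,dc=domain,dc=com
ldap_version 3
rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
bind_policy soft
pam_password md5
"""

HARDENED_LDAP_CONF = """\
uri ldaps://server.domain.com
base dc=server,dc=domain,dc=com
ldap_version 3
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/od-ca.pem
binddn uid=nssproxy,cn=users,dc=server,dc=domain,dc=com
bindpw <read-only-proxy-password>
bind_policy hard
"""


def parse_ldap_conf(text):
    """Key/value pairs; later lines override earlier ones, comments and blanks skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def lint_ldap_conf(conf):
    """Return a list of (severity, message) findings."""
    findings = []
    base = conf.get("base", "")
    tls = (conf.get("uri", "").startswith("ldaps://")
           or conf.get("ssl", "").lower() == "start_tls")
    if not tls:
        findings.append(("high", "no TLS: add 'ssl start_tls' (or uri ldaps://...) so "
                         "bind passwords are not sent in the clear"))
    elif conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append(("high", "tls_checkpeer is not 'yes': the directory's certificate "
                         "is never verified, so a spoofed server could collect credentials"))
    for key in ("rootbinddn", "binddn"):
        dn = conf.get(key)
        if not dn:
            continue
        rdn, _, parent = dn.partition(",")
        attr, _, name = rdn.partition("=")
        # Open Directory user records: uid=<name>,cn=users,<base>
        if attr.lower() != "uid" or parent.lower() != f"cn=users,{base}".lower():
            findings.append(("high", f"{key} {dn!r} does not name an Open Directory user "
                             f"record (expected uid=<name>,cn=users,{base}), so the bind "
                             "fails with invalidCredentials"))
        if name.lower() == "diradmin":
            findings.append(("high", f"{key} is the directory administrator: the client "
                             "stores a credential that can rewrite the whole directory; "
                             "use a dedicated read-only bind account"))
    if conf.get("bind_policy", "hard").lower() == "soft":
        findings.append(("low", "bind_policy soft: lookups fail fast when the directory is "
                         "unreachable, which hides outages on servers"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_ldap_conf(parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print(f"[{severity}] {message}")
```

Running it on the posted configuration yields three high findings (no TLS, a rootbinddn that is not an Open Directory user DN, and the directory administrator as the bind identity) and one low one; the hardened variant yields none.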

    Hi
    It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
    You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
    An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
    Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
    http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
    Page 55 onwards.
    From Page 64:
    "The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
    If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
    HTH?
    Tony

  • Authentication Delays / Slow Authentication for Open Directory Users

    I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
    The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
    * On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
    * In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
    * On a remote computer, sharing the screen using an Open Directory user takes several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
    * Connecting with AFP takes several seconds when using an Open Directory login
    * On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
    * Connecting with SSH does NOT exhibit the behavior
    In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
    The history of the problem:
    Used Tiger Server for over a year = no problems
    Clean install of Leopard Server 10.5.0 back in October = no problems
    Update to Leopard Server 10.5.1 = no problems
    Then, all of a sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
    So in desperation I backed up and did a clean install today. Here's the process I used:
    0. Erase the disk
    1. Install Leopard Server 10.5.0 from the install DVD
    2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
    3. Reboot
    4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
    5. Reboot
    6. Configure DNS (see below for detailed configuration)
    7. Reboot
    8. Change role to Open Directory Master
    9. Reboot
    ... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
    I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
    == Basic Configuration ==
    OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
    Services Enabled:
    DNS
    Open Directory
    (All other services are not yet enabled)
    == DNS Setup ==
    Primary Zone: mydomain.private.
    Allows zone transfer: no
    Nameservers: ns.mydomain.private.
    myserver (Machine) 10.0.22.201
    ns (Alias) myserver.mydomain.private.
    Reverse Zone: 22.0.10.in-addr.arpa.
    10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
    Accept recursive queries from the following networks:
    localnets
    Forwarder IP Addresses:
    208.67.222.222
    208.67.220.220
    == Open Directory Setup ==
    Role: Open Directory Master
    LDAP Search Base: dc=myserver,dc=mydomain,dc=private
    Kerberos Realm: myserver.mydomain.private
    == Network Configuration ==
    Configure: Manually
    IP Address: 10.0.22.201
    Subnet Mask: 255.255.255.0
    Router: 10.0.22.1
    DNS Server: 127.0.0.1
    Search Domains: mydomain.private
    == Other Stuff ==
    Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
    I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
    I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
    Hopefully one of the gurus out there will be able to help me out.
    Thanks,
    jeff

    I gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below) but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principals in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
    == kdc.log ==
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    == slapd.log ==
    Dec 30 18:21:48 myserver slapd[36]: <= bdb_substring_candidates: (authAuthority) index_param failed (18)
    Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
    == sudo klist -k ==
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 cifs/[email protected]
    3 cifs/[email protected]
    3 cifs/[email protected]
    3 ldap/[email protected]
    3 ldap/[email protected]
    3 ldap/[email protected]
    3 xgrid/[email protected]
    3 xgrid/[email protected]
    3 xgrid/[email protected]
    3 vpn/[email protected]
    3 vpn/[email protected]
    3 vpn/[email protected]
    3 ipp/[email protected]
    3 ipp/[email protected]
    3 ipp/[email protected]
    3 xmpp/[email protected]
    3 xmpp/[email protected]
    3 xmpp/[email protected]
    3 XMPP/[email protected]
    3 XMPP/[email protected]
    3 XMPP/[email protected]
    3 host/[email protected]
    3 host/[email protected]
    3 host/[email protected]
    3 smtp/[email protected]
    3 smtp/[email protected]
    3 smtp/[email protected]
    3 nfs/[email protected]
    3 nfs/[email protected]
    3 nfs/[email protected]
    3 http/[email protected]
    3 http/[email protected]
    3 http/[email protected]
    3 HTTP/[email protected]
    3 HTTP/[email protected]
    3 HTTP/[email protected]
    3 pop/[email protected]
    3 pop/[email protected]
    3 pop/[email protected]
    3 imap/[email protected]
    3 imap/[email protected]
    3 imap/[email protected]
    3 ftp/[email protected]
    3 ftp/[email protected]
    3 ftp/[email protected]
    3 afpserver/[email protected]
    3 afpserver/[email protected]
    3 afpserver/[email protected]
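Added example, not from the post: the log correlation a responder would run over the kdc.log, slapd.log and klist -k output above. The inputs are constructed from the post (timestamps, etypes and error text as posted), with the keytab listing abbreviated and the principal names assumed, since the principal names in the post are not legible on this page. The code measures the gap between the AS_REQ (the password check) and the TGS_REQ for the ldap service, separates the LKDC (local KDC) keytab entries from those of the Open Directory realm, and checks whether the service principal the client asked for is present in the keytab. If it is present and slapd still reports "No principal in keytab matches desired name", then slapd is deriving a different service name from its own hostname than the one in the client's ticket, which is where to look next.

```python
"""Correlate kdc.log, slapd.log and `klist -k` output for a slow Open
Directory authentication.

Added example, not from the original thread. The three inputs below are
constructed from the post: timestamps, etypes and error text as posted,
keytab listing abbreviated, principal names assumed."""
import re
from datetime import datetime

KDC_LOG = """\
Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, diradmin@MYSERVER.MYDOMAIN.PRIVATE for krbtgt/MYSERVER.MYDOMAIN.PRIVATE@MYSERVER.MYDOMAIN.PRIVATE
Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, diradmin@MYSERVER.MYDOMAIN.PRIVATE for ldap/myserver.mydomain.private@MYSERVER.MYDOMAIN.PRIVATE
"""

SLAPD_LOG = """\
Dec 30 18:21:48 myserver slapd[36]: <= bdb_substring_candidates: (authAuthority) index_param failed (18)
Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
"""

KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
   3 ldap/myserver.mydomain.private@MYSERVER.MYDOMAIN.PRIVATE
   3 ldap/myserver.mydomain.private@MYSERVER.MYDOMAIN.PRIVATE
   3 ldap/myserver.mydomain.private@MYSERVER.MYDOMAIN.PRIVATE
   3 host/myserver.mydomain.private@MYSERVER.MYDOMAIN.PRIVATE
"""

_KDC_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
                     r"(AS_REQ|TGS_REQ) .*, (\S+) for (\S+)\s*$")
_SLAPD_KEYTAB_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: SASL "
                              r"\[conn=(\d+)\] Failure: GSSAPI Error: .*"
                              r"No principal in keytab matches desired name")


def _ts(text):
    """Syslog timestamp without a year; good enough for intra-day deltas."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def parse_kdc_log(text):
    """ISSUE lines as dicts: time, type (AS_REQ/TGS_REQ), client, service."""
    events = []
    for line in text.splitlines():
        m = _KDC_RE.match(line)
        if m:
            events.append({"time": _ts(m.group(1)), "type": m.group(2),
                           "client": m.group(3), "service": m.group(4)})
    return events


def parse_klist(text):
    """Distinct principals from `klist -k` (one line per enctype, so repeats are normal)."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+)$", line)
        if m:
            principals.add(m.group(1))
    return principals


def parse_slapd_keytab_failures(text):
    """(time, conn id) for each GSSAPI 'No principal in keytab' failure."""
    return [(_ts(m.group(1)), int(m.group(2)))
            for m in map(_SLAPD_KEYTAB_RE.match, text.splitlines()) if m]


def auth_duration_seconds(events):
    """Seconds from the first AS_REQ (password check) to the last TGS_REQ (service ticket)."""
    as_req = [e["time"] for e in events if e["type"] == "AS_REQ"]
    tgs_req = [e["time"] for e in events if e["type"] == "TGS_REQ"]
    if not as_req or not tgs_req:
        return None
    return (max(tgs_req) - min(as_req)).total_seconds()


def diagnose(kdc_text, slapd_text, klist_text):
    events = parse_kdc_log(kdc_text)
    keytab = parse_klist(klist_text)
    # LKDC:... entries belong to the machine's local KDC, not the OD realm
    od_keytab = {p for p in keytab if not p.split("@")[-1].startswith("LKDC:")}
    requested = {e["service"] for e in events if e["type"] == "TGS_REQ"}
    return {
        "auth_seconds": auth_duration_seconds(events),
        "requested_services": sorted(requested),
        "missing_from_keytab": sorted(requested - od_keytab),
        "slapd_keytab_failures": len(parse_slapd_keytab_failures(slapd_text)),
        "od_service_principals": sorted(od_keytab),
    }


if __name__ == "__main__":
    for key, value in diagnose(KDC_LOG, SLAPD_LOG, KLIST_OUTPUT).items():
        print(f"{key}: {value}")
```

On the posted data this reports a 4 second gap, the requested ldap/ principal present in the keytab, and one slapd keytab failure on conn=20; swap in the real log files and the function tells you which principal name, if any, the client is asking for that the server does not have.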

  • How can I get authentication and authorization through OS X open directory with the Sun ZFS STOR ZS3-2

    how can I get authentication and authorization through OS X open directory with the Sun ZFS STOR ZS3-2
    I have configured NFS. I need help configuring the share that I created in the Sun ZFS STOR ZS3-2 to connect with the OS X Open Directory

    Hi,
        You may try checking the help page for LDAP configuration:
    https://<Appliance_IP>:215/wiki/index.php/Configuration:Services:LDAP
    ZFS Storage supports LDAP, NIS, and AD as directory services.
    Hopefully Open Directory is also based on LDAP and may work in a similar fashion.
    Thanks
    Nitin

  • RoundCube Webmail Authenticating against Open Directory on Mountain Lion 10.8.x

    Hello all,
    I've been battling this issue for over a month with no success. Here is what we got:
    Mac Mini Server running Mountain Lion Server 10.8.2 running Calendar, Contacts, Mail and Web services.
    With there being no webmail present I've gone thru the process of installing RoundCube.
    I'm using Postgres as the database.
    When I test the ability to login I get the following error messages in the console.app
    10/12/12 10:13:27.071 AM log[182]: auth: Error: od(andrew,::1): Authentication server failed to complete the requested operation.
    10/12/12 10:13:27.071 AM log[182]: auth: Error: od(andrew,::1): authentication failed for user=andrew, method=DIGEST-MD5
    The first line I find the most interesting but have had no success determining exactly what it means.
    I'm using open directory to authenticate and it is working perfectly with every other service so I'm led to believe it's an issue between RoundCube and Open Directory.
    ANY help would be appreciated immensely!
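    The two console lines quoted above are worth reading as a pair: the first says the directory (Open Directory, behind Dovecot's `od` backend) could not complete the operation at all, the second records the resulting failure for user `andrew` with method `DIGEST-MD5`. That pattern is different from the one an operator really wants to catch in the same log, namely many wrong passwords for many usernames from one client. The script below is an added example (not code from the original post or from Apple/Roundcube): it parses lines in the `od(<user>,<ip>): <message>` format seen above, pairs each failure with a preceding "Authentication server failed" error from the same user and client to separate backend/mechanism problems from credential failures, and flags any client IP that fails against several distinct usernames. The extra sample lines, the address 203.0.113.7 and the threshold of three users are constructed for the example.

```python
"""Triage Dovecot 'od' (Open Directory) auth errors from OS X Server console lines.

Added example; not code from the original post. The line format is taken from
the two lines quoted in the thread, the additional sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the two lines from the post plus made-up follow-ups.
# 203.0.113.7 is an RFC 5737 documentation address, not a real client.
SAMPLE_LOG = """\
10/12/12 10:13:27.071 AM log[182]: auth: Error: od(andrew,::1): Authentication server failed to complete the requested operation.
10/12/12 10:13:27.071 AM log[182]: auth: Error: od(andrew,::1): authentication failed for user=andrew, method=DIGEST-MD5
10/12/12 10:14:02.310 AM log[182]: auth: Error: od(andrew,::1): Authentication server failed to complete the requested operation.
10/12/12 10:14:02.310 AM log[182]: auth: Error: od(andrew,::1): authentication failed for user=andrew, method=DIGEST-MD5
10/12/12 10:20:11.004 AM log[182]: auth: Error: od(admin,203.0.113.7): authentication failed for user=admin, method=PLAIN
10/12/12 10:20:12.118 AM log[182]: auth: Error: od(root,203.0.113.7): authentication failed for user=root, method=PLAIN
10/12/12 10:20:13.250 AM log[182]: auth: Error: od(test,203.0.113.7): authentication failed for user=test, method=PLAIN
10/12/12 10:20:14.377 AM log[182]: auth: Error: od(andrew,203.0.113.7): authentication failed for user=andrew, method=PLAIN
"""

# "od(<user>,<client ip>): <message>" -- the ip may be IPv6 (::1), so match up to ')'.
EVENT_RE = re.compile(r"auth: Error: od\((?P<user>[^,]+),(?P<ip>[^)]+)\): (?P<msg>.*)$")
FAILED_RE = re.compile(r"authentication failed for user=(?P<user>\S+), method=(?P<method>\S+)")
SERVER_ERROR = "Authentication server failed to complete the requested operation."


def parse_events(text):
    """Return one dict per recognised line; kind is 'failed' or 'server_error'."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        failed = FAILED_RE.match(msg)
        if failed:
            events.append({"user": m.group("user"), "ip": m.group("ip"),
                           "kind": "failed", "method": failed.group("method")})
        elif msg == SERVER_ERROR:
            events.append({"user": m.group("user"), "ip": m.group("ip"),
                           "kind": "server_error", "method": None})
    return events


def triage(events, spray_threshold=3):
    """Separate backend errors from credential failures and flag spraying sources.

    A 'failed' event for (user, ip) that is matched one-for-one by a
    'server_error' from the same (user, ip) is treated as the directory being
    unable to complete the request (e.g. for the SASL mechanism in use), not as
    a wrong password. A client ip that fails against >= spray_threshold distinct
    users is reported as a password-spraying source.
    """
    failed = [e for e in events if e["kind"] == "failed"]
    errors = [e for e in events if e["kind"] == "server_error"]

    failures_by_method = Counter(e["method"] for e in failed)
    server_errors_by_user = Counter(e["user"] for e in errors)

    failed_per_peer = Counter((e["user"], e["ip"]) for e in failed)
    errors_per_peer = Counter((e["user"], e["ip"]) for e in errors)
    methods_per_peer = defaultdict(set)
    for e in failed:
        methods_per_peer[(e["user"], e["ip"])].add(e["method"])

    # Every failure for this peer has a matching backend error: mechanism/backend issue.
    backend_errors = {
        f"{user}@{ip}": sorted(methods_per_peer[(user, ip)])
        for (user, ip), n in failed_per_peer.items()
        if errors_per_peer[(user, ip)] >= n
    }

    # One source trying many different usernames is the spraying signature.
    users_by_ip = defaultdict(set)
    for e in failed:
        users_by_ip[e["ip"]].add(e["user"])
    spray_sources = sorted(ip for ip, users in users_by_ip.items()
                           if len(users) >= spray_threshold)

    return {
        "failures_by_method": dict(failures_by_method),
        "server_errors_by_user": dict(server_errors_by_user),
        "backend_errors": backend_errors,
        "spray_sources": spray_sources,
    }


if __name__ == "__main__":
    for key, value in triage(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample the two `andrew` attempts from `::1` come out under `backend_errors` (both failures are paired with a server error, method DIGEST-MD5), while `203.0.113.7` is reported as a spraying source because it fails against four different accounts with PLAIN. Feed it real lines with `parse_events(open(path).read())`; the pairing heuristic only works because the backend error is logged for the same user and client as the failure, which is how the two quoted lines appear.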

    Sorry about taking so long to get back on here working on this. I've switched over to MySQL. I had a hard time because mysql.sock was located under /tmp/ rather than /var/mysql/ but I fixed that by using the following command:
    sudo ln -s /tmp/mysql.sock /var/mysql/mysql.sock
    Then I reinstalled roundcube. Here is my main.inc.php file:
    <?php
    /*
     +-----------------------------------------------------------------------+
     | Main configuration file                                               |
     |                                                                       |
     | This file is part of the Roundcube Webmail client                     |
     | Copyright (C) 2005-2011, The Roundcube Dev Team                       |
     |                                                                       |
     | Licensed under the GNU General Public License version 3 or            |
     | any later version with exceptions for skins & plugins.                |
     | See the README file for a full license statement.                     |
     |                                                                       |
     +-----------------------------------------------------------------------+
    */
    $rcmail_config = array();
    // LOGGING/DEBUGGING
    // system error reporting: 1 = log; 2 = report (not implemented yet), 4 = show, 8 = trace
    $rcmail_config['debug_level'] = 1;
    // log driver:  'syslog' or 'file'.
    $rcmail_config['log_driver'] = 'file';
    // date format for log entries
    // (read http://php.net/manual/en/function.date.php for all format characters) 
    $rcmail_config['log_date_format'] = 'd-M-Y H:i:s O';
    // Syslog ident string to use, if using the 'syslog' log driver.
    $rcmail_config['syslog_id'] = 'roundcube';
    // Syslog facility to use, if using the 'syslog' log driver.
    // For possible values see installer or http://php.net/manual/en/function.openlog.php
    $rcmail_config['syslog_facility'] = LOG_USER;
    // Log sent messages to <log_dir>/sendmail or to syslog
    $rcmail_config['smtp_log'] = true;
    // Log successful logins to <log_dir>/userlogins or to syslog
    $rcmail_config['log_logins'] = false;
    // Log session authentication errors to <log_dir>/session or to syslog
    $rcmail_config['log_session'] = false;
    // Log SQL queries to <log_dir>/sql or to syslog
    $rcmail_config['sql_debug'] = false;
    // Log IMAP conversation to <log_dir>/imap or to syslog
    $rcmail_config['imap_debug'] = false;
    // Log LDAP conversation to <log_dir>/ldap or to syslog
    $rcmail_config['ldap_debug'] = false;
    // Log SMTP conversation to <log_dir>/smtp or to syslog
    $rcmail_config['smtp_debug'] = false;
    // IMAP
    // the mail host chosen to perform the log-in
    // leave blank to show a textbox at login, give a list of hosts
    // to display a pulldown menu or set one host as string.
    // To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
    // Supported replacement variables:
    // %n - http hostname ($_SERVER['SERVER_NAME'])
    // %d - domain (http hostname without the first part)
    // %s - domain name after the '@' from e-mail address provided at login screen
    // For example %n = mail.domain.tld, %d = domain.tld
    $rcmail_config['default_host'] = 'localhost';
    // TCP port used for IMAP connections
    $rcmail_config['default_port'] = 143;
    // IMAP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
    // best server supported one)
    $rcmail_config['imap_auth_type'] = null;
    // If you know your imap's folder delimiter, you can specify it here.
    // Otherwise it will be determined automatically
    $rcmail_config['imap_delimiter'] = null;
    // If IMAP server doesn't support NAMESPACE extension, but you're
    // using shared folders or personal root folder is non-empty, you'll need to
    // set these options. All can be strings or arrays of strings.
    // Folders need to be ended with directory separator, e.g. "INBOX."
    // (special directory "~" is an exception to this rule)
    // These can be used also to overwrite server's namespaces
    $rcmail_config['imap_ns_personal'] = null;
    $rcmail_config['imap_ns_other']    = null;
    $rcmail_config['imap_ns_shared']   = null;
    // By default IMAP capabilities are read after connection to IMAP server
    // In some cases, e.g. when using IMAP proxy, there's a need to refresh the list
    // after login. Set to True if you've got this case.
    $rcmail_config['imap_force_caps'] = false;
    // By default list of subscribed folders is determined using LIST-EXTENDED
    // extension if available. Some servers (dovecot 1.x) return wrong results
    // for shared namespaces in this case. http://trac.roundcube.net/ticket/1486225
    // Enable this option to force LSUB command usage instead.
    $rcmail_config['imap_force_lsub'] = false;
    // Some server configurations (e.g. Courier) don't list folders in all namespaces
    // Enable this option to force listing of folders in all namespaces
    $rcmail_config['imap_force_ns'] = false;
    // IMAP connection timeout, in seconds. Default: 0 (no limit)
    $rcmail_config['imap_timeout'] = 0;
    // Optional IMAP authentication identifier to be used as authorization proxy
    $rcmail_config['imap_auth_cid'] = null;
    // Optional IMAP authentication password to be used for imap_auth_cid
    $rcmail_config['imap_auth_pw'] = null;
    // Type of IMAP indexes cache. Supported values: 'db', 'apc' and 'memcache'.
    $rcmail_config['imap_cache'] = null;
    // Enables messages cache. Only 'db' cache is supported.
    $rcmail_config['messages_cache'] = false;
    // SMTP
    // SMTP server host (for sending mails).
    // To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
    // If left blank, the PHP mail() function is used
    // Supported replacement variables:
    // %h - user's IMAP hostname
    // %n - http hostname ($_SERVER['SERVER_NAME'])
    // %d - domain (http hostname without the first part)
    // %z - IMAP domain (IMAP hostname without the first part)
    // For example %n = mail.domain.tld, %d = domain.tld
    $rcmail_config['smtp_server'] = 'localhost';
    // SMTP port (default is 25; use 587 for STARTTLS or 465 for the
    // deprecated SSL over SMTP (aka SMTPS))
    $rcmail_config['smtp_port'] = 25;
    // SMTP username (if required) if you use %u as the username Roundcube
    // will use the current username for login
    $rcmail_config['smtp_user'] = '';
    // SMTP password (if required) if you use %p as the password Roundcube
    // will use the current user's password for login
    $rcmail_config['smtp_pass'] = '';
    // SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
    // best server supported one)
    $rcmail_config['smtp_auth_type'] = '';
    // Optional SMTP authentication identifier to be used as authorization proxy
    $rcmail_config['smtp_auth_cid'] = null;
    // Optional SMTP authentication password to be used for smtp_auth_cid
    $rcmail_config['smtp_auth_pw'] = null;
    // SMTP HELO host
    // Hostname to give to the remote server for SMTP 'HELO' or 'EHLO' messages
    // Leave this blank and you will get the server variable 'server_name' or
    // localhost if that isn't defined.
    $rcmail_config['smtp_helo_host'] = '';
    // SMTP connection timeout, in seconds. Default: 0 (no limit)
    $rcmail_config['smtp_timeout'] = 0;
    // SYSTEM
    // THIS OPTION WILL ALLOW THE INSTALLER TO RUN AND CAN EXPOSE SENSITIVE CONFIG DATA.
    // ONLY ENABLE IT IF YOU'RE REALLY SURE WHAT YOU'RE DOING!
    $rcmail_config['enable_installer'] = false;
    // provide an URL where a user can get support for this Roundcube installation
    // PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
    $rcmail_config['support_url'] = 'http://www.crawfordworks.ca/contact';
    // replace Roundcube logo with this image
    // specify an URL relative to the document root of this Roundcube installation
    $rcmail_config['skin_logo'] = null;
    // automatically create a new Roundcube user when log-in the first time.
    // a new user will be created once the IMAP login succeeds.
    // set to false if only registered users can use this service
    $rcmail_config['auto_create_user'] = true;
    // use this folder to store log files (must be writeable for apache user)
    // This is used by the 'file' log driver.
    $rcmail_config['log_dir'] = 'logs/';
    // use this folder to store temp files (must be writeable for apache user)
    $rcmail_config['temp_dir'] = 'temp/';
    // lifetime of message cache
    // possible units: s, m, h, d, w
    $rcmail_config['message_cache_lifetime'] = '10d';
    // enforce connections over https
    // with this option enabled, all non-secure connections will be redirected.
    // set the port for the ssl connection as value of this option if it differs from the default 443
    $rcmail_config['force_https'] = false;
    // tell PHP that it should work as under secure connection
    // even if it doesn't recognize it as secure ($_SERVER['HTTPS'] is not set)
    // e.g. when you're running Roundcube behind a https proxy
    // this option is mutually exclusive to 'force_https' and only either one of them should be set to true.
    $rcmail_config['use_https'] = false;
    // Allow browser-autocompletion on login form.
    // 0 - disabled, 1 - username and host only, 2 - username, host, password
    $rcmail_config['login_autocomplete'] = 0;
    // Forces conversion of logins to lower case.
    // 0 - disabled, 1 - only domain part, 2 - domain and local part.
    // If users authentication is not case-sensitive this must be enabled.
    // After enabling it all user records need to be updated, e.g. with query:
    // UPDATE users SET username = LOWER(username);
    $rcmail_config['login_lc'] = 0;
    // Includes should be interpreted as PHP files
    $rcmail_config['skin_include_php'] = false;
    // display software version on login screen
    $rcmail_config['display_version'] = false;
    // Session lifetime in minutes
    // must be greater than 'keep_alive'/60
    $rcmail_config['session_lifetime'] = 10;
    // session domain: .example.org
    $rcmail_config['session_domain'] = '';
    // session name. Default: 'roundcube_sessid'
    $rcmail_config['session_name'] = null;
    // Backend to use for session storage. Can either be 'db' (default) or 'memcache'
    // If set to memcache, a list of servers need to be specified in 'memcache_hosts'
    // Make sure the Memcache extension (http://pecl.php.net/package/memcache) version >= 2.0.0 is installed
    $rcmail_config['session_storage'] = 'db';
    // Use these hosts for accessing memcached
    // Define any number of hosts in the form of hostname:port or unix:///path/to/sock.file
    $rcmail_config['memcache_hosts'] = null; // e.g. array( 'localhost:11211', '192.168.1.12:11211', 'unix:///var/tmp/memcached.sock' );
    // check client IP in session authorization
    $rcmail_config['ip_check'] = false;
    // check referer of incoming requests
    $rcmail_config['referer_check'] = false;
    // X-Frame-Options HTTP header value sent to prevent from Clickjacking.
    // Possible values: sameorigin|deny. Set to false in order to disable sending them
    $rcmail_config['x_frame_options'] = 'sameorigin';
    // this key is used to encrypt the users imap password which is stored
    // in the session record (and the client cookie if remember password is enabled).
    // please provide a string of exactly 24 chars.
    // NOTE: this key has been published along with this config; anyone who
    // also obtains a session record or cookie can recover the IMAP password
    // it protects, so generate a fresh 24-character key before using this file.
    $rcmail_config['des_key'] = 'Qw4jLYQK+MyNLPIRmON7Lq+Z';
    // Automatically add this domain to user names for login
    // Only for IMAP servers that require full e-mail addresses for login
    // Specify an array with 'host' => 'domain' values to support multiple hosts
    // Supported replacement variables:
    // %h - user's IMAP hostname
    // %n - http hostname ($_SERVER['SERVER_NAME'])
    // %d - domain (http hostname without the first part)
    // %z - IMAP domain (IMAP hostname without the first part)
    // For example %n = mail.domain.tld, %d = domain.tld
    $rcmail_config['username_domain'] = '';
    // This domain will be used to form e-mail addresses of new users
    // Specify an array with 'host' => 'domain' values to support multiple hosts
    // Supported replacement variables:
    // %h - user's IMAP hostname
    // %n - http hostname ($_SERVER['SERVER_NAME'])
    // %d - domain (http hostname without the first part)
    // %z - IMAP domain (IMAP hostname without the first part)
    // For example %n = mail.domain.tld, %d = domain.tld
    $rcmail_config['mail_domain'] = '';
    // Password charset.
    // Use it if your authentication backend doesn't support UTF-8.
    // Defaults to ISO-8859-1 for backward compatibility
    $rcmail_config['password_charset'] = 'ISO-8859-1';
    // How many seconds must pass between emails sent by a user
    $rcmail_config['sendmail_delay'] = 0;
    // Maximum number of recipients per message. Default: 0 (no limit)
    $rcmail_config['max_recipients'] = 0;
    // Maximum allowed number of members of an address group. Default: 0 (no limit)
    // If 'max_recipients' is set this value should be less or equal
    $rcmail_config['max_group_members'] = 0;
    // add this user-agent to message headers when sending
    $rcmail_config['useragent'] = 'Roundcube Webmail/'.RCMAIL_VERSION;
    // use this name to compose page titles
    $rcmail_config['product_name'] = 'Tri Innovations Webmail';
    // try to load host-specific configuration
    // see http://trac.roundcube.net/wiki/Howto_Config for more details
    $rcmail_config['include_host_config'] = false;
    // path to a text file which will be added to each sent message
    // paths are relative to the Roundcube root folder
    $rcmail_config['generic_message_footer'] = '';
    // path to a text file which will be added to each sent HTML message
    // paths are relative to the Roundcube root folder
    $rcmail_config['generic_message_footer_html'] = '';
    // add a received header to outgoing mails containing the creators IP and hostname
    $rcmail_config['http_received_header'] = false;
    // Whether or not to encrypt the IP address and the host name
    // these could, in some circles, be considered as sensitive information;
    // however, for the administrator, these could be invaluable help
    // when tracking down issues.
    $rcmail_config['http_received_header_encrypt'] = false;
    // This string is used as a delimiter for message headers when sending
    // a message via mail() function. Leave empty for auto-detection
    $rcmail_config['mail_header_delimiter'] = NULL;
    // number of chars allowed for line when wrapping text.
    // text wrapping is done when composing/sending messages
    $rcmail_config['line_length'] = 72;
    // send plaintext messages as format=flowed
    $rcmail_config['send_format_flowed'] = true;
    // don't allow these settings to be overridden by the user
    $rcmail_config['dont_override'] = array();
    // Set identities access level:
    // 0 - many identities with possibility to edit all params
    // 1 - many identities with possibility to edit all params but not email address
    // 2 - one identity with possibility to edit all params
    // 3 - one identity with possibility to edit all params but not email address
    $rcmail_config['identities_level'] = 0;
    // Mimetypes supported by the browser.
    // attachments of these types will open in a preview window
    // either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
    $rcmail_config['client_mimetypes'] = null;  # null == default
    // mime magic database
    $rcmail_config['mime_magic'] = '/usr/share/misc/magic';
    // path to imagemagick identify binary
    $rcmail_config['im_identify_path'] = null;
    // path to imagemagick convert binary
    $rcmail_config['im_convert_path'] = null;
    // maximum size of uploaded contact photos in pixel
    $rcmail_config['contact_photo_size'] = 160;
    // Enable DNS checking for e-mail address validation
    $rcmail_config['email_dns_check'] = false;
    // PLUGINS
    // List of active plugins (in plugins/ directory)
    $rcmail_config['plugins'] = array();
    // USER INTERFACE
    // default messages sort column. Use empty value for default server's sorting,
    // or 'arrival', 'date', 'subject', 'from', 'to', 'fromto', 'size', 'cc'
    $rcmail_config['message_sort_col'] = '';
    // default messages sort order
    $rcmail_config['message_sort_order'] = 'DESC';
    // These cols are shown in the message list. Available cols are:
    // subject, from, to, fromto, cc, replyto, date, size, status, flag, attachment, 'priority'
    $rcmail_config['list_cols'] = array('subject', 'status', 'fromto', 'date', 'size', 'flag', 'attachment');
    // the default locale setting (leave empty for auto-detection)
    // RFC1766 formatted language name like en_US, de_DE, de_CH, fr_FR, pt_BR
    $rcmail_config['language'] = null;
    // use this format for date display (date or strftime format)
    $rcmail_config['date_format'] = 'Y-m-d';
    // give this choice of date formats to the user to select from
    $rcmail_config['date_formats'] = array('Y-m-d', 'd-m-Y', 'Y/m/d', 'm/d/Y', 'd/m/Y', 'd.m.Y', 'j.n.Y');
    // use this format for time display (date or strftime format)
    $rcmail_config['time_format'] = 'H:i';
    // give this choice of time formats to the user to select from
    $rcmail_config['time_formats'] = array('G:i', 'H:i', 'g:i a', 'h:i A');
    // use this format for short date display (derived from date_format and time_format)
    $rcmail_config['date_short'] = 'D H:i';
    // use this format for detailed date/time formatting (derived from date_format and time_format)
    $rcmail_config['date_long'] = 'Y-m-d H:i';
    // store draft message is this mailbox
    // leave blank if draft messages should not be stored
    // NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
    $rcmail_config['drafts_mbox'] = 'Drafts';
    // store spam messages in this mailbox
    // NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
    $rcmail_config['junk_mbox'] = 'Junk';
    // store sent message is this mailbox
    // leave blank if sent messages should not be stored
    // NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
    $rcmail_config['sent_mbox'] = 'Sent Messages';
    // move messages to this folder when deleting them
    // leave blank if they should be deleted directly
    // NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
    $rcmail_config['trash_mbox'] = 'Trash';
    // display these folders separately in the mailbox list.
    // these folders will also be displayed with localized names
    // NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
    $rcmail_config['default_folders'] = array('INBOX', 'Drafts', 'Sent Messages', 'Junk', 'Trash');
    // automatically create the above listed default folders on first login
    $rcmail_config['create_default_folders'] = false;
    // protect the default folders from renames, deletes, and subscription changes
    $rcmail_config['protect_default_folders'] = true;
    // if in your system 0 quota means no limit set this option to true
    $rcmail_config['quota_zero_as_unlimited'] = false;
    // Make use of the built-in spell checker. It is based on GoogieSpell.
    // Since Google only accepts connections over https your PHP installation
    // requires to be compiled with Open SSL support
    $rcmail_config['enable_spellcheck'] = true;
    // Enables spellchecker exceptions dictionary.
    // Setting it to 'shared' will make the dictionary shared by all users.
    $rcmail_config['spellcheck_dictionary'] = false;
    // Set the spell checking engine. 'googie' is the default. 'pspell' is also available,
    // but requires the Pspell extensions. When using Nox Spell Server, also set 'googie' here.
    $rcmail_config['spellcheck_engine'] = 'googie';
    // For a locally installed Nox Spell Server, please specify the URI to call it.
    // Get Nox Spell Server from http://orangoo.com/labs/?page_id=72
    // Leave empty to use the Google spell checking service, what means
    // that the message content will be sent to Google in order to check spelling
    $rcmail_config['spellcheck_uri'] = '';
    // These languages can be selected for spell checking.
    // Configure as a PHP style hash array: array('en'=>'English', 'de'=>'Deutsch');
    // Leave empty for default set of available language.
    $rcmail_config['spellcheck_languages'] = NULL;
    // Makes that words with all letters capitalized will be ignored (e.g. GOOGLE)
    $rcmail_config['spellcheck_ignore_caps'] = false;
    // Makes that words with numbers will be ignored (e.g. g00gle)
    $rcmail_config['spellcheck_ignore_nums'] = false;
    // Makes that words with symbols will be ignored (e.g. g@@gle)
    $rcmail_config['spellcheck_ignore_syms'] = false;
    // Use this char/string to separate recipients when composing a new message
    $rcmail_config['recipients_separator'] = ',';
    // don't let users set pagesize to more than this value if set
    $rcmail_config['max_pagesize'] = 200;
    // Minimal value of user's 'keep_alive' setting (in seconds)
    // Must be less than 'session_lifetime'
    $rcmail_config['min_keep_alive'] = 60;
    // Enables files upload indicator. Requires APC installed and enabled apc.rfc1867 option.
    // By default refresh time is set to 1 second. You can set this value to true
    // or any integer value indicating number of seconds.
    $rcmail_config['upload_progress'] = false;
    // Specifies for how many seconds the Undo button will be available
    // after object delete action. Currently used with supporting address book sources.
    // Setting it to 0, disables the feature.
    $rcmail_config['undo_timeout'] = 0;
    // ADDRESSBOOK SETTINGS
    // This indicates which type of address book to use. Possible choices:
    // 'sql' (default) and 'ldap'.
    // If set to 'ldap' then it will look at using the first writable LDAP
    // address book as the primary address book and it will not display the
    // SQL address book in the 'Address Book' view.
    $rcmail_config['address_book_type'] = 'sql';
    // In order to enable public ldap search, configure an array like the Verisign
    // example further below. if you would like to test, simply uncomment the example.
    // Array key must contain only safe characters, ie. a-zA-Z0-9_
    $rcmail_config['ldap_public'] = array();
    // If you are going to use LDAP for individual address books, you will need to
    // set 'user_specific' to true and use the variables to generate the appropriate DNs to access it.
    // The recommended directory structure for LDAP is to store all the address book entries
    // under the users main entry, e.g.:
    //  o=root
    //   ou=people
    //    uid=user@domain
    //  mail=contact@contactdomain
    // So the base_dn would be uid=%fu,ou=people,o=root
    // The bind_dn would be the same as based_dn or some super user login.
    /*
     * example config for Verisign directory
     *
    $rcmail_config['ldap_public']['Verisign'] = array(
      'name'          => 'Verisign.com',
      // Replacement variables supported in host names:
      // %h - user's IMAP hostname
      // %n - http hostname ($_SERVER['SERVER_NAME'])
      // %d - domain (http hostname without the first part)
      // %z - IMAP domain (IMAP hostname without the first part)
      // For example %n = mail.domain.tld, %d = domain.tld
      'hosts'         => array('directory.verisign.com'),
      'port'          => 389,
      'use_tls'                => false,
      'ldap_version'  => 3,       // using LDAPv3
      'user_specific' => false,   // If true the base_dn, bind_dn and bind_pass default to the user's IMAP login.
      // %fu - The full username provided, assumes the username is an email
      //       address, uses the username_domain value if not an email address.
      // %u  - The username prior to the '@'.
      // %d  - The domain name after the '@'.
      // %dc - The domain name hierarchal string e.g. "dc=test,dc=domain,dc=com"
      // %dn - DN found by ldap search when search_filter/search_base_dn are used
      'base_dn'       => '',
      'bind_dn'       => '',
      'bind_pass'     => '',
      // It's possible to bind for an individual address book
      // The login name is used to search for the DN to bind with
      'search_base_dn' => '',
      'search_filter'  => '',   // e.g. '(&(objectClass=posixAccount)(uid=%u))'
      // DN and password to bind as before searching for bind DN, if anonymous search is not allowed
      'search_bind_dn' => '',
      'search_bind_pw' => '',
      // Default for %dn variable if search doesn't return DN value
      'search_dn_default' => '',
      // Optional authentication identifier to be used as SASL authorization proxy
      // bind_dn need to be empty
      'auth_cid'       => '',
      // SASL authentication method (for proxy auth), e.g. DIGEST-MD5
      'auth_method'    => '',
      // Indicates if the addressbook shall be hidden from the list.
      // With this option enabled you can still search/view contacts.
      'hidden'        => false,
      // Indicates if the addressbook shall not list contacts but only allows searching.
      'searchonly'    => false,
      // Indicates if we can write to the LDAP directory or not.
      // If writable is true then these fields need to be populated:
      // LDAP_Object_Classes, required_fields, LDAP_rdn
      'writable'       => false,
      // To create a new contact these are the object classes to specify
      // (or any other classes you wish to use).
      'LDAP_Object_Classes' => array('top', 'inetOrgPerson'),
      // The RDN field that is used for new entries, this field needs
      // to be one of the search_fields, the base of base_dn is appended
      // to the RDN to insert into the LDAP directory.
      'LDAP_rdn'       => 'cn',
      // The required fields needed to build a new contact as required by
      // the object classes (can include additional fields not required by the object classes).
      'required_fields' => array('cn', 'sn', 'mail'),
      'search_fields'   => array('mail', 'cn'),  // fields to search in
      // mapping of contact fields to directory attributes
      //   for every attribute one can specify the number of values (limit) allowed.
      //   default is 1, a wildcard * means unlimited
      'fieldmap' => array(
        // Roundcube  => LDAP:limit
        'name'        => 'cn',
        'surname'     => 'sn',
        'firstname'   => 'givenName',
        'title'       => 'title',
        'email'       => 'mail:*',
        'phone:home'  => 'homePhone',
        'phone:work'  => 'telephoneNumber',
        'phone:mobile' => 'mobile',
        'phone:pager' => 'pager',
        'street'      => 'street',
        'zipcode'     => 'postalCode',
        'region'      => 'st',
        'locality'    => 'l',
    // if you uncomment country, you need to modify 'sub_fields' below
    //    'country'     => 'c',
        'department'  => 'departmentNumber',
        'notes'       => 'description',
    // these currently don't work:
    //    'phone:workfax' => 'facsimileTelephoneNumber',
    //    'photo'        => 'jpegPhoto',
    //    'organization' => 'o',
    //    'manager'      => 'manager',
    //    'assistant'    => 'secretary',
      ),
      // Map of contact sub-objects (attribute name => objectClass(es)), e.g. 'c' => 'country'
      'sub_fields' => array(),
      'sort'          => 'cn',    // The field to sort the listing by.
      'scope'         => 'sub',   // search mode: sub|base|list
      'filter'        => '(objectClass=inetOrgPerson)',      // used for basic listing (if not empty) and will be &'d with search queries. example: status=act
      'fuzzy_search'  => true,    // server allows wildcard search
      'vlv'           => false,   // Enable Virtual List View to more efficiently fetch paginated data (if server supports it)
      'numsub_filter' => '(objectClass=organizationalUnit)',   // with VLV, we also use numSubOrdinates to query the total number of records. Set this filter to get all numSubOrdinates attributes for counting
      'sizelimit'     => '0',     // Enables you to limit the count of entries fetched. Setting this to 0 means no limit.
      'timelimit'     => '0',     // Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit.
      'referrals'     => true|false,  // Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups
      // definition for contact groups (uncomment if no groups are supported)
      // for the groups base_dn, the user replacements %fu, %u, $d and %dc work as for base_dn (see above)
      // if the groups base_dn is empty, the contact base_dn is used for the groups as well
      // -> in this case, assure that groups and contacts are separated due to the concerning filters!
      'groups'        => array(
        'base_dn'     => '',
        'scope'       => 'sub',   // search mode: sub|base|list
        'filter'      => '(objectClass=groupOfNames)',
        'object_classes' => array("top", "groupOfNames"),
        'member_attr'  => 'member',   // name of the member attribute, e.g. uniqueMember
        'name_attr'    => 'cn',       // attribute to be used as group name
      ),
    );
    */
    // An ordered array of the ids of the addressbooks that should be searched
    // when populating address autocomplete fields server-side. ex: array('sql','Verisign');
    $rcmail_config['autocomplete_addressbooks'] = array('sql');
    // The minimum number of characters required to be typed in an autocomplete field
    // before address books will be searched. Most useful for LDAP directories that
    // may need to do lengthy results building given overly-broad searches
    $rcmail_config['autocomplete_min_length'] = 1;
    // Number of parallel autocomplete requests.
    // If there's more than one address book, n parallel (async) requests will be created,
    // where each request will search in one address book. By default (0), all address
    // books are searched in one request.
    $rcmail_config['autocomplete_threads'] = 0;
    // Max. number of entries in autocomplete popup. Default: 15.
    $rcmail_config['autocomplete_max'] = 15;
    // show address fields in this order
    // available placeholders: {street}, {locality}, {zipcode}, {country}, {region}
    $rcmail_config['address_template'] = '{street}<br/>{locality} {zipcode}<br/>{country} {region}';
    // Matching mode for addressbook search (including autocompletion)
    // 0 - partial (*abc*), default
    // 1 - strict (abc)
    // 2 - prefix (abc*)
    // Note: For LDAP sources fuzzy_search must be enabled to use 'partial' or 'prefix' mode
    $rcmail_config['addressbook_search_mode'] = 0;
    // USER PREFERENCES
    // Use this charset as fallback for message decoding
    $rcmail_config['default_charset'] = 'ISO-8859-1';
    // skin name: folder from skins/
    $rcmail_config['skin'] = 'larry';
    // show up to X items in messages list view
    $rcmail_config['mail_pagesize'] = 50;
    // show up to X items in contacts list view
    $rcmail_config['addressbook_pagesize'] = 50;
    // sort contacts by this col (preferably either one of name, firstname, surname)
    $rcmail_config['addressbook_sort_col'] = 'surname';
    // how contact names are displayed in the list
    // 0: display name
    // 1: (prefix) firstname middlename surname (suffix)
    // 2: (prefix) surname firstname middlename (suffix)
    // 3: (prefix) surname, firstname middlename (suffix)
    $rcmail_config['addressbook_name_listing'] = 0;
    // use this timezone to display date/time
    // valid timezone identifiers are listed here: php.net/manual/en/timezones.php
    // 'auto' will use the browser's timezone settings
    $rcmail_config['timezone'] = 'auto';
    // prefer displaying HTML messages
    $rcmail_config['prefer_html'] = true;
    // display remote inline images
    // 0 - Never, always ask
    // 1 - Ask if sender is not in address book
    // 2 - Always show inline images
    $rcmail_config['show_images'] = 0;
    // compose html formatted messages by default
    // 0 - never, 1 - always, 2 - on reply to HTML message only
    $rcmail_config['htmleditor'] = 0;
    // show pretty dates as standard
    $rcmail_config['prettydate'] = true;
    // save compose message every 300 seconds (5min)
    $rcmail_config['draft_autosave'] = 300;
    // default setting if preview pane is enabled
    $rcmail_config['preview_pane'] = false;
    // Mark as read when viewed in preview pane (delay in seconds)
    // Set to -1 if messages in preview pane should not be marked as read
    $rcmail_config['preview_pane_mark_read'] = 0;
    // Clear Trash on logout
    $rcmail_config['logout_purge'] = false;
    // Compact INBOX on logout
    $rcmail_config['logout_expunge'] = false;
    // Display attached images below the message body
    $rcmail_config['inline_images'] = true;
    // Encoding of long/non-ascii attachment names:
    // 0 - Full RFC 2231 compatible
    // 1 - RFC 2047 for 'name' and RFC 2231 for 'filename' parameter (Thunderbird's default)
    // 2 - Full 2047 compatible
    $rcmail_config['mime_param_folding'] = 0;
    // Set true if deleted messages should not be displayed
    // This will make the application run slower
    $rcmail_config['skip_deleted'] = false;
    // Set true to mark deleted messages as read as well as deleted
    // False means that a message's read status is not affected by marking it as deleted
    $rcmail_config['read_when_deleted'] = true;
    // Set to true to never delete messages immediately
    // Use 'Purge' to remove messages marked as deleted
    $rcmail_config['flag_for_deletion'] = false;
    // Default interval for keep-alive/check-recent requests (in seconds)
    // Must be greater than or equal to 'min_keep_alive' and less than 'session_lifetime'
    $rcmail_config['keep_alive'] = 60;
    // If true all folders will be checked for recent messages
    $rcmail_config['check_all_folders'] = false;
    // If true, after message delete/move, the next message will be displayed
    $rcmail_config['display_next'] = false;
    // 0 - Do not expand threads
    // 1 - Expand all threads automatically
    // 2 - Expand only threads with unread messages
    $rcmail_config['autoexpand_threads'] = 0;
    // When replying place cursor above original message (top posting)
    $rcmail_config['top_posting'] = false;
    // When replying strip original signature from message
    $rcmail_config['strip_existing_sig'] = true;
    // Show signature:
    // 0 - Never
    // 1 - Always
    // 2 - New messages only
    // 3 - Forwards and Replies only
    $rcmail_config['show_sig'] = 1;
    // When replying or forwarding place sender's signature above existing message
    $rcmail_config['sig_above'] = false;
    // Use MIME encoding (quoted-printable) for 8bit characters in message body
    $rcmail_config['force_7bit'] = false;
    // Defaults of the search field configuration.
    // The array can contain a per-folder list of header fields which should be considered when searching
    // The entry with key '*' stands for all folders which do not have a specific list set.
    // Please note that folder names should be in sync with $rcmail_config['default_folders']
    $rcmail_config['search_mods'] = null;  // Example: array('*' => array('subject'=>1, 'from'=>1), 'Sent' => array('subject'=>1, 'to'=>1));
    // Defaults of the addressbook search field configuration.
    $rcmail_config['addressbook_search_mods'] = null;  // Example: array('name'=>1, 'firstname'=>1, 'surname'=>1, 'email'=>1, '*'=>1);
    // 'Delete always'
    // This setting reflects if mail should be always deleted
    // when moving to Trash fails. This is necessary in some setups
    // when user is over quota and Trash is included in the quota.
    $rcmail_config['delete_always'] = false;
    // Directly delete messages in Junk instead of moving to Trash
    $rcmail_config['delete_junk'] = false;
    // Behavior if a received message requests a message delivery notification (read receipt)
    // 0 = ask the user, 1 = send automatically, 2 = ignore (never send or ask)
    // 3 = send automatically if sender is in addressbook, otherwise ask the user
    // 4 = send automatically if sender is in addressbook, otherwise ignore
    $rcmail_config['mdn_requests'] = 0;
    // Return receipt checkbox default state
    $rcmail_config['mdn_default'] = 0;
    // Delivery Status Notification checkbox default state
    $rcmail_config['dsn_default'] = 0;
    // Place replies in the folder of the message being replied to
    $rcmail_config['reply_same_folder'] = false;
    // Sets default mode of Forward feature to "forward as attachment"
    $rcmail_config['forward_attachment'] = false;
    // Defines address book (internal index) to which new contacts will be added
    // By default it is the first writeable addressbook.
    // Note: Use '0' for built-in address book.
    $rcmail_config['default_addressbook'] = null;
    // Enables spell checking before sending a message.
    $rcmail_config['spellcheck_before_send'] = false;
    // Skip alternative email addresses in autocompletion (show one address per contact)
    $rcmail_config['autocomplete_single'] = false;
    // Default font for composed HTML message.
    // Supported values: Andale Mono, Arial, Arial Black, Book Antiqua, Courier New,
    // Georgia, Helvetica, Impact, Tahoma, Terminal, Times New Roman, Trebuchet MS, Verdana
    $rcmail_config['default_font'] = '';
    // end of config file

  • Brand new Open Directory server not authenticating 10.9, 3.3.2

    I'm hoping somebody here has run into this as it's driving me up a wall.
    I'm on a completely clean install of OS X Mavericks, with the installation from the App Store.
    On top of that, a completely clean install of Server.app 3.2.2 is installed.
    This server has a FQDN, and when I check to see if the hostname resolves in DNS, it totally does. DNS is not turned on as a service, but DNS server settings are correct and the server can hit the outside internet just fine.
    So my steps are as follows: Install Mavericks, clean onto a new partition. Update with all patches. Set Static IP. Install Server 3.2.2 which installs without error. Check hostname settings. All good there. Verify permissions. Create OD Master. I cannot get a single Local Network user newly created with Server.app to log in, even with home folders all 100% local to the client machine. I've unbound and rebound the client machine. I've restarted everything. Nothing.
    When attempting to log in, if I set it to reset password at next login, the prompt to reset the password will appear. I know at least initial auth is taking place, or I wouldn't be getting a password reset screen. After attempting to reset the password, neither the original temporary nor reset password will work. Users cannot log in.
    Here are the errors generated, with my info edited out:
    Jan 14 17:49:35 server slapd[111]: passwd_extop: (null) changed password for uid=test,cn=users,dc=controller,dc=domain,dc=edu
    Jan 14 17:49:35 server slapd[111]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
    Jan 14 17:49:35 server slapd[111]: conn=1181 op=3: attribute "entryCSN" index delete failure
    Jan 14 17:49:41 server slapd[111]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
    Jan 14 17:49:41 server slapd[111]: conn=1197 op=3: attribute "entryCSN" index delete failure
    I understand this is common for users upgrading from 10.6.8 but this is completely clean. I'm not usually administering an OS X server; I'm completely lost.
    Have tried: Recreating master, rekerberizing
    Using scutil and host to verify the DNS on the server works perfectly. Am I missing something small with DNS? We are a fairly large org with DNS not being provided by this server. If you think a different log file would help, please let me know which one.

    What do you get from this:
    sudo /usr/libexec/slapd -Tt
    Anything in /Library/Logs/slapconfig.log?
    Also, have you tried the suggestion here:
    Open Directory - Local Network User/Group - GONE
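    As an added example (not part of the thread or of Apple's tooling), a small POSIX shell script that scans slapd log text for the deadlock/index-failure pair quoted above and lists the accounts whose password change landed in that window, so the inconsistent write can be spotted before users report that neither password works. The log sample is constructed from the lines the poster quoted (host and uid are placeholders) and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): scan slapd log text for the BDB deadlock /
# index-failure pair quoted above, so a failed password write can be spotted
# before users report that neither old nor new password works.

# Constructed sample modelled on the lines quoted in the thread; host and uid are placeholders.
SAMPLE_SLAPD_LOG='Jan 14 17:49:35 server slapd[111]: passwd_extop: (null) changed password for uid=test,cn=users,dc=controller,dc=domain,dc=edu
Jan 14 17:49:35 server slapd[111]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
Jan 14 17:49:35 server slapd[111]: conn=1181 op=3: attribute "entryCSN" index delete failure
Jan 14 17:49:41 server slapd[111]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
Jan 14 17:49:41 server slapd[111]: conn=1197 op=3: attribute "entryCSN" index delete failure
Jan 14 17:50:02 server slapd[111]: conn=1201 op=2: RESULT tag=97 err=0 text='

# index_failures: read slapd log lines on stdin and print one "conn attribute" pair for
# every index failure that directly follows a BDB deadlock (unrelated failures are skipped).
index_failures() {
    awk '
        /DB_LOCK_DEADLOCK/ { pending = 1; next }
        /index delete failure/ && pending {
            conn = ""; attr = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^conn=/) conn = $i
                if ($i == "attribute") { attr = $(i + 1); gsub(/"/, "", attr) }
            }
            print conn, attr
        }
        { pending = 0 }
    '
}

# deadlock_count: number of deadlock-caused index failures in the log text on stdin
deadlock_count() {
    index_failures | wc -l | tr -d ' '
}

# password_change_subjects: DNs whose password was changed in the same log; these are the
# accounts whose write may not have been fully indexed and should be verified first.
password_change_subjects() {
    sed -n 's/.*passwd_extop: .*changed password for //p'
}

# Stand-alone run: report what the sample shows.
printf '%s\n' "$SAMPLE_SLAPD_LOG" | index_failures
printf '%s\n' "$SAMPLE_SLAPD_LOG" | password_change_subjects
```

    On a live server the same functions can read `/var/log/slapd.log` (or the output of `log show`) instead of the constructed sample.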

  • Use Open Directory on Mac OS X Server for Airport authentication?

    Is it possible to set up an Airport Extreme network so that only people with user names and passwords in the Open Directory on my Mac OS X Server can access it?
    I'm picturing a scenario where users would be prompted for the same user name and password they use for other network services when they attempt to join the wireless network.
    Our Airport Extreme access point is connected to the second Ethernet port on an original-model XServe that's running Mac OS X Server 10.3.9 (soon to be upgraded to 10.4.x).

    What you seem to be describing is WPA2/Enterprise level security. This would require you to run some type of Radius Server on your XServe, and you would simply duplicate the name & password they use on the XServe on the Radius Server. BTW, this is considered one of the most secure methods of running a wireless network in the corporate world.
    You will however, have to research Radius & its requirements, as I have not yet implemented that on my own system. HTH.
    Regards,
    Albert
    G4 QuickSilver01 OWC 1.47Ghz CPU 1.5GB RAM 740GB HDD   Mac OS X (10.4.3)   17" Aluminum PowerBook G4 1.33Ghz CPU 1.5GB RAM 80GB HD

  • Open Directory not working for AFP authentication

    Scenario:
    - Running OS X Server (10.9) using FileSharing with AFP to share to multiple users.
    - Currently the users login with local user accounts to gain access.  I'd like to use our Open Directory server to authenticate instead (save me maintaining local users).
    Issue:
    - I added the OD server to Apple > System Prefs > Users > Login Options but when users attempt to login with their OD name/password, it doesn't recognize their credentials.  Their local user accounts work fine and I've added their OD names to the access list for the various directories on the server.
    I'm assuming I need to add the OD server somewhere else on the computer to get OS X to bind to it.  Appreciate any input here.

    Logs?
