Setting up Solaris 10 systems as directory server clients

I just downloaded Sun Directory Server and have a bunch of Solaris 10 boxes that I would like to use the DS for account management. Can someone point me to a definitive document (if one exists) that explains setting up the DS and initializing the Unix boxes as clients?
Thanks for any help that can be provided.

This is a good one to start with
http://www.sun.com/bigadmin/features/articles/nis_ldap_part1.jsp
For setting up the directory server, look through the admin docs for your version
http://docs.sun.com/app/docs/prod/dirsvr.ee#hic

Similar Messages

  • System Landscape Directory server not started

    Hi,
    We are running Solution Manager 4.0 SP13.
    When I log into the NWA I get the message: System Landscape Directory server not started
    We are trying to configure CEN but only the Local System can be administered.
    If I goto the Central SLD and login - Administration - Server Started.
    If I look at the ABAP - Transaction SLDAPICUST - save configuration - all ok
    I goto the Jco Connectors and ensure all Jco Connections are configured: SAPSLDAPI_SID
    ABAP RFCs; All configured
    ABAP - Transaction - sldcheck .. it returns with success.
    I login to the ABAP stack - smgw - logged in clients and all Jco Connections are available
    I go into the J2ee Admin - navigate to the SLD Data supplier - all tests return success.
    The SLD CIM is version 1.5.20
    The application com.sap.engine.class.download is started ( Note 1017526 )
    However when I log in with the J2ee_admin tool the following is missing from the CIM Client:
    sap.com/tclmwebadminmainframewd/webdynpro/public/lib/app.jar
    sap.com/tclmwebadminsldwd/webdynpro/public/lib/app.jar
    Please help.

    Hi Anand,
    I verified the SLD Post Processing doc in case I missed something. The doc I used:
    https://websmp106.sap-ag.de/~sapidb/011000358700003772372006E
    I went through every point in the doc and verified that it was completed .
    If I open Monitoring Setup Guide for SAP NetWeaver 7.0 SP Stack 12 ( Can't find 13 ) I go to page 68 :
    6.5.2. Configuring the Connection Between CEN and the SLD ... I have followed all the steps without any error.:
    I followed it Step-by-Step.... however the following CIM Client Generations do not exist:
    sap.com/tclmwebadminmainframewd/webdynpro/public/lib/app.jar
    sap.com/tclmwebadminsldwd/webdynpro/public/lib/app.jar
    What is available and Activated :
    sap.com/tclmwebadminmainframewd/webdynpro/public/lib/sap.comtclmwebadminmainframe~wd.jar
    sap.com/tclmwebadminsldwd/webdynpro/public/lib/sap.comtclmwebadminsld~wd.jar
    I also decided for the purpose of troubleshooting to activate all:
    sap.com/tclmwebadmin~mainframe.......
    sap.com/tclmwebadmin~sld..........
    When I go into NWA .. its still says SLD Not started.
    If I go into the J2ee Admin Tool - SLD Data Supplier - Trigger Data Transfer OK
    I goto the SLD - Administration . SLD Started
    I can see all the Technical systems - ABAP and Java.
    All business Systems are there
    SLDCHECK works fine .. no errors !
    But I can't change the status of the NWA System Landscape Selection from Local to Central.
    Warning / Error :
    System Landscape Directory server not started
    and
    Only local system can be administered
    I maybe missing something but I can't see what it is....
    Further Help required !

  • How to install directory server/client on Solaris 9 for dummys

    Hi,
    after reading hundreds of pages, after asking questions in forums without getting the right answers, I was able to install the directory server in our company.
    Here is the summary I made for myself. Perhaps it helps others to avoid the same problems.
    Set up a Directory Server (sun one ds 5.1)
    Present situation:
    -Nisplus is installed
    -Solaris OS 9 sparc 64bit is installed
    -DS5 Software is normally already installed in Solaris 9. Check off with 'pkginfo | grep IPLT*'
    -Otherwise install from Solaris OS 9 Disc1 with 'pkgadd -d IPLTxxxx .'
    -Software setup with '/usr/sbin/directoryserver setup'
         Install admin- and directory server.
         For Directory Server use port 389 (necessary for later use of SSL)
         For Admin Server use any empty port > 1024
         Run directoryserver as root (necessary for using port 389 and for -starting servers from console)
         Use default Directory Manager DN cn=Directory manager
         Use your domain as DIT (default information tree) example: dc=example, dc=com
         As second DIT, setup installs o=NetscapeRoot. Don't change this DIT at all!!!!!
    The server stores all the default schemas there which are absolutely important for the directory
    server. Don't change anything there!
    -Configure software with 'idsconfig'
         Preferred - and default server xxx.xxx.xxx.xxx (ip_adds of your directory server)
         Use default search scope one
         Use credential's Proxy
         Use authentication Simple (you may change this later if needed)
         All the rest should remain on default settings
         You will be asked for a proxy password
    -Start the directoryserver console with '/usr/sbin/directoryserver startconsole'
    -If it's not yet running, start the directory server from console or with command 'directoryserver -s instance_name start'
    -If it's not yet running, start the admin server from console or with command 'directoryserver start-admin'
    -On directoryserver's gui at configuration/password set password encryption to 'unix crypt algorithm (CRYPT)'
    Import Data
    -Get Data from Nisplus with
         'niscat passwd.org_dir passwd.ldap'
         'niscat hosts.org_dir hosts.ldap'
         'niscat groups.org_dir groups.ldap'
         etc
    -adjust the files (try it out with one entry of a file only; you may delete this entry with the gui very easily if it's not successful).
    -hosts.ldap must look like
    xxx.xxx.xxx.xxx machine1
    xxx.xxx.xxx.xxx machine2
    xxx.xxx.xxx.xxx machine3
         First value is the ip-address, second one is the hostname.
         If you have more than one hostname per machine, use a second line (don't write 2 names behind the ip-address like you did in nisplus!!!)
    Change content of files into ldif format
    -perl migrate_hosts.pl hosts.ldap hosts.ldif
    -perl migrate_passwd.pl passwd.ldap passwd.ldif
    -You may download the above Perl files from http://www.padl.com
    Change the converted passwd.ldif File as follows:
    -before change:
    dn: uid=mario,ou=People,dc=krinfo,dc=ch
    uid: mario
    cn: mario
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    userPassword: {crypt}6O9m3uK./T/rM
    loginShell: /bin/bash
    uidNumber: 1020
    gidNumber: 14
    homeDirectory: /home/mario
    -after change:
    dn: uid=mario,ou=People,dc=krinfo,dc=ch
    uid: mario
    cn: mario
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount <--- this line must be inserted
    objectClass: top
    userPassword: {crypt}6O9m3uK./T/rM
    loginShell: /bin/bash
    uidNumber: 1020
    gidNumber: 14
    homeDirectory: /home/mario
    Insert the line for every entry in the passwd.ldif file
    You may now import all these xxxx.ldif files into the directory server with
    -ldapadd -h name_of_directoryserver -D "cn=Directory Manager" -w password -f XXXXX.ldif
    You may use this commands later to import further data.
    -Initialise a client
    'ldapclient -a proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com init xxx.xxx.xxx.xxx'
    The xxx.xxx.xxx.xxx at the end is the ip address of the directory server
    -This will make a client with data taken from the default profile from the directory server. This profile has been produced with the earlier command idsconfig and can be changed if needed.
    -The System will ask you for the proxy password (given the first time in idsconfig dialog)
    -You may now look at the produced files
    in '/var/ldap/ldap_client_file' for the client settings
    in '/var/ldap/ldap_client_cred' for the proxy settings
    'ldapclient list' shows the settings of the client
    With 'ldaplist -h' you may see all the existing entries with their objects.
    Activate the client
    -If it's not yet running, start '/usr/lib/ldap/ldap_cachemgr'
    -All nisplus daemons/programs have been stopped by ldapclient command. If not, stop them manually.
    -/etc/nsswitch.conf should have been copied from /etc/nsswitch.ldap from ldapclient too.
    -If not, do it manually.
    example
    passwd: files ldap
    group: files ldap
    hosts: ldap dns files
    etc
    I recommend changing the file '/etc/nsswitch.ldap' because the system often copies nsswitch.ldap to nsswitch.conf, and if nsswitch.ldap is not adapted, you must change nsswitch.conf again and again.
    You may now check whether LDAP is working fine with the following requests:
    getent passwd username
    getent hosts hostname
    getent groups
    getent network
    These commands should give you the requested answer.
    Be sure to clean:
    /etc/hosts      inside is only your workstation and the directory server
    /etc/passwd     only default and local entries
    /etc/groups only default and local entries
    etc
    try a telnet to your own machine to check whether password and automount of your home_directory work fine.
    I failed here. All was working fine, but the password exchange did not because of credential/authentication problems.
    Best regards and good luck
    Mario
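The two manual steps in the summary above that are easiest to get wrong are inserting `objectClass: shadowAccount` into every entry of passwd.ldif and keeping hosts.ldap to exactly one hostname per line. The following Python script is an added example, not the poster's own tooling or anything from padl.com; it parses the LDIF, adds the missing object class only where an entry is a posixAccount without it (so it can be re-run safely), and reports hosts.ldap lines that still carry several names after the address. The sample data is constructed and the `{crypt}` hashes are placeholders.

```python
"""Prepare NIS+ exports for Directory Server import, following the steps in
the post above. Added example, not the poster's own scripts: it replaces the
manual "insert objectClass: shadowAccount in every entry" step and checks the
hosts.ldap layout. The sample data below is constructed."""
import re

# Constructed sample: first entry lacks shadowAccount, second already has it.
SAMPLE_LDIF = """\
dn: uid=mario,ou=People,dc=example,dc=com
uid: mario
cn: mario
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}PLACEHOLDER_HASH_1
loginShell: /bin/bash
uidNumber: 1020
gidNumber: 14
homeDirectory: /home/mario

dn: uid=anna,ou=People,dc=example,dc=com
uid: anna
cn: anna
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
userPassword: {crypt}PLACEHOLDER_HASH_2
loginShell: /bin/sh
uidNumber: 1021
gidNumber: 14
homeDirectory: /home/anna
"""

# Constructed sample hosts.ldap; line 3 still has the NIS+ "two names" layout.
SAMPLE_HOSTS = """\
192.0.2.10 machine1
192.0.2.11 machine2
192.0.2.12 machine3 machine3.example.com
192.0.2.13 machine4
"""


def parse_ldif(text):
    """Split LDIF text into entries (lists of 'attr: value' lines).
    Folded continuation lines (leading space) are joined to the previous line;
    comment lines are dropped; blank lines separate entries."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        elif raw.strip() == "":
            if current:
                entries.append(current)
                current = []
        elif not raw.startswith("#"):
            current.append(raw)
    if current:
        entries.append(current)
    return entries


def _attr_value(line):
    """Return (attribute, value) for an 'attr: value' LDIF line, lower-cased."""
    attr, _, value = line.partition(":")
    return attr.strip().lower(), value.strip().lower()


def add_shadow_account(text):
    """Insert 'objectClass: shadowAccount' directly after 'objectClass: posixAccount'
    in every entry that is a posixAccount and does not already carry shadowAccount.
    Running it twice changes nothing, so it is safe to re-run on a fixed file."""
    fixed = []
    for entry in parse_ldif(text):
        classes = {v for a, v in map(_attr_value, entry) if a == "objectclass"}
        needs_shadow = "posixaccount" in classes and "shadowaccount" not in classes
        out = []
        for line in entry:
            out.append(line)
            if needs_shadow and _attr_value(line) == ("objectclass", "posixaccount"):
                out.append("objectClass: shadowAccount")
        fixed.append("\n".join(out))
    return "\n\n".join(fixed) + "\n"


_HOSTS_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)(.*)$")


def check_hosts_file(text):
    """Return [(line_no, line)] for hosts.ldap lines that are not exactly
    'ip-address hostname'; extra names after the address must go on their own line."""
    bad = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = _HOSTS_LINE.match(line)
        if m is None or m.group(3).strip():
            bad.append((n, line))
    return bad


if __name__ == "__main__":
    print(add_shadow_account(SAMPLE_LDIF))
    for n, line in check_hosts_file(SAMPLE_HOSTS):
        print("hosts.ldap line %d needs splitting: %s" % (n, line))
```

Feed the output of add_shadow_account() to the ldapadd command from the post; it does not touch entries that already carry shadowAccount or that are not posixAccounts.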

    Directory Server 5.1 does not support Kerberos authentication.
    Beside this there are some extensions in MS kerberos authentication that makes it almost impossible to have a MS client authenticate with something else than AD.
    Regards,
    Ludovic.

  • Minimum Solaris installation for Directory Server

    Hello,
    I want to set up a new Solaris installation for Sun ONE directory server.
    But I don't want to install always the "entire distribution" and then turn off all services. I want to keep the Solaris OS installation as small as possible. Has anybody tried this before and can report some experiences? Is the "reduced network" cluster the right way to go or better the "core" cluster? Does anybody have a list of the packages which must be installed after a minimal Solaris installation for the DS to work?
    Thanks a lot,
    af_inet

    Since your original question is "minimum requirement
    at the SERVER", I would say that X is not really
    needed at the server end if you use installer text
    mode CLI (command is "./installer -nodisplay")
    instead of installer graphical mode (GUI). However,
    to fix uninstall/reinstall issue, X is needed as the
    "prodreg" which is used to uninstall packages is a X
    program, without text mode option.
    This is correct.
    It is not a must to run ./startconsole (X program)
    LOCALLY so as to perform DS admin functions as you
    could always run SUN ONE Console REMOTELY from any
    remote host (Windows or UNIX/Linux) with just the
    console binaries installed. (for large data centre
    env. the LDAP server is usually locked in server room
    away from your desk and you tend to use remote admin
    console).
    This is correct too. I think it's a matter of taste if I want to install console on the DS itself or on a separate host. As long as I have only one DS I will leave it on the machine itself. But you are right, this is not a must. So I should have asked my question more precisely :-)
    Thank you very much,
    Chris

  • How to set up the System Landscape Directory

    Hello Forum,
    I have installed Netweaver sneak preview - Java version (on Windows box).
    I want to configure SLD on this; how to go ahead???? My other systems are
    1. R/3 4.6C on Unix box
    2. Netweaver (BW 3.5, EP 6.0) on Unix box
    I want to make Netweaver sneak preview as SLD Server.
    Thanks a lot
    Ravish

    Hi Ravish,
    Please have a look in https://websmp204.sap-ag.de/sld. Then navigate to
    Solution Life-Cycle Management ->
      System Landscape Directory ->
        Media Library
    And choose the document "SLD Getting Started - Check List".
    Best regards,
    Amit

  • Extend Directory Server Client Console

    Hello there:
    Just a tricky question.
    Is there any way of extending the (Java) Graphic User Interface of the Sun One Directory Server (5.2) console?
    I dunno even if this part is open source or not.
    Thanks in advance.
    Best regards.

    Tifae,
    It's kinda difficult to tell you the exact problem from your description. Do you get any errors about missing some entries under o=netscaperoot while starting the console? Alternatively, could you try using a different console to access the administration server for your existing installation? Just install another DS instance and use that console to access this admin server.

  • Total newbie needs help installing and setting up Solaris 10 as a server

    I'm attempting to set up one computer to act as a file and print server on my home network, so that I can store all of my music and video files on it instead and print to my parallel-only laser printer. 80% of the time I'm using my laptop, so I need the mass storage and printer to be handled by another device - the server!
    I'm not sure if I'm even installing Solaris 10 correctly. How should it be installed to then act as a server? My two (incredibly long, like 3+ hours each) install attempts so far have resulted in an OS that looks like a nice fancy GUI-laden desktop which doesn't appear to show me my 750G SATA storage drive (the OS is on a 40G IDE drive).
    In the end, I'd like to have the system working so that my only interaction with it is the power button - press it once to power it on and it'll boot up and log in automagically and make itself seen over the network (with printer and files stored on drives accessible to my laptop or any other PC that's on the same network), and then press the power button again to shut down the entire system gracefully (so far, when I press the power button, it's a quick kill like pulling the power cord - I'm pretty sure that's a bad way of having the system shut down, so how do I change it?)
    I'm really hoping to use Solaris due to the promising ZFS scheme. My only exposure so far to Unix / Linux has been with Ubuntu, which I usually like but sometimes loathe (primarily file permissions and network manager).

    Let's try step by step rather than asking for setting up a server as a whole and I'll try to help you as much as I can.
    For setting up a printer, it's not that easy or quick setting up a printer on Solaris, I mean it's not like plug-n-play. Tell us about your printer and how it's connected to your system (usb, ethernet, parallel, serial).
    As for shutting down the system, it's recommended to use the shutdown command like this:
    # shutdown -y -i0 -g0
    --gibb

  • Setting up Access Manager and Directory Server for Failover.

    I'm setting up 2 Access Managers AM1,AM2 and 2 Directory Servers DS1 and DS2 for failover. I've connected AM1 and AM2 to DS1. Suffixes of DS1 is replicated to DS2. Any change made to AM1 is replicated to AM2 as expected. I just patched AM1 with Access Manager patch 1 and the version information for AM1 shows 7.1 126359-01. I followed the same procedure to patch AM2 but AM2 still shows ver 7.1.
    How do I make sure both Access Managers are patched to the same version?
    I'm able to authenticate to one IIS6 site and authentication is passed on to Outlook Web Access on AM1 but when I shut down AM1 to test failover to AM2 OWA prompts me again for password. How do I resolve this?
    On AM1 http://host.domain/amserver/UI/Login?realm=sso successfully logs in but the same on AM2 gives Warning that "You have already logged in. Do you want to log out and then login to a different organization?"
    Please help !!!

    I'll answer what bits I can:
    Q: AM showing the same version?
    A: No idea on this one. I would have expected the operation you described to have produced the right answer. Check that neither your application server nor your web browser are caching old pages (ctrl-F5 in my browser)
    Q: How do I resolve re-authentication on failover?
    A: The AM documentation includes a deployment example that covers pretty closely what it is you are trying to achieve:
    http://docs.sun.com/app/docs/doc/820-2278
    Specifically, the problem you are describing is related to session failover. The sessions are stored in a local DB so when you failover the backup server does not store the same information and hence requires a reauthentication. The section of the above doc that deals with this is here:
    http://docs.sun.com/app/docs/doc/820-2278/gdsre?l=en&a=view
    Q: "You have already logged in" warning
    A: No idea. Sorry.
    R

  • Trouble accessing System Landscape directory

    Dear Gurus,
    I am currently setting up the System Landscape Directory (SLD) on the Solution Manager 4.0 system. I have managed to access the main SLD page using http://server:8000/sld, however when I click on the Administrator link, and then e.g. 'log', I will get this message:
    500 Internal Server Error                        SAP J2EE Engine/7.00
    Application error occurred during the request procession.
      Details:      
      com.sap.engine.services.servlets_jsp.server.exceptions.WebIOException:
      Error compiling [/admin/log.jsp] of alias [sld] of J2EE application [sap.com/com.sap.lcr].
    Exception id: [000C29B5E9430058000000320000226800045399F55C32B9]
    There are several other links in the SLD Administration that do not work and will incur the same error message as above:
    details.jsp
    systemmessage.jsp
    and many others. I have checked in visual admin and all applications are up. Please advise on my current situation.
    With Many Thanks and Best Regards.

    Hi,
    You don't have to create this user in the system. This is the default user created during installation. You will find this in the
    001 client. Also to change the password you can use visual admin
    or http://ip:5xx00/nwa; use j2ee_admin here and login, then change the password for the sld user.
    Regards,
    Vamshi.

  • Unable to read software component version from System Landscape Directory "

    I've worked in past creating/importing SWCV, but this is new system PI7.0 and stuck.
    A) Is my understanding on resolution correct?
    Should I go and apply notes 940309 and create client copy of existing client 001
                                        OR
    change role of client 001; SXMB_ADMIN -> 'Integration Engine Configuration' to 'Integration Server'
    I have no problem in using client 001 as Integration server, all I want is import of SWCV to work. Thanks. Appreciate the help.
    B) Here is what I have done and the error:
    1) Followed weblog below and created product, software component, technical system, business system in SLD.
    /people/srinivas.vanamala2/blog/2007/02/05/step-by-step-guide-xml-file-2-xml-file-scenario-part-i
    2) When I import the SWC from integration repository getting error
    (Unable to read software component version from System Landscape Directory "server:5<system number>00").
    C) Pointers used from the forum to debug the issue, but still no luck
    Below are the points checked from the forum and all steps are correct, but still have issues with the import
    1) check the RFCs SAPSLDAPI, LCRSAPRFC, connection test pass as the program ID registered with Jco
    2) T-code SLDCHECK no errors (followed http://help.sap.com/saphelp_nw04/helpdata/de/78/20244134a56532e10000000a1550b0/content.htm)
    3) T-code SLDAPICUST got user PIAPPLUSER, pwd is correct (reset the pwd)
    4) logged using PIAPPLUSER http://server:port/sld and it works
    5) One of the weblog SLD Check Failed (LCR_LIST_BUSINESS_SYSTEMS function doesn't work) referred to apply notes 940309
    Notes: 940309
    You are installing 'SAP NetWeaver 2004s SR1 ABAP+Java' Usage Type 'NetWeaver Process Integration (PI)'.
    You don't want to use the default client 001, but another client as Integration Server.

    applied portion (PIPostInstallProcess) of OSS notes 940309 and it resolved.
    Note:
    I still retained client 001 and didn't do client copy as mentioned in the notes. The wizard based CTC tool helped. Here are the details if someone has similar issue and want to know further details:
    A NetWeaver Process Integration (PI) Installation (ABAP+Java) has two parts: Installation and configuration. The former is done by the Installer, the latter by the 'Central Template Configuration' (CTC) Tool.
    http://help.sap.com/saphelp_nw04s/helpdata/en/14/39084136b5f423e10000000a155106/frameset.htm
    1. Call the wizard-based configuration tool as described in Configuration Wizard.
    2. Select the scenario PI and the task PIPostInstallProcess.
    3. Choose Execute.
    A list of the steps to be executed by the wizard is displayed.
    4. Choose Install.

  • Access Manager Failed to Connect to Directory Server

    Dear All,
    I have a problem with the Directory Server connection in Access Manager. This happened in the Production site; all applications that are integrated with Oracle Access Manager (OAM) for Single Sign On are not accessible after the Directory Server connection problem occurs in OAM. The problem started occurring suddenly; before it, all services including the OAM and Directory Server were running well. Below are the error messages that appear in the WebGate log file (ohs1.log) and OAM log file (oblog.log):
    >> OHS/WebGate (ohs1.log) :
    [2014-01-21T09:25:12.0053+07:00] https://community.oracle.com/OHS https://community.oracle.com/OHS-9999 https://community.oracle.com/apache2entry_web_gate.cpp host_id: <WEBGATE_HOSTNAME> [host_addr:10.10.254.178] [ecid: 004w76rlRYt0NuapxKL6iW0000sE001oGY] The host and port from the requested URL could not be found in the Policy database. Check if the corresponding directory service is up.
    >> OAM (Oblog.log):
    2014/01/15@03:12:23.833746      [30573 30606]   DB_RUNTIME      ERROR  0x000008C1      ../ldap_connection_mngr.cpp:443 "Failed to connect to directory server" lpszHost<LDAP_HOSTNAME_VIA_LOADBALANCER> port<LDAP_PORT_VIA_LOAD_BALANCER>
    The OAM uses a Load Balancer between the LDAP Directory Server and OAM's components. When the error appears, there is no problem with the Load Balancer and all Directory Server services are up. There are two Directory Server servers in Multi Master Replication and 14 WebGate servers integrated with OAM. Is there a limit on the number of WebGates that can be integrated with the OAM?
    I have tried to set some parameters in the OAM configuration to solve this problem. I set the Maximum Connection of Directory Server parameter to 10 (in OAM Console), the LDAPOperationTimeout parameter to 1 hour and the LDAPMaxNoOfRetries parameter to 2 (in the globalparams.xml). After setting these parameters, the error did not appear for some days, but then suddenly appeared again with the same error message. Maybe setting these parameters is not the appropriate solution for the problem or the values that I set are not correct. Any experience with this?
    I still don't know what the root cause of this problem is. Restarting all OAM services (including the WebGate) is a temporary solution when the error appears.
    Any idea for this problem?
    Thanks in advance.

    Hi Jun-Y,
    Thank you for your answer.
    What do you mean with the Directory Server's idle timeout? Is it the "Idle Timeout" parameter in LDAP Client Control Settings?
    I use Oracle Directory Server Enterprise 11.1.1.5.0. Now, the Directory Server's idle timeout parameter is "unlimited".
    If the idle timeout of the load balancer is set to 1 hour, it means that I must change the directory server's idle timeout to be less than 1 hour. Isn't that right?

  • Password Policy on Directory Server 11.1.1.7.2

    Hi,
    I'm trying to set up a password policy with DS 11.1.1.7.2 but it doesn't seem to be getting applied to the users. I went through the DSCC gui and created a new policy that is supposed to remember the last 3 passwords and also expire in a couple days just for test purposes. I then set the compatibility mode to Directory Server 6 and clicked on "Assign Policy" and selected ou=people,o=xxxxxx,o=isp where my test accounts are.
    I've then tried using ldapmodify using the credentials of the accounts whose passwords I'm changing and it allows me to reuse the same passwords. I saw something about using a virtual attribute for assigning users to a policy. Is that required also?
    dn: cn=TestPWpolicy1,o=xxxxxxx,o=isp
    cn: TestPWpolicy1
    objectclass: sunPwdPolicy
    objectclass: pwdPolicy
    objectclass: ldapsubentry
    objectclass: top
    passwordrootdnmaybypassmodschecks: on
    passwordstoragescheme: CRYPT
    pwdallowuserchange: true
    pwdattribute: userPassword
    pwdcheckquality: 2
    pwdexpirewarning: 86400
    pwdinhistory: 3
    pwdmaxage: 172800
    pwdminage: 0
    pwdminlength: 2
    pwdmustchange: false
    createtimestamp: 20150302195541Z
    creatorsname: cn=admin,cn=administrators,cn=dscc
    entrydn: cn=testpwpolicy1,o=xxxxxxxx,o=isp
    entryid: 28
    hassubordinates: FALSE
    modifiersname: cn=admin,cn=administrators,cn=dscc
    modifytimestamp: 20150302195541Z
    nsuniqueid: 0a0ca681-c11611e4-800799c3-4c540d75
    numsubordinates: 0
    parentid: 2
    subschemasubentry: cn=schema
    Thanks for any help.

    Hello,
    A user entry references a custom password policy through the value of the operational attribute pwdPolicySubentry. When referenced by a user entry, a custom password policy overrides the default password policy for the instance.
    It is unclear to me whether you want to assign the new password policy to an individual account or to every user in ou=people,o=xxxx,o=isp.
    To assign a password policy to an individual account, just add the password policy DN to the values of the pwdPolicySubentry attribute of the user entry e.g.
    $ cat pwp.ldif
    dn: uid=dmiller,ou=people,o=xxxxxxx,o=isp
    changetype: modify
    add: pwdPolicySubentry
    pwdPolicySubentry: cn=TestPWpolicy1,o=xxxxxxx,o=isp
    $ ldapmodify -D cn=directory\ manager -w - -f pwp.ldif
    Enter bind password:
    modifying entry uid=dmiller,ou=people,o=xxxxxxx,o=isp
    $ ldapsearch -D cn=directory\ manager -w - -b dc=xxxxxxx,o=isp \
    "(uid=dmiller)" pwdPolicySubentry
    Enter bind password:
    version: 1
    dn: uid=dmiller, ou=People, o=xxxxxxx,o=isp
    pwdPolicySubentry: cn=TestPWpolicy1,o=xxxxxxx,o=isp
    $
    See Directory Server Password Policy - 11g Release 1 (11.1.1.7.0)
    You can also assign a password policy to a set of users using cos/roles virtual attributes as described in section 8.3.4 at Directory Server Password Policy - 11g Release 1 (11.1.1.7.0)
    -Sylvain
    Please mark the response as helpful or correct when appropriate to make it easier for others to find it

  • Ldap client with directory server 6.0 on solaris 9 systems

    I have a directory server 6.0 running on a Solaris 9 system. I have set up idsconfig, vlvindex and certificate database on the server side. The LDAP client I am trying to set up is also a Solaris 9 system. I have set up the certificate database on this LDAP client using the Resource Kit certutil and imported the server certificate to the client certificate database. It seems the TLS secure connection did work between LDAP server and client (I use the Resource Kit ldapsearch command to test it). I use the 'ldapclient -v init ...' command using 'profileName=tlsprofile' to initialize the LDAP client and the information returned from that command said the LDAP client was configured successfully. But when I run the ldapaddent command to import /etc/passwd, I get the error:
    Passwd container does not exist.
    The ldapaddent command I ran like this:
    ldapaddent -v -f <passwd file> -D "cn=Directory Manager" passwd
    Then I tried to use the 'ldapclient -v manual ....' command to set up the LDAP client. That command finishes successfully. But I still cannot import /etc/passwd using ldapaddent; same error.
    What is wrong with my set-up?
    Thanks,
    --xinhuan

    I looked into the /var/adm/messages, and I have the following error:
    ldap_cachemgr[1640]: [ID 605618 daemon.error] libldap: CERT_VerifyCertName: cert server name 'directory server' does not match 'hostname.mycompany.com': SSL connection denied
    It seems I have a problem with the SSL certificate set-up. I did generate the server side 'hostname.mycompany.com' certificate, then used the Resource Kit certutil to import that certificate to the client side. Is that the right way to do it?
    Thanks,
    --xinhuan                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   
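    As an added example (not from this thread), a small check that reproduces the hostname comparison behind that CERT_VerifyCertName message: it parses the logged line and tests a certificate's names against the servers listed in a client profile, so the mismatch can be spotted before ldap_cachemgr refuses the connection. The certificate dicts and host names are constructed, and the matching rule (dNSName SANs before the subject CN, wildcard only as a whole left-most label) is an assumption about the client library's behaviour, not a description of libldap internals.

```python
import re

# Constructed sample: the ldap_cachemgr line quoted in the post, as it
# would appear in /var/adm/messages.
SAMPLE_LOG = ("ldap_cachemgr[1640]: [ID 605618 daemon.error] libldap: "
              "CERT_VerifyCertName: cert server name 'directory server' "
              "does not match 'hostname.mycompany.com': SSL connection denied")

_MISMATCH_RE = re.compile(r"CERT_VerifyCertName: cert server name "
                          r"'(?P<cert>[^']*)' does not match '(?P<host>[^']*)'")

def parse_cert_mismatch(line):
    """Return (name_in_cert, expected_host) for a libldap mismatch line, else None."""
    m = _MISMATCH_RE.search(line)
    return (m.group("cert"), m.group("host")) if m else None

def _name_matches(pattern, host):
    """Case-insensitive DNS-name comparison; '*' is honoured only as the whole
    left-most label and only with two or more labels after it (RFC 6125 style;
    an assumption about how strict the client library is)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    pl, hl = p.split("."), h.split(".")
    return pl[0] == "*" and len(pl) >= 3 and len(pl) == len(hl) and pl[1:] == hl[1:]

def cert_matches_host(cert, host):
    """cert is shaped like ssl.getpeercert(). dNSName SANs take precedence;
    the subject CN is consulted only when the cert carries no dNSName SAN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(_name_matches(s, host) for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(cn, host) for cn in cns)

def check_profile_servers(cert, servers):
    """Map each server named in the client profile to whether `cert` would be
    accepted for it; a False here is exactly the condition behind SAMPLE_LOG."""
    return {s: cert_matches_host(cert, s) for s in servers}

# Constructed certificates: the mismatching one described in the post, and a
# correctly issued one (both hypothetical, not real certificates).
BAD_CERT = {"subject": ((("commonName", "directory server"),),)}
GOOD_CERT = {"subject": ((("commonName", "hostname.mycompany.com"),),),
             "subjectAltName": (("DNS", "hostname.mycompany.com"),
                                ("DNS", "*.mycompany.com"))}
```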

  • Setup Java system directory server 6 client for user authentication

    I am trying to set up a native LDAP client for Sun directory server 6 for network-based user authentication. I checked the Sun docs for the naming service (LDAP), and the documentation is for setting up an LDAP client for directory server 5. Is there any documentation for setting up an LDAP client for directory server 6? Or are the documents for setting up an LDAP client for directory server 5 still good for 6? In particular, I want to use SSL communication between server and client.

    Hi,
    could be one of the other 'bad jokes' of DS/ldapclient: the documentation describes a lot of stuff about profiles etc., but you need some special schema files to use the whole stuff, and they are not installed with Solaris or DS (and they include the NisDomainObject). I had to search for them on the internet. They are also printed in the documentation. Save them in your server's config/schema directory as, e.g., 61DUAConfigProfile.ldif and 62nisDomain.ldif and try idsconf again (maybe you have to clean up something).
    I am testing and preparing DS6 here, and we will use it in production too. I haven't had any problems with it, and it has some important advantages over DS5.2. But we won't have a huge directory, so I can't tell you anything more about it.
    Regards
    Jochem Ippers
    Here are the ldifs:
    61DUAConfigProfile.ldif:
    dn: cn=schema
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live, in seconds, before a client DUA should re-read this configuration profile' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by a DUA' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server for a specific service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
    objectClasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top STRUCTURAL DESC 'Abstraction of a base configuration for a DUA' MUST ( cn ) MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) X-ORIGIN 'user defined' )
    62nisDomain.ldif:
    dn: cn=schema
    attributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
    objectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top STRUCTURAL MUST nisDomain X-ORIGIN 'user defined' )
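    As an added example (not from this thread or from Sun), a check that a profile entry of the kind idsconfig writes only uses attributes the two posted schema files define, which is the failure behind the missing-schema problem described above. The objectClasses strings are copied verbatim from the LDIFs; the profile entry, its DN and its values are constructed, and the LDIF reader deliberately handles only plain 'attr: value' lines.

```python
import re

# Copied verbatim from the objectClasses lines of the two schema files posted above.
DUA_OC = ("( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top STRUCTURAL DESC "
          "'Abstraction of a base configuration for a DUA' MUST ( cn ) MAY ( defaultServerList $ "
          "preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ "
          "bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ "
          "serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ "
          "objectclassMap $ attributeMap $ profileTTL ) X-ORIGIN 'user defined' )")
NIS_OC = ("( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top STRUCTURAL "
          "MUST nisDomain X-ORIGIN 'user defined' )")

def parse_objectclass(defn):
    """NAME, MUST and MAY (lower-cased) from an RFC 4512 objectClasses value; list or bare form."""
    def attrs(keyword):
        m = re.search(r"\b" + keyword + r"\s+(?:\(([^)]*)\)|(\S+))", defn)
        body = (m.group(1) if m.group(1) is not None else m.group(2)) if m else ""
        return {a.strip().lower() for a in body.split("$") if a.strip()}
    return {"name": re.search(r"NAME '([^']+)'", defn).group(1),
            "must": attrs("MUST"), "may": attrs("MAY")}

def parse_ldif_entry(text):
    """Minimal LDIF reader: 'attr: value' lines into {attr_lower: [values]} (no '::' or folding)."""
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def validate_entry(entry, schema):
    """Problems the server would reject for: unknown objectClass, missing MUST, disallowed attribute."""
    problems, allowed = [], {"dn", "objectclass"}
    for oc_name in entry.get("objectclass", []):
        oc = schema.get(oc_name.lower())
        if oc is None:
            problems.append("unknown objectClass " + oc_name)
            continue
        allowed |= oc["must"] | oc["may"]
        problems += ["missing MUST " + a for a in sorted(oc["must"]) if a not in entry]
    return problems + ["not allowed " + a for a in entry if a not in allowed]

SCHEMA = {oc["name"].lower(): oc for oc in map(parse_objectclass, (DUA_OC, NIS_OC))}

# Constructed profile entry of the kind idsconfig writes (hypothetical DN and values).
PROFILE_LDIF = """dn: cn=default,ou=profile,dc=mycompany,dc=com
objectClass: DUAConfigProfile
cn: default
defaultServerList: hostname.mycompany.com:636
defaultSearchBase: dc=mycompany,dc=com
authenticationMethod: tls:simple
credentialLevel: proxy"""
```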

  • 10.3.9 clients not working with 10.4.9 open directory server

    I have a 10.4.9 server running Open Directory and managing about 20 10.4.9 clients. I am trying to have it manage our remaining 10.3.9 clients, but for whatever reason I cannot seem to get the 10.3 clients to "attach" to the server.
    I have the 10.3 clients set up in a computer list on the server, and in Directory Access I have it set to "get LDAP mappings from server". At one point it was suggested to me that I have the clients "get LDAP mappings from Open Directory server". I tried this and manually set the search base suffix. My search base suffix was "dc=example,dc=local". I even tried "cn=config,dc=example,dc=local" (where in both cases example.local was replaced with my real DNS name). Any suggestions on what else I could try to get this to work?

    That's the odd thing though. I've done this with 10.4 with no problem. The settings always worked. For some reason, though, even though the clients are able to log in using a network user, none of the preference settings sync.
    For example, I always put a loginwindow message on as a sort of "test" to see if preferences are being set. If that works, then I rarely have a problem. No matter what I do, though, I cannot get the loginwindow message to display on the 10.3 clients. It works really well on 10.4, but not at all on 10.3. I've tried this on multiple 10.3 machines as well (and they're based on different system images), but it still doesn't work. When I get back to work on Friday, I'll have to see if preferences will work for network users; that's the one thing I haven't tried.
    Other than dumping the Directory Access preferences, is there another preference setting that could be dumped on the client that may make it grab prefs from the server?
