Sun Directory Server: Disabling and Locking Accounts

Similar Messages

• Sun Directory Server and OID Synchronization

  I'm having a problem with synchronizing OID with our existing Sun Directory Server. This is a one way synchronization, using Sun DS as the source, and OID as the destination. I've successfully installed OID with SSL enabled (this is part of an Oracle Portal installation), and followed what docs I could find. I created an integration profile based off the iPlanet Import profile, and imported a custom mapping profile based off a differing DIT naming convention (o=company.com vs dc=company,dc=com). I have applied an ACI that should allow the synchronization profile user to update entries on the OID side, and a user in Sun DS that has access to the appropriate areas on that side. I was able to successfully bootstrap and import all of our users, and it was also able modify the last changelog number.
  Having said all of that, incremental changes aren't propagating to OID. I'm not sure where to look or what steps to take to troubleshoot this, as I'm brand new to OID. There's an agent execution command that is blank in the integration profile, but according to what I've found that's the default and is acceptable.
  Am I missing a step here? According to the docs, all I need to do is enable the profile, and away it goes.
  One last thing I had to do to overcome an issue with the changelog number not updating was adding our internal root ca's certificate to the local JVM's cacerts file. I accomplished this with the keytool command, and it seemed to work fine. I'm unsure if it's the SSL config that is hosed and is causing this, or if it's a configuration parameter I'm missing.. but I don't have anywhere to start as far as troubleshooting is concerned.

  On your integration profile, did you set the debug level to 63? You should have a _____.aud and a _____.trc file in your $ORACLE_HOME/ldap/odi/log directory that will provide more info. Did you start your DIP server (odisrv) with the oidctl command?
  You might also look at downloading the "diptester" utility for troubleshooting OID synchronization issues.
  - Brian

• User provisioning with Sun Directory Server

  I'm migrating from the internal user data store to external with Sun Directory Server as the LDAP backend and I'm unable to provision new users. I use unidssearch to list the unprovisioned accounts and it lists the user I'd like to provision. I then execute 'uniuser -user -add "DID=uid=testy,ou=People,dc=domain,dc=com" -n 10' which returns an Insufficient access right error. When I look at das.log I see the following entry...
  DATE = Thu May 10 10:25:09 2007
  PID = 440; TID = 1095888896
  LOG TYPE -> DEBUG
  FUNCTION NAME -> ctldap_CalUserUpdateByDirectoryId
  dn: uid=testy,ou=People,dc=domain,dc=com
  changetype: add
  ctCalXItemId: 00010:00500
  o: Domain Corporation
  objectClass: ctCalUser
  This entry tells me that uniuser is try to do an LDAP_ADD on an existing object in the directory when it should do a LDAP_MODIFY.
  Does anyone know why this is?

  the unidsacisetup(8) command can be used to add the ACI for Sun Directory server. The ACI it sets is a little to loose for my liking so I modified it slightly.
  Original:
  (target="ldap:///dc=domain,dc=com") (targetattr = "*") (version 3.0; acl "Calendar Administrators Group"; allow(all) groupdn = "ldap:///cn=OracleCalendarAdminGroup,ou=OracleCalendar,dc=domain,dc=com";)
  Modified:
  (target="ldap:///dc=domain,dc=com") (targetattr = "*") (version 3.0; acl "Calendar Administrators Group"; allow(read,write,compare) groupdn = "ldap:///cn=OracleCalendarAdminGroup,ou=OracleCalendar,dc=domain,dc=com";)

• Sun Directory Server Installation

  Hi all,
  I am a student in a Computer Science degree and as my project i am designing a web application that allows users to exchange ideas through a "messaging" system.
  After discussion with my tutors we have come up with a design idea that we would use an LDAP server to authenticate users as well as keep message details such as Topic, message header, etc. The actual body of the msg should be kept in a separate database.
  To the point....
  It has been suggested that i use the Sun Java System Directory Server 5.2 for this project and i was also given a compressed installation package. I have tried to install this and received error msgs similar to the ones i have found others have had in this forum.
  For example topics:
  1. Forums - Directory Server configuration issues in Windows
  2. Forums - Install failed on Windows XP
  I am using windows XP and from what i have read although it is not supported some people have managed to get this to work. Also i read that maybe Studio enterprise might solve this issue or provide some support?
  Is this true and if so can someone give me some guidance on how to achieve this?
  Also i would appreciate your opinion on wether this design approach( LDAP for authentication and database for store) is feasible or technicaly "correct" and maybe suggestions to a different approach....

  I think that its never a bad idea to get acquainted with something like the Sun Directory Server although I'm not sure that means that one HAS to use it in a project.
  The DS can be a pain to get up but for the most part if you get the latest DS5.2 Q4 or something...most installations go smoothly. If it was me I would just chuck every thing about the convo into the directory but I'm sure that there's a reason that you want to use the DS in conjuction with other storage DBs.
  I don't think you need to get Studio enterprise. I was able to get it up and running all by itself on windows. After I installed it I jsut made sure to remember the two random ports it picks up for Admin and DS ldap usage. Also I changed the password expiry time of the account that is used by the Admin console.
  GLuck with this.
  Cheers,
  - Pulkit

• Linux: /etc/pam.d/system-auth config w/ Sun Directory Server 6.2

  I have a RHEL 4.3 WS system authenticating againd a Sun Directory Server 6.2 ldap server. I've configured my linux as an ldap client according to Redhat and Sun docs:
  http://kbase.redhat.com/faq/FAQ_79_6031.shtm
  http://www.sun.com/bigadmin/features/articles/nis_ldap_part3.jsp#P3
  My problem is with the /etc/pam.d/system-auth file. I've configured it according to the above sun doc but receive an error in /var/logs/ messages with this one line:
  account    [default=bad   success=ok user_unknown=ignore err=ignore
  authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.soThe error returned is:
  Mar  5 22:54:29 hostname sshd: PAM pam_parse: expecting return value;
  [...err=ignore authinfo_unavail=ignore]Login works fine if I comment that line, but I'd like to correct the error in that statement. Any help would be appreciated.
  Here is my entire /etc/pam.d/system-auth file:
  #%PAM-1.0
  # This file is auto-generated.
  # User changes will be destroyed the next time authconfig is run.
  auth        required      /lib/security/$ISA/pam_env.so
  auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth
  nullok
  auth        sufficient    /lib/security/$ISA/pam_ldap.so
  use_first_pass
  auth        required      /lib/security/$ISA/pam_deny.so
  account     required      /lib/security/$ISA/pam_unix.so
  account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid <
  100 quiet
  account    [default=bad   success=ok user_unknown=ignore err=ignore
  authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
  account    [default=bad   success=ok user_unknown=ignore err=ignore
  authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
  account     required      /lib/security/$ISA/pam_permit.so
  password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
  password    sufficient    /lib/security/$ISA/pam_unix.so nullok
  use_authtok md5 shadow nis remember=12
  password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
  password    sufficient    /lib/security/$ISA/pam_unix.so nullok
  use_authtok md5 shadow
  password    required      /lib/security/$ISA/pam_deny.so
  session     required      /lib/security/$ISA/pam_limits.so
  session     required      /lib/security/$ISA/pam_unix.soThanks.
  keywords:
  linux ldap sun directory server pam.d system-auth

  You do realize there is a decdicated Directory Server forum?
  It can be readily found on the Enterprise System forum page.
  http://forum.java.sun.com/index.jspa?tab=es

• Error while migrating to Sun Directory Server 6.0

  Hi All,
  I am trying to migrate the Sun One Directory Server 5.2 to Sun Directory Server 6.0. I am getting the following error
  bash-3.2# ./dsmig migrate-config /var/Sun/mps/slapd-circb2bld3/ /var/SunDirectoryServer6.0/dsInst/
  Launching Configuration Migration of server instance /var/Sun/mps/slapd-circb2bld3 .....
  Enter the certificate database password:
  Starting server instance /var/SunDirectoryServer6.0/dsInst ..... Instance /var/SunDirectoryServer6.0/dsInst is already running (ns-slapd pid is 3868)
  Enter "cn=Directory Manager" password:
  Connecting to server localhost:389 .....
  Could not bind securely on "localhost:389".
  Remote host closed connection during handshake
  Details: SSL peer shut down incorrectly
  Could not create context for configuration migration.
  Operation "migrate-config" failed.
  Please help me.

  Please stop
  The migration guide has step by step instructions, including command line examples, are you using that as your reference?
  Your upgrade should be to (at a minimum) DSEE 6.3.1.1.1. Upgrading to 6.0 is upgrading to a release level that has no patches or fixes to the product. There are significant fixes to the migration command line tools. There is a good chance you will run into issues.
  You should install and review migration to ODSEE 11.1.1.7.0 (which would effectively be the 7.2 release of the DS).
  There is a specific guide for migration and upgrade, which includes migration from DS 5.2 to 11.x
  The full documentation collection for 11.1.1.7.0 is here
  http://docs.oracle.com/cd/E29127_01/index.htm
  The specific migration guide is here
  http://docs.oracle.com/cd/E29127_01/doc.111170/e28971/toc.htm
  See: Part II Migrating from ODSEE 5.2 to ODSEE 11g Release 1 (11.1.1.7.0)
  ODSEE 11.1.1.7.0 can be downloaded from here.
  http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html

• Provisioning Sun directory Server to a User in OIM

  I am learning a OIM tool since 2 months, I could not able to do provisioning sun directory server to a user in OIM, the error is I am not getting the value for Organization DN. I am using ODSEE 11.1.1.5.0 and OIM 11.1.1.5.0. I have followed below steps
  1. Copy Connector and External Code Files.
  2. Configure Oracle Identity Manager Server.
  3. Import an Oracle Identity Manager Connector.
  4. Define an IT Resource.
  5. Create a User.
  6. Assign the Connector to a User.
  Please anyone suggest me solution for this problem.

  Hi,
  You need to run organization lookup reconciliation first then select value in the process form.
  If you are getting particular error, paste error messages from console?
  Regards,
  Raghav.

• Installation/Config Problem with Sun Directory Server Control Center (6.0)

  Hi All,
  I have recently attempted an installation of Sun Directory Server EE 6.0 on a x86 Solaris 10 machine.
  I have selected to install Core Directory Server and Sun Directory Server Control Center with my installation.
  After installation, if I check the status of the SUNDSCC, I receive the following message:
  bash-3.00# ./dsccsetup status
  DSCC Application is not installed
  DSCC Agent is registered in Cacao
  DSCC Registry has been created
  Path of DSCC registry is /var/opt/SUNWdsee/dscc6/dcc/ads
  Port of DSCC registry is 3998
  I have also tried to re-start the Sun Java Web Console using the /usr/sbin/smcwebserver start command but that does not do anything.
  If i try to initialize the SUNDSCC usin the ./dsccsetup initialize command, the registry got created, but it still displays as "application not installed".
  I do not understand. I have already installed this application using the JES installer.
  please help!
  Regards,
  Saahil Goel

  I had a similar issue. Here is how I fixed it.
  Run dsccsetup status with the -v option. it will show you where it is trying to find the DSCC Application. Then do a find on your system to see where it is actually installed. Then simply copy it over to where dsccsetup is looking for it. Then do dsccsetup initialize. Below is what it looked like on my system when I did it:
  # ./dsccsetup status -v
  ## /usr/sbin/smreg is present
  ## /usr/sbin/smcwebserver is present
  ## /opt/server/sun/dscc6/dccapp is MISSING
  DSCC Application is not installed
  ## /opt/sun/cacao/bin/cacaoadm is present
  ## /opt/server/sun/dscc6/lib/jar/nquickmodule.jar is present
  ## Running /opt/sun/cacao/bin/cacaoadm list-modules -r
  DSCC Agent is registered in Cacao
  ## Running /opt/sun/cacao/bin/cacaoadm status
  ## Running /opt/sun/cacao/bin/cacaoadm list-modules
  ## Running /opt/sun/cacao/bin/cacaoadm get-param network-bind-address
  ## Running /opt/sun/cacao/bin/cacaoadm get-param jmxmp-connector-port
  ## /opt/server/sun/ds6/bin/dsadm is present
  DSCC Registry has been created
  Path of DSCC registry is /var/opt/sun/dscc6/dcc/ads
  Port of DSCC registry is 3998
  # find / -name dccapp
  /opt/server/dscc6/dccapp
  # cp -R /opt/server/dscc6 /opt/server/sun
  # ./dsccsetup dismantle
  DSCC Application is not registered in Sun Java(TM) Web Console
  Unregistering DSCC Agent from Cacao...
  Deleting DSCC Registry...
  All server registrations will be definitively erased.
  Existing server instances will not be modified.
  Do you really want to delete the DSCC Registry ? [y/n]y
  Server stopped
  DSCC Registry has been deleted successfully
  # ./dsccsetup initialize
  Registering DSCC Application in Sun Java(TM) Web Console
  This operation is going to stop Sun Java(TM) Web Console.
  Do you want to continue ? [y,n] y
  Stopping Sun Java(TM) Web Console...
  Registration is on-going. Please wait...
  DSCC is registered in Sun Java(TM) Web Console
  Restarting Sun Java(TM) Web Console
  Please wait : this may take several seconds...
  Sun Java(TM) Web Console restarted successfully
  Registering DSCC Agent in Cacao...
  Checking Cacao status...
  Deploying DSCC agent in Cacao...
  DSCC agent has been successfully registered in Cacao.
  Choose password for Directory Service Manager:
  Confirm password for Directory Service Manager:
  Creating DSCC registry...
  DSCC Registry has been created successfully
  Hope this helps.

• Log file size in Sun Directory Server

  Does anyone have an idea about the how the Sun Directory Server's log file size will increase in size with respective to the actions performed?
  Can someone give a data regarding this? If someone has a better scenario and the supportive data w.r.t log file size it will be helpful.
  Thanks,

  AFAIK No its based on time "At a certain time, or after a specified interval, the server rotates your access logs. "
  More info in Archiving Log Files in [http://docs.sun.com/app/docs/doc/820-7985/gczxv?l=en&a=vie]
  It should be easy to write such a script to be run as a daemon in logs directory. Here is the pseudo code :
  while [1]
  do
  get size of the access/error log file
  If size of file > max_size
  <ws-install-dir>/https-<instance>/bin/rotate
  sleep for sometime
  done

• Sun Directory Server crashed

  Hi ,
  i dont know where to post this question because i really dont understand myself the error
  i downloaded Sun Directory Server 5.2 and installed in both my Solaris
  one of them is Solaris 8 ( Production Server)
  the other one is Solaris 10 ( Another Prod Server )
  i did master-master ldap replication but it works okay for quite sometimes ( few days )
  only today i found today that one of the directory server is crashing and what i found in the log is
  Dec/2006:17:17:10] config (10607):
  [19/Dec/2006:17:17:10] config (10607): 0xfe000000       /usr/lib/libpthread.so.1
  [19/Dec/2006:17:17:10] config (10607):
  [19/Dec/2006:17:17:10] config (10607): 0xfdfd0000       /usr/lib/libCrun.so.1
  [19/Dec/2006:17:17:10] config (10607):
  [19/Dec/2006:17:17:10] config (10607): 0xfdfb0000       /usr/lib/libmp.so.2
  [19/Dec/2006:17:17:10] config (10607):
  [19/Dec/2006:17:17:10] config (10607): 0xfdf90000       /usr/lib/libaio.so.1
  [19/Dec/2006:17:17:10] config (10607):
  [19/Dec/2006:17:17:10] config (10607): 0xfdf40000       /usr/lib/libresolv.so.2
  [19/Dec/2006:17:17:10] config (10607):
  [19/Dec/2006:17:17:10] config (10607): 0xfede0000       /usr/platform/SUNW,Sun-Fire-480R/lib/libc_psr.so.1
  [19/Dec/2006:17:17:10] config (10607):
  [19/Dec/2006:17:17:10] config (10607): 0xfded0000       /usr/lib/nss_files.so.1
  [19/Dec/2006:17:17:10] config (10607):
  [19/Dec/2006:17:17:10] config (10607): 0xfdea0000       /var/Sun/mps/bin/https/lib/libAdmservPlugin.so
  [19/Dec/2006:17:17:10] config (10607):
  [19/Dec/2006:17:17:10] config (10607): 0xfde70000       /var/Sun/mps/lib/libadmsslutil52.so
  [19/Dec/2006:17:17:10] config (10607):
  [19/Dec/2006:17:17:10] config (10607): 0xfde40000       /v[19/Dec/2006:17:17:10] config (10607): # An error report file has been saved as hs_err_pid10607.log.
  [19/Dec/2006:17:17:10] config (10607):
  [19/Dec/2006:17:17:10] config (10607): # Please refer to the file for further information.
  [19/Dec/2006:17:17:10] config (10607):
  [19/Dec/2006:17:17:10] config (10607): #
  [19/Dec/2006:17:17:10] config (10607):
  [19/Dec/2006:17:17:14] info (10610): Installing a new configuration
  [19/Dec/2006:17:17:14] info (10610): [LS ls1] http://ils1app3.tpcils.com, port 390 ready to accept requests
  [19/Dec/2006:17:17:14] info (10610): A new configuration was successfully installed
  [19/Dec/2006:17:17:14] info (10610): Using the Java HotSpot(TM) Server VM v1.4.1_01 from Sun Microsystems Inc.
  [19/Dec/2006:17:17:14] info (10610): Java VM classpath: /var/Sun/mps/bin/https/jar/NSServletLayer.jar:/var/Sun/mps/bin/https/jar/NSJavaUtil.jar:/var/Sun/mps/bin/https/jar/NSJavaMiscUtil.jar:/var/Sun/mps/bin/https/jar/servlet.jar:/var/Sun/mps/bin/https/jar/servlet-2.3-filters-api.jar:/var/Sun/mps/bin/https/jar/jspengine.jar:/var/Sun/mps/java/ldapjdk.jar:/var/Sun/mps/java/jss311.jar:
  [19/Dec/2006:17:17:14] info (10610): Loading IWSSessionManager by default.
  [19/Dec/2006:17:17:14] info (10610): IWSSessionManager: Maximum number of sessions is 1000
  [19/Dec/2006:17:17:14] catastrophe (10610): Server crash detected (signal SIGSEGV)
  [19/Dec/2006:17:17:14] info (10610): Crash occurred in function PR_Write from module /var/Sun/mps/lib/libnspr4.so
  [19/Dec/2006:17:17:14] config (10610):
  [19/Dec/2006:17:17:14] config (10610): An unexpected exception has been detected in native code outside the VM.
  [19/Dec/2006:17:17:14] config (10610):
  [19/Dec/2006:17:17:14] config (10610): Unexpected Signal : 11 occurred at PC=0xFEEBB384
  [19/Dec/2006:17:17:14] config (10610):
  [19/Dec/2006:17:17:14] config (10610): Function=
  [19/Dec/2006:17:17:14] config (10610): PR_Write+0x0
  [19/Dec/2006:17:17:14] config (10610):
  [19/Dec/2006:17:17:14] config (10610): Library=/var/Sun/mps/lib/libnspr4.so
  [19/Dec/2006:17:17:14] config (10610):
  [19/Dec/2006:17:17:14] config (10610):
  [19/Dec/2006:17:17:14] config (10610): Cannot obtain thread information
  [19/Dec/2006:17:17:14] config (10610):This is happening is the Solaris 8
  while in the Solaris 10 ( new box ) i cant see there is an error being logged.
  Any help/idea would be highly appreciated.
  Thanks

  Could it be because of too many load calls to LDAP server?
  or different java version ??

• Sun Directory Server Password Policy Problems

  Hi,
  I am using Sun Directory Server and Sun AM (2005Q1).
  We are using SUN DS to configure the password policy to expire user passwords after 30 days.
  Also, the warning has been set to "one day before expiry". However, when the warning IS displayed to the user and the user changes his/her password on display of the warning, even though the user's password expiration timestamp attribute contains a new timestamp (which is 30 days hence the date of change), on next login user is AGAIN thrown the warning that his/her password will expire in "HH hours: MM mins".
  I do not understand what needs to be done to fix this. Any help would be appreciated.

  How is the user authenticated ? Through Access Manager or directly to the Directory Server ?
  Access Manager can be configured to handle Password expiration, and so can Directory Server. I would advise you to check which system is actually throwing the warning.
  Regards,
  Ludovic

• Sun directory server 6.3.1 admin conlsole

  Hi
  In my sun directory server 6.3.1 admin conlsole and Applications view I have the following:
  Server Group
  Server Group (2)
  Administration Server
  Identity Synchronization
  If I click on the Directory Server I get the following error:
  This server component has not yet been downloaded, or it could not be activated. Press Download to retry.
  If I click on Download, I get : (Class loader error) Failed to install a local copy of ds523.jar or one of its supporting files: error result
  What can I do to fix it?
  Thanks!

  Hi
  In my sun directory server 6.3.1 admin conlsole and Applications view I have the following:
  Server Group
  Server Group (2)
  Administration Server
  Identity Synchronization
  If I click on the Directory Server I get the following error:
  This server component has not yet been downloaded, or it could not be activated. Press Download to retry.
  If I click on Download, I get : (Class loader error) Failed to install a local copy of ds523.jar or one of its supporting files: error result
  What can I do to fix it?
  Thanks!

• Sun Directory Server as Primary Domain Controller.

  Hello,
  I've recently installed Sun Directory Server, Access Manager, and DSEE Identity Manager, on CentOS 5.2, with success, but my question is:
  Can I use this directory as a primary domain controller for my network, I want to know if it is possible to integrate this directory in the same way that Active Directory works, I mean connecting Windows computers to the DC with some kind of connector (because windows won't connect to another directory than AD natively). I know that there are some MSGina replacements, like pgina, but I'm looking for some serious solution, especially for computers running Windows Vista.
  Thanks in advance.

  Hi,
  thanks for your answer, but.. there is a way to configure the DSEE to be like a native 2000/2003 Active Directory?, I mean, connecting directly to the DSEE without using Samba, I know that is possible to use that solution, but you lose some functionality.
  I've been trying to do some research about the topic, like modifying the bind DNS to act like a AD DNS, and it works at a certain grade, windows xp detects the SVR records but when it tries to connect to the directory it fails giving me an error telling that the DC isn't available. It will be great to make such environment, Windows XP / Vista connected to DSEE without third party software.
  Any comment would be greatly appreciated.
  Thanks.

• Sun Directory Server Windows Version

  Hi,
  I am in need of Sun Directory Server 5.2 ( Windows Version ), as I am planning for upgrade to 11g.
  Is there any way I can get it?
  Thanks. JPrince

  Thank You Marco for the response.
  Yes, I understand that it is not available, however i am expecting if someone has it on their workstation, and could send it via bigfiles etc. If I dont get any response, surely i will try to reach out to support team.
  JPrince.

• Error installing OAM against Sun Directory Server 6.3: No such object (32)

  Hi folks,
  I'm getting error installing OAM 10.1.4.3.0 (Linux, 64 bit) against Sun Directory Server 6.3. I've followed Oracle troubleshooting doc (http://download.oracle.com/docs/cd/E15217_01/doc.1014/e12493/trouble.htm#BABBAAFH), and replaced every occurrence of cn=userRoot with cn=my_company_name inside iPlanet5_oblix_index_add.ldif. I still get the same error "ldapmodify: No such object (32)" for every entry in the file. Has someone managed to get it to work?
  Thank you, Roman

  Hi folks,
  I got it to work, here're the steps:
  1. After loading the schema file, follow the article (http://download.oracle.com/docs/cd/E15217_01/doc.1014/e12493/trouble.htm#BABBAAFH, not the doc 552157.1 as it states incorrect info, sorry
  Notoriuos) to edit the index file (iPlanet5_oblix_index_add.ldif) and replace all occurrences of "userRoot" with "your_company_name" (which is your ldap suffix without the c=us part as in
  o=your_company_name, c=us) using vi command:
  :%s/userRoot/your_company_name/g
  2. run ldapadd (not ldapmodify! as all but the one last object listed on the dn: line might already exist under cn=config), here's example:
  $ ldapadd -x -h your_ldap_host -p your_port -c -f IdentityServer_install_dir/identity/oblix/data.ldap/common/iPlanet5_oblix_index_add.ldif -D "cn=directory manager" -w directory_manager_passwd
  3. If done right, you should see smth like this:
  adding new entry "cn=obactionname,............... per every entry in the index file
  HTH
  Roman