Troubles with DHCP-supplied LDAP servers
Hello,
This feature doesn't work at all in my environment...
I've an OpenLDAP server (RFC 2307) and a couple of Macs (newest Leopard) which have been working quite nicely together for a while now.
It's a closed network and I want to get rid of the following commands, which I have to enter on each new Mac:
sudo dsconfigldap -x -e -v -s -a ldap.mydomain.de -n "MYLDAP"
sudo dscl -q localhost -create /Search SearchPolicy dsAttrTypeStandard:CSPSearchPath
sudo dscl -q localhost -merge /Search CSPSearchPath /LDAPv3/ldap.mydomain.de
Instead I want to use the possibility of transmitting the needed LDAP data using DHCP.
Therefore I've added the following lines to my dhcpd.conf on the server:
option ldap-server code 95 = text;
option ldap-server "ldaps://ldap.mydomain.de:636/dc=mydomain,dc=de";
Booting a Mac I get the following results:
bo-dhcp-228:~ sysadm$ ipconfig getpacket en1
op = BOOTREPLY
htype = 1
flags = 0
hlen = 6
hops = 0
xid = 276885973
secs = 0
ciaddr = 10.0.0.228
yiaddr = 10.0.0.228
siaddr = 10.0.0.78
giaddr = 0.0.0.0
chaddr = 0:1c:b3:b0:e2:d5
sname =
file =
options:
Options count is 9
dhcpmessagetype (uint8): ACK 0x5
server_identifier (ip): 10.0.0.78
lease_time (uint32): 0x5a0
subnet_mask (ip): 255.255.255.0
router (ip_mult): {10.0.0.1}
domainnameserver (ip_mult): {10.0.0.9}
domain_name (string): mydomain.de
ldap_url (string): ldaps://ldap.mydomain.de:636/dc=mydomain,dc=de
end (none):
So far so good.
But the LDAP server never gets used.
dscl localhost list /LDAPv3 on the Mac client shows empty results, and
on the wire there is absolutely no traffic to ldap.mydomain.de.
In fact the Mac client completely ignores the DHCP-provided settings. Of course I've enabled the
setting "Add DHCP-supplied LDAP servers to automatic search policies" on
the client.
I've tried to trace the problem on the client side by doing
sudo ipconfig setverbose 1
touch /Library/Preferences/DirectoryService/.DSLogAtStart
and looking into /Library/Logs/DirectoryService/DirectoryService.debug.log, /var/log/system.log
and /var/log/com.apple.IPConfiguration.bootp, but there is no hint why the client is not using the published LDAP settings.
It must be some problem on the Mac side.
Can anybody give a hint how to solve this problem?
Thanks
Christian
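Added example, not part of the original post: the DHCP ACK above carries the LDAP URL as option 95, and the point of the client-side "Add DHCP-supplied LDAP servers" switch is that DHCP is unauthenticated, so anyone who can answer DHCP on the segment can also hand out a directory server. The script below parses the options field of a DHCP reply the way a client would and then applies a policy check before the URL is trusted. The option bytes are constructed by hand to mirror the ACK shown in the thread; the allowlist of trusted hosts and the accept_ldap_url policy are assumptions made for illustration, not anything Leopard's DirectoryService does.

```python
"""Parse DHCP reply options and vet a DHCP-supplied LDAP URL (option 95).

Added example, not from the original thread. The ACK options below are
constructed to match the ipconfig getpacket output in the post; the
allowlist and the policy function are assumptions for illustration.
"""
import ipaddress
import struct
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Option codes used here (RFC 2132; 95 is the LDAP URL option the post uses)
OPT_PAD = 0
OPT_SUBNET_MASK = 1
OPT_ROUTER = 3
OPT_DNS = 6
OPT_DOMAIN_NAME = 15
OPT_LEASE_TIME = 51
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_LDAP_URL = 95
OPT_END = 255

MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_options(options: bytes) -> Dict[int, bytes]:
    """Return {code: raw value} for the TLV options after the magic cookie.

    Stops at END, skips PAD bytes and rejects a truncated TLV instead of
    silently reading past the end of the packet.
    """
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i = len(MAGIC_COOKIE)
    out: Dict[int, bytes] = {}
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            return out
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        out[code] = value
        i += 2 + length
    raise ValueError("options not terminated by END")


def build_option(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def ip_option(opts: Dict[int, bytes], code: int) -> str:
    return str(ipaddress.IPv4Address(opts[code][:4]))


def lease_seconds(opts: Dict[int, bytes]) -> int:
    return struct.unpack("!I", opts[OPT_LEASE_TIME])[0]


def ldap_url_from_options(opts: Dict[int, bytes]) -> Optional[str]:
    raw = opts.get(OPT_LDAP_URL)
    return raw.decode("ascii") if raw is not None else None


# Constructed to match the ACK in the post (ACK, server 10.0.0.78, lease 0x5a0)
CONSTRUCTED_ACK_OPTIONS = MAGIC_COOKIE + b"".join([
    build_option(OPT_MSG_TYPE, b"\x05"),
    build_option(OPT_SERVER_ID, ipaddress.IPv4Address("10.0.0.78").packed),
    build_option(OPT_LEASE_TIME, struct.pack("!I", 0x5A0)),
    build_option(OPT_SUBNET_MASK, ipaddress.IPv4Address("255.255.255.0").packed),
    build_option(OPT_ROUTER, ipaddress.IPv4Address("10.0.0.1").packed),
    build_option(OPT_DNS, ipaddress.IPv4Address("10.0.0.9").packed),
    build_option(OPT_DOMAIN_NAME, b"mydomain.de"),
    build_option(OPT_LDAP_URL, b"ldaps://ldap.mydomain.de:636/dc=mydomain,dc=de"),
]) + bytes([OPT_END])

# Assumption: the site's allowlist of directory servers a client may bind to.
TRUSTED_LDAP_HOSTS = {"ldap.mydomain.de"}


def accept_ldap_url(url: str, trusted_hosts=TRUSTED_LDAP_HOSTS) -> Tuple[bool, str]:
    """Decide whether a DHCP-advertised LDAP URL may join the search policy.

    A rogue DHCP server on the LAN can advertise option 95 just as easily as
    the real one, so require ldaps://, the standard port and an allowlisted
    host rather than binding to whatever the lease says.
    """
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "ldaps":
        return False, "scheme %r is not ldaps" % parts.scheme
    if parts.hostname is None:
        return False, "no host"
    if parts.hostname.lower() not in trusted_hosts:
        return False, "host %r not in allowlist" % parts.hostname
    if port not in (None, 636):
        return False, "unexpected port %d" % port
    return True, "ok"


if __name__ == "__main__":
    opts = parse_options(CONSTRUCTED_ACK_OPTIONS)
    url = ldap_url_from_options(opts)
    print("server", ip_option(opts, OPT_SERVER_ID), "lease", lease_seconds(opts))
    print(url, accept_ldap_url(url))
```

Run stand-alone it prints the server identifier and lease from the constructed ACK and then the policy decision for the advertised URL. A cleartext ldap:// URL or an unknown host is rejected, which is the check worth having in place before letting a lease decide where accounts and group memberships come from.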
I have not tried to set this up using the command line (as you described), but have in the past done it using "Server Manager" (on the server) and "Directory Access" on a Mac OS X 10.4.x client.
When I did this I found that Macs after booting would not show a list of network login accounts (as they should have) and typically trying to log in using 'other' would fail. Also, typically after a minute or two (and several attempts) it usually did work. AppleCare's suggested workaround at the time was to not use DHCP to advertise the Open Directory server but to instead manually define it on the clients (using Directory Access).
My belief as to why it did not work is that when a Mac boots, it enables its network interface, asks the DHCP server for an address (and the LDAP details) and then in theory should continue to boot and connect to the LDAP server. However, I believe that the timing of these events is such that the Mac goes past the LDAP stage before it has finished the DHCP stage and as a result does not have the LDAP information in time. By manually defining the LDAP (Open Directory) server in Directory Access it is already known in advance and you avoid this problem.
I have seen nothing to suggest that Leopard is any different in this area (although my recollection is that Panther - Mac OS X 10.3 - did not have this problem).
So I use a manually defined entry on all our computers, and I have incorporated this into the standard disk image I use to build all the new computers.
Similar Messages
-
Trouble with applet tutorial about servers
I downloaded the sources of this (http://java.sun.com/docs/books/tutorial/deployment/applet/clientExample.html) example and am trying to make them work. However, I'm having trouble with the server program. It compiles fine but when I run it I get NullPointerException in the QuoteServerThread class on this line:
packet = new DatagramPacket(buf, 256); buf is a byte array and it's set to null.
I don't have any experience with networking in Java so if the problem is something really simple you'll know why I didn't find it.
Oh, and the code of the thread is here http://java.sun.com/docs/books/tutorial/deployment/applet/examples/QuoteServerThread.java
Replace
byte[] buf = null; with
byte[] buf = new byte[ 256 ]; Other problems may happen if this sample was not tested properly.
The problem is that the DatagramPacket requires you to supply a non-null buffer, as per:
DatagramPacket
public DatagramPacket(byte[] buf, int length)
Constructs a DatagramPacket for receiving packets of length length.
The length argument must be less than or equal to buf.length.
Parameters:
buf - buffer for holding the incoming datagram.
length - the number of bytes to read.
Edited by: baftos on Jul 18, 2008 3:38 PM -
Can LAUTHSVR be used with non WebLogic LDAP servers?
Is it possible to use LAUTHSVR with other LDAP servers like MS Active Directory?
Martin,
LAUTHSVR currently does not support ActiveDirectory. BEA Product Management
is aware that some customers would like to use alternate LDAP servers and a
future release of Tuxedo may or may not contain enhancements in this area.
With present releases of Tuxedo, it is possible for an application to modify
the $TUXDIR/lib/AUTHSVR.c source to write whatever sort of authorization
server is desired, but the application will need to handle interactions with
the ActiveDirectory LDAP server themselves if this approach is followed.
<Martin Borgman> wrote in message news:[email protected]..
Is it possible to use LAUTHSVR with other LDAP servers like MS ActiveDirectory? -
I have a question: my mainboard is a KT3 Ultra-ARU and I just got an Antec TruePower 480W power supply. This power supply comes with a 3-pin sensor and I connected this sensor to my mainboard, but it does not show the speed. What can I do? I have also tried PCAlert III and get the same thing with that.
Thank you
Fans spin slow on it; BIOS 5.4 talks about a fix for slow fans.
-
Trouble with CFLOCATION and Proxy Servers
Hi,
Trying to troubleshoot an annoying issue and wondering if
anyone has had any experience with this - haven't had much luck
Googling for info. Using up-to-date CF 6.1 and the current version of
Apache 2.0. The client is accessing our CF webapps via a clustered
proxy server/firewall architecture. Each time client users HTTP POST
through one of our applications, the page they are redirected to
only displays a small portion of unprocessed raw source page
content; the remaining page content never seems to make it to the
client's browser. The only way they can get a valid version of the page
is to refresh the browser. I verified that a small portion of raw
source content is returned by the application during these
redirects using an HTTP sniffer; however, my office PC still
redirects to the correct page. We are using <CFLOCATION> tags
to move users between pages after submitting.
I suspect this problem has to do with their proxy server(s)
holding HTTP 302 responses to the literal standard, which
(paraphrasing) basically states that while the URI has been moved,
it is up to the client to continue the actual redirect. I believe
HTTP 303 responses would be the "correct" implementation. Having
said that, we've never run into this issue with any other client
users before.
Has anyone ever run into similar issues before? Any help is
greatly appreciated.
Thanks,
DTS -
AEBS associates client hostnames with DHCP-supplied IP addresses?
Hi,
I have 3 Mac's, a Windows and a Linux machine on my home network.
I'm looking at getting an Airport Extreme Base Station.
I understand it does DNS forwarding and caching out-of-the-box.
I'd love to know if the Airport Extreme when acting as a DHCP server for the network will associate the client host names with the IP addresses it dishes out.
In other words, if I name my iMac "slartibartfast" will the AEBS pick up on this, and allow me ping and ssh to slartibartfast by name from the other machines on the network?
Note that I'm not talking about Bonjour here - I'm talking about DNS names.
I believe on the Mac to give it a DNS host name I have to do
scutil --set HostName slartibartfast
Thanks,
Sarah
Unfortunately, Apple dropped a number of features and functions in the "upgrade" to AirPort Utility 6.x in Lion and Mountain Lion.
If you are still running Lion, download and install AirPort Utility 5.6 for Mac OS X Lion to get those features back. Just keep both AirPort Utility 5.6 and 6.1 on your Mac and use the one that you need.
If you are using Mountain Lion on your Mac, things get more complicated since Apple will not officially allow you to install AirPort Utility 5.6 on that operating system.
The workaround is to use a utility like Pacifist to manually extract the application and then manually install it in the Utilities folder. It will run fine this way.
More details here:
http://www.macworld.com/article/1167965/mountain_lion_and_the_ancient_airport_base_station.html
Another workaround, if you have Time Machine backups, is to go back in time to locate AirPort Utility 5.6 and restore it to the desktop. Then drag it into the Utilities folder. -
Trouble with all outgoing mail servers
Was there an update that would have knocked out my ability to send outgoing mail? I can still receive mail from gmail.com, live.com and a business email account that had all been working fine till about a week ago. I had not made any changes, but have since changed the outgoing port to 587, to no avail. I have also tried to Repair Disk Permissions using Disk Utility. However, I still am not able to get the SMTP servers to connect.
Any ideas?
I have cleared my outbox and resent a test email from one account to the other, which I know is receiving emails. I am using the Apple Mail application, which had been working just fine with all 3 accounts for the past 2 years.
-
[RESOLVED] Trouble with NTP Sync between servers
Hello everybody,
I need your help to get my infrastructure back to normal.
Since this week (change to winter time), my whole infrastructure (2 DCs and 6 Windows servers) is desynchronised!
I mean, they all have the same time, but it is 20 min behind real time...
and I don't know why!
My DCs are set up to external NTP (ntp0.oleane.net & ntp1.oleane.net) and the other servers are set up to internal NTP
(DC1 & DC2).
Can someone help me to resynchronise the whole thing in order to have all my servers on the exact same timing ?
And maybe recheck if everything is OK in my configuration...
Thanks for your help
Best
Hi nvlopp,
Your case is usually caused by the public external time source not responding to your server's request. Please first confirm that your network firewall settings are not blocking port 123
(TCP/UDP), or you can enable time service debug logging on your PDC and then post the failing part.
Enable Windows Time Service Debug Logging
http://technet.microsoft.com/en-us/library/cc816838%28v=ws.10%29.aspx
How to turn on debug logging in the Windows Time Service
http://support.microsoft.com/kb/816043
Restore Windows Time service on local computer to default settings-http://technet.microsoft.com/en-us/library/cc738995(v=WS.10).aspx
How to configure an authoritative time server in Windows Server - http://support.microsoft.com/kb/816042
http://technet.microsoft.com/en-us/library/cc779560(v=WS.10).aspx
I'm glad to be of help to you!
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Workflow support for Non OID LDAP servers
Can workflow 2.6.2 be integrated with other vendors LDAP servers??
OID supports integrating with other LDAP directories, and Workflow supports synchronizing with those other external user directories through OID. So you can use a third-party LDAP directory, but it is a requirement to go through OID to do so.
-
Integrating BIP with multiple LDAP servers
Hi,
My question is very simple. In Admin->Security Configuration->Security Model I've set the Security model combobox to the LDAP value. Then I've filled in all the LDAP information fields (for example: URL). All works. But in my rpd I have multiple LDAP servers (multiple URLs) and in the form I can insert information about only one LDAP server.
Is it possible to configure BIP with multiple LDAP servers?
Thanks
Giancarlo
P.S. I'm using OBIEE 10g -
Other LDAP servers with Oracle ?
Hi,
We plan to integrate LDAP further in our enterprise and
especially with Oracle databases (configuration, security
issues). Oracle provides its own LDAP server known as OID, but can
we use another LDAP server to store Oracle-specific LDAP data?
We have to consider LDAP for Windows (Active Directory), for
mail purposes (Postfix) and for database logon and configuration.
We don't want to have Active Directory plus OID plus Netscape
LDAP plus OpenLDAP... We want to use LDAP protocols and data
that fit in an integrated directory for enterprise use.
So can we deploy another directory server behind Oracle's LDAP
client functionality?
Thanks in advance for your help ;-)
Hello aymeric,
The wonderful thing about LDAP is that it is a protocol standard
governed by the IETF. So migrating from one server to another
should be relatively easy. Since version 3.0.1, OID has a Meta
Directory, or as it is sometimes referred to, the Directory
Integration server, built into it, which allows you to create
custom connectors to synchronize OID with just about any type of
data repository.
Can you give me a specific example of what you want to migrate?
Obviously I cannot vouch for the capabilities of other LDAP
servers regarding this subject.
Thanks,
Jay -
Hello !
I've got real trouble with my DNS configuration... and I can't understand it! So I need some help....
Well, quite a newbie in Mac OS Server, I run it on a G4, and I had not noticed any trouble until I decided to run Open Directory as a master with LDAP, wanting to have Kerberos protection for the users.
Kerberos doesn't want to play with me!
I've been in console mode to have a look, and actually I've seen this:
"Oct 17 11:31:08 wakan servermgrd: servermgr_dns: no name available via DNS for 192.168.0.109
Oct 17 11:31:08 wakan servermgrd: servermgr_dns: no reverse DNS entry for server, various services may not function properly"
OK... my DNS has a problem... but I don't know how to fix it! Is there anybody in this world who can help me?
I don't want to have a real DNS for my little server... but I understand that my config is not good. I can understand that having a caching DNS can improve the quality of my config, and on the other hand that it is necessary for having the services of OS X Server in an efficient way, but I don't know the way and the parameters I have to put in my config to fix it.
Now, just some words on my config...
First, I've got an address provided by my FAI (the French word for ISP, I think): "193.252.209.135". This address is set on a D-Link modem router via PPPoE. The DNS servers of my provider (wanadoo.fr) are 80.10.246.1 and 80.10.246.132.
After this there is my G4 with Mac OS X Server.
• en0, the "external gate" and the internal Ethernet on the computer, is plugged into the modem with the address "192.168.0.109". The router is set to "192.168.0.1". The DNS servers are 80.10.246.1 and 80.10.246.132.
• en1, the "internal gate" for the network, a PCI card in the computer, has the parameters: address "192.168.3.1", subnet "255.255.255.0", router "192.168.3.1". No DNS records. (No VPN service for the moment.) After this, I have a switch for the Macs behind the server (without any link aggregation).
All those parameters have been set by the gateway assistant.
And now the parameters inside Server Admin:
DHCP: en1 - addresses from 192.168.3.2 to 192.168.3.254, name 192.168.3. No static cards. Router 192.168.3.1. No default domain name, name servers 80.10.246.1 and 80.10.246.132. No LDAP, no WINS.
DNS: No zone transfer, recursion is ON. No zone records.
NAT: set to full, forwarding and Network Address Translation.
When I've been in the Terminal, I had this information:
"wakan:~ st$ sudo changeip -checkhostname
Password:
Primary address = 192.168.0.109
Current HostName = wakan.local
The DNS hostname is not available, please repair DNS and re-run this tool."
All my "main" services are working fine (AFP, Firewall, DHCP, DNS, Update). Open Directory is running without Kerberos. By the way, all the Macs behind the G4 server have correct access to the internet and share information via the LDAP of Open Directory, but I have to say that, a couple of days later, a friend of mine who has a PC couldn't get a DHCP dynamic address when he plugged into my little network. I think that it is another problem, and I've decided to have a look at this later... but if someone knows how to resolve it...
So here begins the nightmare for me... so if anybody can help me... I really need some help to fix this mystery!!!
Special thanks!
As the router modem is already doing NAT, why use NAT in the server?
If you want to use Open Directory and other services you should/need to set up the DNS correctly using the server's private IP (and others in the same range the server is set up with). The domain name used internally can be different from your public one.
And then use the server as the only DNS for your LAN clients and the server itself. Forwarders (your ISP DNSes) in /etc/named.conf usually speed up lookups of external addresses (also turning off IPv6 can help with that). -
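Added example, not part of the original thread: the two servermgrd lines in the post and the changeip -checkhostname failure are the same complaint, that the server's address has no PTR record and its only name is the mDNS name wakan.local, which Kerberos and Open Directory cannot build a service principal from. The check below does what changeip is doing in spirit, forward and reverse lookup and a consistency test, but against two constructed lookup tables instead of a live resolver so it runs offline. The zone name example.lan, the hostname wakan.example.lan and the choice of 192.168.3.1 as the LAN-side address to publish are assumptions for illustration.

```python
"""Forward/reverse DNS consistency check of the kind Open Directory and
Kerberos need before they will use a server's hostname.

Added example, not from the original thread. Lookups are done against
constructed tables (A records and PTR records) rather than a resolver; the
zone and host names are assumptions.
"""
import ipaddress
from typing import Dict, Tuple


def check_hostname(ip: str, a_records: Dict[str, str],
                   ptr_records: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, detail).

    ok is True only when ip has a PTR record, the name it yields is a real
    DNS name (not .local, which is mDNS only) and that name has an A record
    pointing back at the same ip. A mismatch in any direction is what makes
    servermgrd log "no reverse DNS entry for server".
    """
    addr = ipaddress.IPv4Address(ip)
    name = ptr_records.get(addr.reverse_pointer)
    if name is None:
        return False, "no reverse DNS entry for %s" % ip
    if name.lower().endswith(".local"):
        return False, "%s is an mDNS name, not a DNS hostname" % name
    forward = a_records.get(name)
    if forward is None:
        return False, "%s has no A record" % name
    if ipaddress.IPv4Address(forward) != addr:
        return False, "%s resolves to %s, not %s" % (name, forward, ip)
    return True, name


# Constructed: the state in the post, no zone records at all.
BROKEN_A: Dict[str, str] = {}
BROKEN_PTR: Dict[str, str] = {}

# Constructed: the fix the reply describes, a zone on the server's LAN side
# with matching A and PTR records (names and zone are assumptions).
FIXED_A = {"wakan.example.lan": "192.168.3.1"}
FIXED_PTR = {ipaddress.IPv4Address("192.168.3.1").reverse_pointer: "wakan.example.lan"}

# Constructed: a half-done fix, PTR present but A record points elsewhere.
MISMATCH_A = {"wakan.example.lan": "192.168.0.109"}
MISMATCH_PTR = dict(FIXED_PTR)


if __name__ == "__main__":
    for label, ip, a, ptr in [
        ("as posted", "192.168.0.109", BROKEN_A, BROKEN_PTR),
        ("fixed", "192.168.3.1", FIXED_A, FIXED_PTR),
        ("mismatch", "192.168.3.1", MISMATCH_A, MISMATCH_PTR),
    ]:
        print(label, check_hostname(ip, a, ptr))
```

The third table is the case worth testing for after editing zones by hand: a PTR that names the host while the A record still carries the WAN-side address. Kerberos will take the name from the PTR, the client will connect to the A record's address, and the ticket will not validate against the service it actually reached.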
I am having a bit of trouble with ip redirects on an airnet 1042N
Here is what happens: I turn off ip redirect, everything works fine; turn it on, everything works fine. The problem is when I apply an ACL to it.
If I apply an ACL, I can ping web sites, but I cannot browse websites or telnet to port 80. This is simply a test configuration before I move it into production. 10.0.0.0/22 is our subnet. I want the guest SSID to allow access to the internet, but not to the internal network (with the exception of the gateway (10.0.1.254), DHCP, and DNS servers (same server, 10.0.1.221)).
Running config
Current configuration : 2475 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname testap
logging rate-limit console 9
enable secret 5 $1$PBvp$dH8HqNdXBTP7eCzYanRRo.
no aaa new-model
dot11 syslog
dot11 ssid main
authentication open
authentication key-management wpa version 2
wpa-psk ascii 7 1234567890abcdefghi
ip redirection host 10.0.1.254 access-group 102 in
dot11 ssid secondary
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 075E731F1A5C4F524F4B5B0D06292F212E343D2B
ip redirection host 10.0.1.254 access-group 103 in
username Cisco password 7 01300F175804
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid main
ssid secondary
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
ip address 10.0.2.150 255.255.252.0
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.0.2.150 255.255.252.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
access-list 101 permit ip any host 10.0.1.254
access-list 101 permit ip any host 10.0.1.221
access-list 101 deny ip 10.0.0.0 0.0.3.255 10.0.0.0 0.0.3.255
access-list 101 permit ip any any
access-list 102 permit ip any 10.0.0.0 0.0.3.255
access-list 103 permit 80 any any
access-list 103 permit ip any host 10.0.1.254
access-list 103 permit ip any host 10.0.1.221
access-list 103 deny ip 10.0.0.0 0.0.3.255 10.0.0.0 0.0.3.255
access-list 103 permit ip any any
access-list 120 permit ip host 10.0.3.41 any
access-list 120 permit ip any host 10.0.3.41
bridge 1 route ip
line con 0
logging synchronous
line vty 0 4
login local
end
James:
Welcome to the forum.
To enable both encrypted and unencrypted traffic on the same radio you need to use VLANs. If you are using only the native VLAN then you are bound to only one encryption method for all SSIDs.
Check this for multiple SSIDs and multiple VLANs:
https://supportforums.cisco.com/docs/DOC-14496
For your network above, you should review the ACL and make sure it allows the needed traffic. Make sure both ports 80 and 23 are opened. Make sure to choose correct ports (udp, tcp) on the ACL.
You can also try configuring ip redirect from GUI. give a look to the ip redirect doc: http://tiny.cc/gdsekw.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you" -
Is it possible to configure and use two or more LDAP servers to authenticate OBIEE users? We have users with logins in two different domains that need to log in to our OBI servers.
Yes, It is.
Just list out all the LDAP servers with domain identifiers.
then In your authentication initialization block add all the LDAP servers. So the BI Server will authenticate against each server until it finds a match. or based on domain identifier it will go to the correspondent LDAP server.
- Madan -
I'm having big trouble with my new mainboard: Part II
Hi
I haven't got any more replies to my post "I'm having big trouble with my new mainboard" by Krelian 2003.09.13 at 05:25. Please help! I've been struggling with this for a LONG time. And now my computer won't boot at all! Sometimes the LEDs in front of the computer light up for half a second, and nothing more happens. The only sign of life is the green light in the LAN jack. It happened after I took the IDE cable for my hard drive in and out of the mainboard. This is insane, how can that suddenly happen :O ?! I was asked by wonkanoby to post max amps for my PSU, I did, and I really need to know if I maybe need a new PSU, since he asked that. Can a new PSU solve all the problems mentioned in my previous posts? Everything was fine except that I couldn't get into Windows, before I tried another hard drive on my computer. How can that complicate things so much? I have tried going barebone, and taking out the CMOS battery and setting the jumpers JBAT1, J10 and J11. I have also tried every suggestion I got. Please help! I really need to get this fixed!
-Krelian
Some power supplies are designed so that if there is a short or overload they shut themselves off, and some will not turn back on. Some have a relay that will click back on and work; some you have to cycle the power switch. Those that won't come back on will have to be replaced. I'm not saying that yours is that type as I have no way of telling. But if you have a friend who will loan you a good power supply you might try it. As someone else said, just turning off the power will not drain all the power from some motherboards. To test this, turn off your power supply then turn on the computer with the start button. Mine will flash the lights and the fans will start to spin then die. So every time you turn off the computer to work on it, after turning off the PSU hit the start button to drain any power left in it before working on it. Also do this after unplugging it, just to make sure.