UME-LDAP Configuration

Similar Messages

• Guide me how to automate UME LDAP Configuration

  Hello colleagues,
  I am not sure if this is the right place for putting my question.
  We wanted to automate 'UME LDAP Configuration with Microsoft AD', because we have nearly 25 portals and has to be refreshed for every 3 months from different systems. Instead of configuring UME  every time, we wanted to automate it such that
  it can be done by one click for each portal.
  I am not aware, if it can be done through Webdynpro or Java API.
  Please let me know in which way we can achieve this functionality. If it is in Java then please let me know how to access UME APIs. Moreover Configtool will not save its data at O.S level, it stores in DB.
  Please guide me on achieving this.
  Regards,
  kasi

  Hi Nivas,
  thank you very much for your answer.
  Could you please let me know any APIs to use these functions
  I googled and found APIs for User management ( creating,deleting ,etc..) only.
  I could not find any APIs for LDAP settings in Configtool.
  I wanted to set these values ( which are specified in above link ) from out side.
  Regards,
  venkat
  Edited by: Venkata Kasi G on Mar 2, 2012 2:41 PM

• UME LDAP configuration XML file

  Dear Experts-
  I am configuring multiple LDAP as ume for EP 7.0 EHP2 . I am following the the document below.
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/8036faa9-3d95-2c10-e596-c7c97082f07e?QuickLink=index&overridelayout=true
  It mentions xml file to be dowloaded is  dataSourceConfiguration_multiLDAP_db.xml file but ther eis no such file. Can you please let me know where I can find this.
  The only ones I see are.
  Microsoft ADS readonly , deep and flat
  Microsoft ADS Deep & flat
  Novell LDAP Read only flat and deep
  Novell LDAP flat & deep
  DatasourceConfiguration_simens_deep_readonly_db
  Siemes LDAP servers Read flat & deep
  Just to let you know we are using MS ADS flat. Please  let me which which file I can choose to put the second LDAP data source.
  Thanks,
  John

  John,
  There is no such file (dataSourceConfiguration_multiLDAP_db.xml) delivered for configuring multiple LDAP data sources.
  You will need to download dataSourceConfiguration_ads_readonly_db.xml and modify as per your needs and upload it with your own custom name.
  1. Open the dataSourceConfiguration_ads_readonly_db.xml file using a text
  editor (other than Notepad) and locate the <dataSource.../> section for the u201CCORP_LDAPu201D.
  2. For each additional LDAP server, paste the copy into the document after the original
  </dataSourceu2026> ending tag for the CORP_LDAP source. Change the name of the data source for
  pasted copy to u201CCORP_LDAP_Xu201D or some other value. This value becomes a data source identifier
  for UME and prefixes the principal Ids.
  For each LDAP data source, locate the <privateSectionu2026> within the <dataSourceu2026> tag and
  enter the following lines if they are not present:
  <ume.ldap.access.server_name>SERVER_HOSTNAME</ume.ldap.access.server_name>
  <ume.ldap.access.server_port>SERVER_PORT</ume.ldap.access.server_port>
  <ume.ldap.access.user>DS_USER_NAME</ume.ldap.access.user>
  <ume.ldap.access.password>DS_PASSWORD</ume.ldap.access.password>
  <ume.ldap.access.base_path.user>USER_ROOT_IN_DS</ume.ldap.access.base_path.user>
  <ume.ldap.access.base_path.grup>GROUP_ROOT_IN_DS</ume.ldap.access.base_path.grup
  >
  Save this file with your custom name and upload it.
  Thanks,
  Shanti

• How to create a user in J2ee UME, if LDAP configured?

  Hi SAP Gurus,
  I have a question for my J2EE engine. We configured LDAP for user storage, so that our User can use there normal LDAP user ID. Now I want to create an administrative user like J2EE_ADMIN or Administrator, these are standard users and present in the UME of the J2EE engine since the installation of my portal.
  But when I go to the user admin and want to create this new admin user, I got an error message, that Im not able to create it.
  I also try to create the user via the Visual Admin and the J2EE Useradmin.
  So my question is, how can create this new user in the UME and NOT in the LDAP???
  Thanks.

  Hi Marcel Haberland ,
  If your idea is to have single Sign on , I would say the process is to create the user in LDAP itself that will be the single point of entry ,  Since the UME is configured and connected to LDAP normally with read permission your best bet will be to create the user in LDAP.
  SSO with  is configured to all your backend syst ( trusts needs to be configured between Java/Portal to all your backend systems  by Basis team), also the ids needs to exist in all the backends.
  Now to come back to your question:
  If you can login to UME of portal/Java , and create the user do not expect it to appear on your LDAP
  mainly because LDAP will never be configured in a Enterprise project  as bidirectional ( ie Read/Write ), it will be readonly.
  Also if the Basis/Portal team allow you the option to create the user in UME , they will have to restart the machine everytime you need to point to a  different data source , but I dont know if this is the case in EHP4 versions, because SAP claims with EHP4 downtimes are almost nullified.
  Edited by: Franklin Jayasim on Jun 29, 2010 6:59 PM
  Edited by: Franklin Jayasim on Jun 29, 2010 7:02 PM

• LDAP configuration using AD in EP complete details steps

  Hi gurus,
              Can anybody provide me complete details
  step to configur UME and LDAP configuration
  THanks
  Happy

  Hi,
  Below is the configuration for UME-LDAP. In configtool you have to do this configuration.
  ume.ldap.access.server_name : <servername>
  ume.ldap.access.server_port         :  <enter the port>
  ume.ldap.access.user                    : <user>
  ume.ldap.access.password           :  <password>
  ume.ldap.access.base_path.user  : 
  Ume.ldap.access.base_path.grup : 
  Refer the link for more info on LDAP configuration.
  http://help.sap.com/saphelp_nw70/helpdata/en/63/14f5b51a6eff429f2d8b2063400e82/frameset.htm
  Thanks
  R.Murali

• SAP LDAP Connector / UME LDAP and Global Site Selector (GSS)

  Hi,
  I'm wondering if SAP LDAP Connector / UME LDAP will work with Global Site Selector service, such as  CISCO GSS 4400 Series, so that GSS can provide load-balancing for LDAP access.
  If it works, is there a specific configuration on the SAP side?
  Thanks in advance.
  -denny-

  Hey Denny,
    Wondering if you ever sorted this out. I'm trying the same thing right now and UME is failing (and portal won't start) when I use the FQDN of the GSS. Behavior is strikingly similar to using the FQDN of the Active Directory domain. The only way I found to use AD as an LDAP source is to list individual DCs in the UME config. I'm hoping to use GSS instead.
  -Kevin

• UME LDAP Data - XML file not appearing

  Hi,
  I have configured the readonly ADS with DB for the user authentication. Now I want to restore back to the default datasource configuration (dataSourceConfiguration_database_only.xml). But in the dropdown box in the Configtool >> UME LDAP data under the "Directory Security" tab, I am not able see the config XML file for the DB only. I tried uploading the file, but its saying file already exists. After this I tried deleting the fils from the cluster_data\server\persistent\com.sap.security.core.ume.service and then uplaoded the XML file. Still this is not appearing in the List of Datasources available.
  Can you please let me know how shall I revert the Datasouce to DB only?
  Regards,
  Debasis

  Hi,
    Go to ConfigTool -> Global Server Configuration -> Services -> com.sap.security.core.ume.service.
  You can change the value of ume.persistence.data_source_configuration to dataSourceConfiguration_database_only.xml.
  Regards,
  Siva
  P.S: Award points if you find this useful.

• Problem with LDAP configuration in Enterprise Manager

  Hi all,
  I'm new at Java CAPS. After install some pieces of Java CAPS now I'm trying to install and configure a Sun Java System Directory Server 5.2 in our environment.
  I've already configured the Repository and the Logical Host to work with the ldap, but I have some troubles to do it with the Enterprise Manager.
  I followed the instructions of the Administrator guide about the changes to do in web.xml and ldap.properties of the sentinel app but when I do login the Enterprise Manager I can't see the options of the tree to manage servers or users.
  It seems that the app don't recover the user roles. I think so becouse I tried to create one user without roles (in normal authentication, without ldap configured) and when I did login in the result was the same.
  At the beginning of the process I created the roles 'all', 'administration' and 'management'. However I tried to copy de roles of the Tomcat authentication from 'tomcat-users.xml' to ldap roles, but it doesn't work.
  Anyone could help me?
  Thanks in advance, and sorry for my rudimentary English

  Check that you have the correct Preferred Credentials with Logon as batch job if this is windows. Also check the correct configuration with regards LDAP integration for you platform.

• Embedded LDAP configuration in Portal

  Hi,
  I am currently working on WL10.1MP1, and need to know the probable files involved in Embedded LDAP Configuration in the domain.
  Can anyone let me know.
  Regards
  Lakshmi

  Hi Lakshmi,
  Default configurations are part of config.xml, security.xml and ldif files in security folder and files in data/LDAP folder in Admin Server.
  Vishnu

• OBIEE Start/Stop Services failed(After LDAP Configuration)

  Hi ,
  We made some changes(that is we have added new OID
  and configured the new OID based upon the Oracle BI security guide which is in Oracle Site
  ) to the LDAP configuration in OBIEE web console and it prompted for a restart of the OBIEE services . when we tried restarting the services we are not able to stop all the services . Please find the attached log files .
  Note:
  1.unable to kill the process ID
  which is releated to OBIEE 11.1.1.6.0 services..
  2.We have follwed the section 3 in the below link to configure the LDAP : http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/toc.htm.
  Please find the below error details in short form and kindly find the attahced file(file name) for more details
  Error:
  Caused By: oracle.security.jps.service.igf.IGFException: JPS-02597: You configured a custom Authentication Provider or WLS generic LDAPAuthenticator, which the libOvd can not recognize. Supply the idstore.type property in jps-config.xml file, or use a specific WLS LDAP Authentication provider that matches your LDAP server instead of a generic one.
  at oracle.security.jps.internal.api.identitystore.IdentityStoreConfigurationUtil.checkIdStoreTypeLater(IdentityStoreConfigurationUtil.java:819)
  at oracle.security.jps.internal.api.identitystore.IdentityStoreConfigurationUtil.getLibOvdLdapPushData(IdentityStoreConfigurationUtil.java:524)
  at oracle.security.jps.internal.igf.ovd.OvdIGFServiceProvider$1.run(OvdIGFServiceProvider.java:232)
  at oracle.security.jps.internal.igf.ovd.OvdIGFServiceProvider$1.run(OvdIGFServiceProvider.java:229)
  at java.security.AccessController.doPrivileged(Native Method)
  Truncated. see log file for complete stacktrace
  >
  <Jan 29, 2013 6:39:05 AM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
  <Jan 29, 2013 6:39:05 AM CST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
  <Jan 29, 2013 6:39:05 AM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state cha
  Error Codes
  Problem Category/Subcategory
  BI EE Platform Administration/Administration Tool
  Uploaded Files
  File: nohup.zip:134848
  Template Question Responses
  1) ### Admin Tool version ###
  2) Are you running Oracle Business Intelligence Enterprise Edition using virtualization or partitioning technologies (for example, VMWare) ?
  No
  3) If yes, please provide the product used and its version.
  4) ### Documentation Used ###
  5) ### Impact on Business ###
  Edited by: 919942 on Jan 31, 2013 5:10 AM

  "JPS-02597: You configured a custom Authentication Provider or WLS generic LDAPAuthenticator, which the libOvd can not recognize. Supply the idstore.type property in jps-config.xml file, or use a specific WLS LDAP Authentication provider that matches your LDAP server instead of a generic one."
  Looks like the config you entered was a tad off. Any chance you can roll back by restoring the original files from before the change?
  $FMWH/user_projects/domains/yourdomain/config/config.xml
  $FMWH/user_projects/domains/yourdomain/config/fmwconfig/jps-config.xml
  In the config.xml, inside the <realm> tag yo ushould find your authenticaiton providers and there's two important things for your new one to check:
  1.) xsi-type="wls:..." <-- This should be your OID type rather than a generic (or wrong) one
  2.) If you're not 100% sure about the config or don't want to immediately shut out native WLS users or want to retain them (both OID and WLS LDAP considered valid), then PLEASE make sure that you run your new authenticator with <sec:control-flag>SUFFICIENT</sec:control-flag> and don't make it REQUIRED since otherwise you won't be able to bring anything up anymore if a single parameter in the authenticator config is off...
  Also, check out what Tony wrote together a while back: http://www.peakindicators.com/index.php/knowledge-base/115-oracle-bi-11g-security-troubleshooting
  Update:
  Should have read the error message more carefully...looks like you actually just slipped by one line in the authenticator config and chose "OracleVirtualDirectory" instead of "OracleInternetDirectory" since it tries to use the libOvd rather than the OID one.
  Edited by: Christian Berg on Jan 31, 2013 2:58 PM

• LDAP Configuration for ECC 6.0 ( ABAP Stack only)

  Hi,
  Can any one guide me with the steps for the LDAP Configuration for ECC 6.0 ( Abap stack only).
  Some of my observations are....
  I can see the LDAP Support in the Installation master at the following path.
  1. Additional Software Life cycle Tasks --> Application Server --> LDAP Support.
  But the prerequisites for this task is given as "You must have extended the LDAP schema for the sap data types before.".
  When i am goint thru service market place i came across the following note.
  Note 888848 - Notes on schema enhancement with RSLDAPSCHEMAEXT.
  Thanks,
  Tanuj

  Dear All,
  We are trying to configure the LDAP using with active directory .  In the
  step of "Synchronization of SAP User Administration with LDAP
  Directory"when executing the report"RSLDAPSYNC_USER" we are facing one
  error.
  Please find the trace file and error screenshot in the attachment.Please help us on
  priority.
  Please find the Trace log in the below:
  RFC destination : LDAP_LDAPSE-01
  Tracelevel      :      8,704
  F5: Shutdown F6: Clear list F7: Dump status F8: Refresh list
  [Wed Jun 26 11:15:38 2013]
  Slot 0 (WIPROTECH): >>> ldap_initU(host="abg-mumabc-dc1.abgplanet.abg.com", port=389)
  [Wed Jun 26 11:15:39 2013]
  Slot 0 (WIPROTECH): <<< ldap_initU() == <NOT NULL> := connected
  Slot 0 (WIPROTECH): >>> ldap_set_option(version=3)
  Slot 0 (WIPROTECH): <<< ldap_set_option() == 0
  Slot 0 (WIPROTECH): >>> ldap_simple_bind_sU(dn="poornataad", password: not initial)
  [Wed Jun 26 11:15:40 2013]
  Slot 0 (WIPROTECH): <<< ldap_simple_bind_sU() == 0 := success
  [Wed Jun 26 11:15:43 2013]
  >>>>Required attributes table
  Line    0: "CREATETIMESTAMP" (length 15)
  Line    1: "MODIFYTIMESTAMP" (length 15)
  Line    2: "SAPUSERNAME" (length 11)
  <<<<Required attributes table
  Slot 0 (WIPROTECH): >>> ldap_search_sU(base="CN=poornataad,CN=Users,DN=abgplanet,DC=abg,DC=com", filter="(&(OBJECTCLASS=user)(SAPUSERNAME=*))", scope=2)
  Slot 0 (WIPROTECH): <<< ldap_search_sU() == 91
  >>> ldap_msgfree()
  <<< ldap_msgfree()
  Slot 0 (WIPROTECH): >>> ldap_unbind_s()
  Slot 0 (WIPROTECH): <<< ldap_unbind_s() == 0
  Please find the error screenshot in the below.
  Regards,
  Dilip Sampath.CH
  +91-9619735957.

• Errors in LDAP configuration with Shared Services

  Dear sirs,
  we are getting errors in LDAP configuration with Shared Services.
  Base DN is ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo East
  The group cn is cn=AH
  In LDAP log you can see the applications is searching the group:
  "ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo"
  When it should be:
  “ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo East”
  We think the problem is with space in Base DN "o=Grupo East", it is not properly considered.
  Error Codes
  EPMCSS-05145
  Thanks in advance

  Hi.
  Could you try to define the Base DN as :
  ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo\ East
  I don't know if will work fine.. but you can use special characteres using with the "\"
  Good luck.
  Best regards!

• Please let me know LDAP Configuration in Oracle Weblogic Server 10.3.2

  Hi,
  Please let me know LDAP Configuration in Oracle Weblogic Server 10.3.2.Please give me the steps to configure the LDAP in weblogic 10.3.2.

  Hi,
  You can check http://download.oracle.com/docs/cd/E15523_01/doc.1111/e14142/console.htm#i1075285

• MQ + OpenLdap: Any working example of LDAP configuration?

  MQ + OpenLdap: Any working example of [LDAP configuration], [LDIF initial data] and [imobjmgr addTopicFactory/addTopic command] files ?
  I'm using Sun MQ3.5 + OpenLdap2.2.20 as jndi remote binding mechanism.
  I've unsuccessfuly tryed to add a Topic Factory!
  Running the command
       imqobjmgr -i add_ldap_topic_factory.poperties
  I get such an exception:
       javax.naming.OperationNotSupportedException:
       [LDAP: error code 53 - no global superior knowledge];
       remaining name 'cn=myTopicConnectionFactory'
  This is the test configuration adopted using rootdn user to write to LDAP repository:
  #slapd.conf
  include /usr/local/etc/openldap/schema/core.schema
  database     bdb
  suffix          "dc=imq,dc=com"
  rootdn          "cn=Manager,dc=imq,dc=com"
  rootpw          secret
  directory     /usr/local/etc/openldap/var/openldap-data
  index     objectClass     eq
  #test.ldif
  dn: dc=imq,dc=com
  objectClass: dcObject
  objectClass: organization
  dc: imq
  o: imq
  #add_ldap_topic_factory.poperties
  version=2.0
  cmdtype=add
  obj.type=tf
  obj.lookupName=cn=myTopicConnectionFactory
  obj.attrs.imqAddressList=mq://localhost:7676/jms
  objstore.attrs.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
  objstore.attrs.java.naming.provider.url=ldap://localhost:389/o=imq
  objstore.attrs.java.naming.security.principal=cn=Manager,dc=imq,dc=com
  objstore.attrs.java.naming.security.credentials=secret
  objstore.attrs.java.naming.security.authentication=simple
  Thanks for any suggestion,
  Silvano

  Agreed.
  I've been wanting to test the steps and write a tech article on this
  and post it to somewhere on sunsolve.sun.com but have not had
  time yet.
  In any case, the instructions Ken-shi gave are below including
  the 3 files (etang.ldif objectstore.properties slapd.conf). Not sure
  how messy this posting can get due to size of files.
  I'd much rather point you to a sunsolve article but don't want
  to make you wait. When I do post the sunsolve article, this thread
  will be updated with a ptr to it.
  ===Begin instructions===
  Attached please see my working configuation files.
  1.Modify your OpenLdap configuration. (see slapd.conf)
  start OpenLdap: ./slapd
  2.Modify you initial data.( see etang.ldif)
  load initial data: ldapadd -x -D "cn=Manager,dc=etang,dc=com" -W -f
  etang.ldif
  3.ObjectStore properties ( see objectstore.properties )
  create your object store with "Administration" GUI on windows;
  while creating destinations or connection factories, be sure that the
  lookup names start with "cn=".
  ===End instructions===
  ===Begin etang.ldif===
  dn: dc=etang,dc=com
  objectClass: dcObject
  objectClass: organization
  dc: etang
  o: Etang Corporation
  description: The etang corporation
  dn: cn=Manager,dc=etang,dc=com
  objectClass: organizationalRole
  cn: Manager
  description: Directory Manager
  dn: o=IMQ,dc=etang,dc=com
  objectClass: organization
  o: IMQ
  dn: ou=imqusers,o=IMQ,dc=etang,dc=com
  objectClass: organizationalUnit
  ou: imqusers
  dn: cn=admin,ou=imqusers,o=IMQ,dc=etang,dc=com
  objectClass: person
  cn: admin
  sn: admin
  userPassword: admin
  dn: cn=guest,ou=imqusers,o=IMQ,dc=etang,dc=com
  objectClass: person
  cn: guest
  sn: guest
  userPassword: guest
  ===End etang.ldif===
  ===Begin objectstore.properties===
  java.naming.provider.url ldap://10.1.0.195:389/o=IMQ,dc=etang,dc=com
  java.naming.factory.initial com.sun.jndi.ldap.LdapCtxFactory
  java.naming.security.principal cn=admin,ou=imqusers,o=IMQ,dc=etang,dc=com
  java.naming.security.authentication simple
  java.naming.security.credentials admin
  ===End objectstore.properties===
  ===Begin slapd.conf===
  # See slapd.conf(5) for details on configuration options.
  # This file should NOT be world readable.
  include          /usr/local/openldap/etc/schema/core.schema
  include /usr/local/openldap/etc/schema/cosine.schema
  include /usr/local/openldap/etc/schema/inetorgperson.schema
  include /usr/local/openldap/etc/schema/dyngroup.schema
  include /usr/local/openldap/etc/schema/java.schema
  include /usr/local/openldap/etc/schema/nis.schema
  include /usr/local/openldap/etc/schema/misc.schema
  # Define global ACLs to disable default read access.
  # Do not enable referrals until AFTER you have a working directory
  # service AND an understanding of referrals.
  #referral     ldap://root.openldap.org
  pidfile          /usr/local/openldap/var/run/slapd.pid
  argsfile     /usr/local/openldap/var/run/slapd.args
  # Load dynamic backend modules:
  # modulepath     /usr/local/openldap/libexec
  # moduleload     back_bdb.la
  # moduleload     back_ldap.la
  # moduleload     back_ldbm.la
  # moduleload     back_passwd.la
  # moduleload     back_shell.la
  # Sample security restrictions
  #     Require integrity protection (prevent hijacking)
  #     Require 112-bit (3DES or better) encryption for updates
  #     Require 63-bit encryption for simple bind
  # security ssf=1 update_ssf=112 simple_bind=64
  # Sample access control policy:
  #     Root DSE: allow anyone to read it
  #     Subschema (sub)entry DSE: allow anyone to read it
  #     Other DSEs:
  #          Allow self write access
  #          Allow authenticated users read access
  #          Allow anonymous users to authenticate
  #     Directives needed to implement policy:
  # access to dn.base="" by * read
  # access to dn.base="cn=Subschema" by * read
  # access to *
  #     by self write
  #     by users read
  #     by anonymous auth
  # if no access controls are present, the default policy
  # allows anyone and everyone to read anything but restricts
  # updates to rootdn. (e.g., "access to * by * read")
  # rootdn can always read and write EVERYTHING!
  access to * by * write
  # ldbm database definitions
  database     bdb
  suffix          "dc=etang,dc=com"
  rootdn          "cn=Manager,dc=etang,dc=com"
  # Cleartext passwords, especially for the rootdn, should
  # be avoid. See slappasswd(8) and slapd.conf(5) for details.
  # Use of strong authentication encouraged.
  rootpw          secret
  # The database directory MUST exist prior to running slapd AND
  # should only be accessible by the slapd and slap tools.
  # Mode 700 recommended.
  directory     /usr/local/openldap/var/openldap-data
  # Indices to maintain
  index     objectClass     eq
  ===End slapd.conf===

• Direct Ldap configuration mismatch....

  I am running directory server 5.1 and messaging server 5.2.
  I have one message store (msA.example.com) for users to retriew mail and it queries directory master server (dsA.exaple.com) with direct ldap configured.
  I am configuring another messaging server (msB.example.com) with smtp authentication for same users to send mail through that and it queries another ldap consumer server (dsB.example.com).
  dsB is replicated by dsA immediatly after any modification done to dsA. My present setup works fine if msB is configured on dirsync mode, but I want to configure it to use direct ldap from dsB.
  When I try to send email via msB (with direct ldap enabled) it waits a long time after (smtp) authentication and then terminated with "server unexpectedly terminated the connection" message on outlook client. I can not see any message on mail.log_current.
  All my direct ldap settings are correct and compiled properly.
  Later I found that when I comment the
  " $* $E$F$U%$[email protected]$V$H " line on imta.cnf file it works fine, ie. without any delay message is delivered.
  (But this has to be uncomment with direct ldap mode according to the sun documentation)
  Can anyone clarify this? I could see even without uncommenting the above line direct ldap works fine!

  Thanks for replys...
  But I tried with the way that you mentioned, but still the problem persists.
  No any message on DEBUG logs.
  But I have some more thing to tell....
  When I first install the messaging server (msB), I used the dsA as the ldap server. So after installation I got gelow results with configutil.
  local.ugldaphost = dsA.example.com
  local.ldaphost = dsA.example.com
  local.service.pab.ldaphost = dsA.example.com
  Since I want to use ldap queries from dsB, I change user lookups to dsB
  Then the output was,
  local.ugldaphost = dsB.example.com
  local.ldaphost = dsA.example.com
  local.service.pab.ldaphost = dsB.example.com
  Do you think this cause thye error?
  I can not use dsB for local.ldaphost since it causes the msB not usable. What I only need here is to get the user lookups from dsB.