Update defualtprofile to add a 2nd ldap server ip to defaultServerList

Similar Messages

• Usage of external LDAP server with Portal

  Hi All,
  We are in a situation to use external LDAP server with WLP 8.1. These are the
  constraints we have to deal with:
  1. Only read is allowed from this LDAP server.
  2. This would be used for authentication purpose
  If thats the case, how can we use Visitor Entitlements/Delegated Admin and Group
  creation using Portal Admin tool since this will write to the configured LDAP
  server.
  Can somebody answer my question:
  1. Can we use external LDAP server - just for authetication (I know this is possible
  by using JAAS LoginModule, but I just want to get confirmed on this ) and
  2. Use default and embedded LDAP server for all others like Group/Visitor Entitlements/DAs.
  Any relevant pointers are also welcome.
  TIA,
  Prashanth Bhat.

  Thanks for th ereply. Some of your answers are not clear. Can you pls eloborate
  on this?? Pls see my comments below.
  "Johnson" <[email protected]> wrote:
  >
  Phil,
  Can I use embedded LDAP for production?
  Thanks
  Lawrence
  "Phil Griffin" <BEA> wrote:
  "Prashanth " <[email protected]> wrote in message
  news:[email protected]..
  Hi All,
  We are in a situation to use external LDAP server with WLP 8.1. Theseare
  the
  constraints we have to deal with:
  1. Only read is allowed from this LDAP server.
  2. This would be used for authentication purpose
  If thats the case, how can we use Visitor Entitlements/Delegated Adminand
  Group
  creation using Portal Admin tool since this will write to the configuredLDAP
  server.
  Can somebody answer my question:
  1. Can we use external LDAP server - just for authetication (I knowthis
  is possible
  by using JAAS LoginModule, but I just want to get confirmed on this) and
  >
  You can add the external LDAP server just for authentication, but in
  versions through
  8.1 SP2 WLP will want to verify the user exists (via the UserReaderMBean)
  during
  the login process (this check has been removed in SP3). A work around
  is to
  duplicate
  the user in a provider that does impl UserReaderMBean.
  Prashanth : You mean to say we have to duplicate the User in embedded LDAP server
  also??
  >>
  2. Use default and embedded LDAP server for all others like Group/VisitorEntitlements/DAs.
  >
  Yes, the default/embedded LDAP can still be used for DA/visitor
  entitlements. In the current
  release, the Portal Admin Tools can only be configured to use a single
  authentication provider
  while forming entitlements. In SP3, all configured providers are
  listed/usable by the tools.Prashanth : How can we configure Portal Admin tool to use authentication provider
  for entitlements??
  >>
  Any relevant pointers are also welcome.
  TIA,
  Prashanth Bhat.

• Are there any rough processes for Solaris administrator to setup Sun LDAP as nameing server at Sun sparc host? like: 1st: modify /etc/nfsswitch.nfs 2nd: add LDAP server in /etc/hosts. 3rd: ......

  Besides, can we install the LDAP server in sparc hosts as nameing system? Can we use Sun LDAP server or iPlanet Directory Server? or need BIND DNS server too?

  There is a nice book from Michael Haines and Tom Bialaski: "Solaris and LDAP Naming Services" which contains all you need to configure Directory Server, LDAP, Naming Switch...
  Ludovic.

• Rc.local script to bind and add ldap server

  Greetings All,
  For the past few years, I've used the script below to bind and add authentication servers to my client machines. The process is simple enough, copy the rc.local script (ref'd below) to /etc/ as root and reboot the client. The problem now, is I don't know if this will work in 10.6. As I read this script, I realized there have been enough changes in location of files and file names between 10.5 and 10.6 that this script isn't going to work.
  My question to you guys is this: Is anyone else taking care of their binding/auth services in a similar manner? If so, would you mind sharing the script you're using?
  Thanks,
  -dave
  Here's mine:
  #!/bin/sh
  # WARNING -- REMEMBER TO UNCOMMENT THE SELF-DELETING LINE!
  #Site and/or District-specific Variables
  #Local Admin in Image
  LOCADMIN="tech" # Local admin user in your image
  LOCPASSWD="techpwd" # Local admin password in your image
  #Open Directory
  ODSITESERVER="odr1.mydomain.edu" # FQDN of the Open Directory Server
  ODADMIN="diradmin" # Directory Admin for Open Directory
  ODPASSWD="diradminpwd" #Password for OD Directory Admin
  ### DO NOT EDIT BELOW THIS LINE!
  OSMAJORVER=`sw_vers | grep ProductVersion | awk '{print $2}' | cut -c 1-4`
  ENETADDRESS=`ifconfig en0 | grep ether | awk '{print $2}'`
  #Give the network time to come online
  logger "Sleeping 30 seconds"
  sleep 30
  #Set Date and Time
  case $OSMAJORVER in
  10.3) date > /Library/Logs/binder.log 2>&1
  /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/sys temsetup-panther -setusingnetworktime off >> /Library/Logs/binder.log 2>&1
  /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/sys temsetup-panther -setusingnetworktime on >> /Library/Logs/binder.log 2>&1
  date >> /Library/Logs/binder.log 2>&1 ;;
  10.4) date > /Library/Logs/binder.log 2>&1
  /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/sys temsetup-tiger -setusingnetworktime off >> /Library/Logs/binder.log 2>&1
  /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/sys temsetup-tiger -setusingnetworktime on >> /Library/Logs/binder.log 2>&1
  date >> /Library/Logs/binder.log 2>&1 ;;
  10.5) date > /Library/Logs/binder.log 2>&1
  /usr/sbin/systemsetup -setusingnetworktime off >> /Library/Logs/binder.log 2>&1
  /usr/sbin/systemsetup -setusingnetworktime on >> /Library/Logs/binder.log 2>&1
  date >> /Library/Logs/binder.log 2>&1 ;;
  esac
  #Set Bonjour and Computer Names
  # logger "Setting Bonjour and Computer Names"
  # SERIALNUMBER=`ioreg -l |grep IOPlatformSerialNumber | awk '{print $4}' | cut -d \" -f 2`
  # SECONDOCTET=`ifconfig -a | grep inet | grep -v inet6 | awk '{print $2}' | grep ^10\. | head -n 1 | awk 'BEGIN {FS="."}; { printf "%03d", $2 }'`
  # COMPUTERID="A""$SECONDOCTET""$SERIALNUMBER"
  # logger "Computer name is $COMPUTERID"
  # scutil --set LocalHostName "$COMPUTERID"
  # scutil --set ComputerName "$COMPUTERID"
  # sleep 3
  #Set the Open Directory Server we are binding to based on the second octet of the IP address received from the DHCP lease
  # case $SECONDOCTET in
  # 002|005|047|110|112|115|119|121|123|128|133|153|241|247|250|251|253) ODSITESERVER="a941wgm.austinisd.org" ; RING="A1N";;
  # 009|045|046|052|053|107|109|117|131|132|138|144|151|154|155|179) ODSITESERVER="a117wgm.austinisd.org" ; RING="B1N";;
  # 004|006|010|048|055|056|102|106|118|129|141|149|152|157|159|161|163|164|165|178 |189|244|249) ODSITESERVER="a006wgm.austinisd.org" ; RING="C1N";;
  # 003|012|015|044|051|105|108|111|116|122|124|125|126|127|139|142|145|150|245) ODSITESERVER="a044wgm.austinisd.org" ; RING="D1N";;
  # 007|043|049|058|103|104|114|140|146|160|162|168|171|174|175|176|185|190|246|101 ) ODSITESERVER="a007wgm.austinisd.org" ; RING="B1S";;
  # 101) ODSITESERVER="a007wgm.austinisd.org" ; RING="B2S";;
  # 008|013|017|054|059|061|120|130|136|147|156|166|172|173|182|184) ODSITESERVER="a008wgm.austinisd.org" ; RING="C1S";;
  # 057|060|113|143|148|158|170|180|181|183|248) ODSITESERVER="a008wgm.austinisd.org" ; RING="C2S";;
  # *) ODSITESERVER="a000wgm.austinisd.org" ; RING="A0N";;
  # esac
  #Remove Existing Directory Services Config
  logger "Removing existing DS Config"
  rm -R /Library/Preferences/DirectoryService/ActiveDirectory*
  rm -R /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig*
  rm -R /Library/Preferences/DirectoryService/SearchNode*
  rm -R /Library/Preferences/DirectoryService/ContactsNode*
  rm -R /Library/Preferences/edu.mit.*
  rm -R /etc/krb5.keytab
  #Enable and disable appropriate plugins
  case $OSMAJORVER in
  10.3) defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Inactive" >> /Library/Logs/binder.log 2>&1
  defaults write /Library/Preferences/DirectoryService/DirectoryService "LDAPv3" "Active" >> /Library/Logs/binder.log 2>&1
  defaults write /Library/Preferences/DirectoryService/DirectoryService "AppleTalk" "Inactive" >> /Library/Logs/binder.log 2>&1
  defaults write /Library/Preferences/DirectoryService/DirectoryService "SLP" "Inactive" >> /Library/Logs/binder.log 2>&1
  defaults write /Library/Preferences/DirectoryService/DirectoryService "BSD" "Inactive" >> /Library/Logs/binder.log 2>&1
  defaults write /Library/Preferences/DirectoryService/DirectoryService "SMB" "Inactive" >> /Library/Logs/binder.log 2>&1
  plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist >> /Library/Logs/binder.log 2>&1 ;;
  10.4) defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Inactive" >> /Library/Logs/binder.log 2>&1
  defaults write /Library/Preferences/DirectoryService/DirectoryService "LDAPv3" "Active" >> /Library/Logs/binder.log 2>&1
  defaults write /Library/Preferences/DirectoryService/DirectoryService "AppleTalk" "Inactive" >> /Library/Logs/binder.log 2>&1
  defaults write /Library/Preferences/DirectoryService/DirectoryService "SLP" "Inactive" >> /Library/Logs/binder.log 2>&1
  defaults write /Library/Preferences/DirectoryService/DirectoryService "BSD" "Inactive" >> /Library/Logs/binder.log 2>&1
  defaults write /Library/Preferences/DirectoryService/DirectoryService "SMB" "Inactive" >> /Library/Logs/binder.log 2>&1
  plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist >> /Library/Logs/binder.log 2>&1 ;;
  10.5) defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Inactive" >> /Library/Logs/binder.log 2>&1
  defaults write /Library/Preferences/DirectoryService/DirectoryService "LDAPv3" "Active" >> /Library/Logs/binder.log 2>&1 ;;
  esac
  #Copy in updated ldap.conf file for Leopard machines, which disables the verification of SSL certs used for LDAP Authentication
  case $OSMAJORVER in
  10.5) cp /etc/ldap.conf-leopard /etc/openldap/ldap.conf ;;
  esac
  #Kill Directory Services and respawn to return to DS Defaults
  logger "Respawning DS"
  killall -9 DirectoryService
  #Running "id" triggers a DS Respawn
  id "$LOCADMIN" >> /Library/Logs/binder.log 2>&1
  sleep 3
  #Fix SearchNode plist
  case $OSMAJORVER in
  10.3) logger "Disabling LDAP via DHCP"
  defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "DHCP LDAP" -dict "/Sets/0" -bool FALSE >> /Library/Logs/binder.log 2>&1
  plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist >> /Library/Logs/binder.log 2>&1
  killall -9 DirectoryService >> /Library/Logs/binder.log 2>&1
  sleep 3 ;;
  10.4) logger "Disabling LDAP via DHCP"
  defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "DHCP LDAP" -dict "/Sets/0" -bool FALSE >> /Library/Logs/binder.log 2>&1
  plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist >> /Library/Logs/binder.log 2>&1
  killall -9 DirectoryService >> /Library/Logs/binder.log 2>&1
  sleep 3 ;;
  esac
  #Configure LDAPv3 Plugin -- fix with site-specific data
  logger "Configuring LDAPv3 Plugin"
  case $OSMAJORVER in
  10.4) dsconfigldap -v -l "$LOCADMIN" -q "$LOCPASSWD" -a "$ODSITESERVER" -n "Open Directory" >> /Library/Logs/binder.log 2>&1 ;;
  10.5) dsconfigldap -v -l "$LOCADMIN" -q "$LOCPASSWD" -a "$ODSITESERVER" -n "Open Directory" >> /Library/Logs/binder.log 2>&1 ;;
  esac
  sleep 3
  #Make sure we init DS and confirm connectivity to each LDAP directory
  logger "Checking OD Node Connectivity"
  date >> /Library/Logs/binder.log
  echo "Checking OD Node Connectivity" >> /Library/Logs/binder.log
  dscl localhost -list /LDAPv3/$ODSITESERVER/Groups >> /Library/Logs/binder.log 2>&1
  #Configure Search Path
  logger "Configuring Search Nodes"
  date >> /Library/Logs/binder.log
  echo "Configuring Search Nodes" >> /Library/Logs/binder.log
  dscl localhost -read /Search >> /Library/Logs/binder.log 2>&1
  case $OSMAJORVER in
  10.3) defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
  defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/LDAPv3/$ODSITESERVER"
  killall -9 DirectoryService ;;
  10.4) dscl /Search -append / CSPSearchPath "/LDAPv3/$ODSITESERVER" >> /Library/Logs/binder.log 2>&1
  dscl /Search -create / SearchPolicy CSPSearchPath >> /Library/Logs/binder.log 2>&1 ;;
  10.5) dscl /Search -append / CSPSearchPath "/LDAPv3/$ODSITESERVER" >> /Library/Logs/binder.log 2>&1
  dscl /Search -create / SearchPolicy CSPSearchPath >> /Library/Logs/binder.log 2>&1 ;;
  esac
  date >> /Library/Logs/binder.log
  echo "Confirming Search Nodes" >> /Library/Logs/binder.log
  dscl localhost -read /Search >> /Library/Logs/binder.log 2>&1
  #Remove any stale computer records from Open Directory
  logger "Removing stale computer records from OD"
  dscl /LDAPv3/"$ODSITESERVER" -search Computers ENetAddress "$ENETADDRESS" | awk 'BEGIN {FS="\t\t"}; { print $1 }' | while read COMPNAME
  do
  dscl -u "$ODADMIN" -P "$ODPASSWD" /LDAPv3/"$ODSITESERVER" -delete Computers/"$COMPNAME" >> /Library/Logs/binder.log 2>&1
  done
  #Add computer record to Open Directory
  logger "Adding new Computer Record to OD"
  dscl -u "$ODADMIN" -P "$ODPASSWD" /LDAPv3/"$ODSITESERVER" -create Computers/`scutil --get LocalHostName` ENetAddress "$ENETADDRESS" >> /Library/Logs/binder.log 2>&1
  #Add to designated computer list - this is ONLY for 10.4 server. This will need to be replaced for 10.5 server.
  COMPUTERGROUP="Unprovisioned" # Computer List
  logger "Adding to Computer List: $COMPUTERLIST"
  dscl -u "$ODADMIN" -P "$ODPASSWD" /LDAPv3/"$ODSITESERVER" -create Computers/"$COMPUTERID" ENetAddress "$ENETADDRESS"
  dscl -u "$ODADMIN" -P "$ODPASSWD" /LDAPv3/"$ODSITESERVER" -append ComputerLists/"$COMPUTERGROUP" Computers "$COMPUTERID"
  #Refresh the MCX Cache
  logger "Refeshing the MCX Cache"
  case $OSMAJORVER in
  10.3) /System/Library/LoginPlugins/MCX.loginPlugin/Contents/MacOS/MCXCacher -f >> /Library/Logs/binder.log 2>&1
  /System/Library/LoginPlugins/MCX.loginPlugin/Contents/MacOS/MCXCacher >> /Library/Logs/binder.log 2>&1 ;;
  10.4) /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher -f >> /Library/Logs/binder.log 2>&1
  /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher >> /Library/Logs/binder.log 2>&1 ;;
  esac
  #Disable automatic login on the client
  defaults write /Library/Preferences/.GlobalPreferences com.apple.userspref.DisableAutoLogin -bool TRUE
  #Enable login hooks on the client
  case $OSMAJORVER in
  10.4|10.5) defaults write /var/root/Library/Preferences/com.apple.loginwindow EnableMCXLoginScripts -bool true
  defaults write /var/root/Library/Preferences/com.apple.loginwindow MCXScriptTrust Anonymous ;;
  esac
  #Enable Directory Services Status by default on loginwindow
  # case $OSMAJORVER in
  # 10.4|10.5) defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus ;;
  #esac
  #Modify the binder log so that only admin viewers may access the file
  chmod u=rw,go= /Library/Logs/binder.log
  sleep 5
  #killall loginwindow
  sleep 5
  #Comment the lines below, until shutdown if you do not want the script to replace itself with a 30 second delay on startup to ensure the client receives a DHCP lease before loginwindow appears
  case $OSMAJORVER in
  10.3|10.4) echo sleep 30 > /etc/rc.local ;;
  *) srm /etc/rc.local ;;
  esac
  shutdown -r now
  #Exit
  exit 0

  The first thing I would verify is if you can connect and traverse your Active Directory/Domain Controller using Softerra's free ldap browser.
  1. Softerra ldap browser link
  http://download.softerra.com/files/ldapbrowser26.msi
  Put in the IP/hostname of the domain controller, use the same BASE DN, and user credentials that you used on the IronPort appliance.
  I would highly recommend that you create a separate account for the IronPort. (i.e. ironportldap). Do this so that you don't have to worry about accidentially resetting the password and then forgetting to update the IronPort appliance.
  2. Once you've verified that you can connect and see your tree, use the same settings from Softerra ldap browser and put them in the IronPort ldap interface.
  Try this for your Accept query string
  (|(mail={a})(proxyAddresses=smtp:{a}))
  3. If it still fails, enable the ldap debug log if you haven't already and paste in the error.
  We are trying to add an LDAP Server Profile but everytime we try to test the Accept Query we get an
  "Error - Error: configuration error" message.
  We are using AD, top of the tree for base DN. dc=domain, dc=local.
  We tried communicating with 2 different servers via telnet on ports 389, 3268, both are open.
  Tried port 389 and 3268, no SSL, Anynomous and User Password authentication methods.
  The error left us clueless since we followed the instructions on the user manual.
  For the accept query we tried this query string: (proxyAddresses=smtp:{a})
  Any ideas or pointers to what could be causing this are very appriciated.
  Thanks.
  Ed.

• How can we update data in LDAP server using PL/SQL.

  Hi,
  How can we update data in LDAP server using PL/SQL program.
  Is there any sample code for refrence.
  Thanks,
  Tarun

  Hi Justin,
  Thanks for your help. You got my correct requirements.
  Tim's example returning all the attributes of current user which is admin user. Please correct me if I am wrong.
  I have the following information:
  the admin user and password,server info , port and ldap_base for admin.
  I have uid and password for regular user, I am trying find the ldap_base for regular user, which may be different from adminuser.
  Please help me.
  Thanks,
  Edited by: james. on Jan 12, 2009 5:39 PM

• How do I add an objectclass to existing LDAP server entry using an ldif file?

  I am trying to fix an LDAP server that has been operating with schema check off. I need to add an objectclass to the groups so that some attributes that have been added to the groups will be "legal." From the documentation, the changetype: modify will allow the changing/adding of attributes that are already a part of the schema objects that define the entry. It does not look like I can add an objectclass with the modify operation.
  If this is the case, then how do I add an objectclass to an existing entry? Using the GUI is not possible since the directory server in question is not being managed with an admin server. Please tell me that I do not have to delete the groups and import them again with an LDIF file that has the new objectclass added.
  Kent

  See this post:
  http://softwareforum.sun.com/servlet/ProcessRequest?RHIVEID=181&RPAGEID=135&HOID=50B500000008000000636B0000&USEARCHCONTEXT_CATEGORY_0=_21_%24_7_&USEARCHCONTEXT_CATEGORY_S=0&UCATEGORY_0=_21_%24_7_&UCATEGORY_S=0

• Still LDAP server not responding when add to authentication search path ...

  Howdy All,
  I still have an OS X Server 10.5.6 (running Open Directory with its own Master directory) that when configured to connect to a corporate LDAP server indicates the server is responding fine, but when I add the server to the authentication search path, the server is no-longer responding.
  I suspect this may mean the LDAP server is choosing to no-longer respond? Is it possible that the LDAP server could have my machine / IP address "black-listed" in some way? I have asked corporate IT but they didn't seem to think so (although I was queried before about repeated connect attempts).
  Somewhat strangely I can configure a laptop client (OS X 10.5.6) to connect to the same LDAP server from an Ethernet port on the same LAN and it works fine. However, when I connect this laptop to the LAN through my server (WiFi NAT) I get the same issue as described above.
  I don't have the firewall on the server turned on, I have played around with some certificates on the server, but have set "TLS_REQCERT never" in the ldap.conf file on the server (and client) as suggested by corporate IT. I have Kerberos running on the server and all else seems fine on the server.
  Can anyone suggest what may be causing this? Or how I can debug the problem?
  Thanks in advance.
  Cheers,
  Ashley.

  Hi Jeff,
  Thanks for your post. That said, I'm not sure how you got the impression that I wish to go to Maine I'm happy here in Perth, Western Australia.
  Jeff Kelleher wrote:
  Connecting a Mac to an LDAP server is a far cry from connecting a OS X Server to an existing LDAP server. Not that I could necessarily help, but asking how to connect an OS X Server to an LDAP server is a bit like asking "guess where I am now, how do I get to Maine?"
  You need to provide as much info as you can.
  Seriously though, I'm not sure of the difference. I am using Directory Utility to allow this OS X Server to get authentication information from an LDAP server just like an OS X Client would.
  I have Open Directory in Server Admin just setup to connect to a directory system (i.e. the organisation LDAP server), not a master or replica.
  My final goal is to allow access to an OS X TeamsServer Wiki by users who are authenticated against the LDAP server (rather than having to have separate accounts, logins, on the OSXS.)
  I am hoping that I can use a group from the LDAP server to define the team, but perhaps I will have to run a standalone OD. I hope then I can add LDAP users to the OD group.
  What other information would help?
  Thanks,
  Ashley.
  OS X Server 10.5.6

• OSX 10.9 Maverick add a LDAP server via script

  I use applescript to add a LDAP sever on 10.8, but after the 10.9 released, I found the script cannot use any more.
  Seems is the new Mail app doesn't support LDAP sever , it is integrated to Internet Accounts
  However the SAMPLE script is still the same. (  /Library/Scripts/Mail\ Scripts/Create\ New\ LDAP\ Server.scpt )
  Does any one know how to config internet accounts via script (BASH script is OK too)?
  the new mail app does not understand
  make new ldap server with properties {name:theName, host name:theAddress, search base:theSearchBase, Çclass ldpoÈ:thePort, scope:theScope}
  any more.

  I'd first read the subject and thought this involved creating an entire LDAP server via script and thought... whoa, that's some script.    
  But you're seeking to reference a remote resource or some automated way to configure your client mail, and that's currently using LDAP, right?  If so, then Apple has shifted over to Profiles and away from LDAP and MCX and related.  Profiles would be the approach I'd follow here, either with OS X Server and its profile manager or some other MDM service.
  If you have access to the Apple WWDC13 session videos, there's a session on the Profile Manager that might be worth your time.

• Updating Sun LDAP Server through custom create group forms

  Hi,
  we have requirement whererin we must create a create group form (custom form) and then update the new group details to the Sun LDAP server. After defining the LDAP Resource, how do I proceed in creating the resource object and configuring the same with the 'create group form ' for updating the necessary attributes in LDAP server.

  There is no way to perfrom LDAP authentication using our product without a mapped group. I haven't used it in a while but the Sun LDAP mamagement tools were very straight forward, creating users/groups issn't much trouble
  First creat the users and groups wherever in the direcotry, then in the group properties you must make the users members of the groups. Map the groups into BO and your done.
  If you wanted someone to setup both your LDAP directory and Business Objects typically a 3rd party professional service may be used. For configuring BO you can open a case with the authentication team in support if stuck. You could get some tips as most of our engineers have set up sun a few times for internal testing.
  Regards,
  Tim

• Can an LDAP server be it's own client?

  In short yes, why would you want to do this? Many reasons, but mine is to be able to use ldap on laptops running Solaris and have them log into the machine with ldap credentials off the network. When we plug them back onto the network, I have a master server send any new data via one-way replication. I will give 2 separate ways to accomplish this. One is, to put it bluntly, a dirty hack to get it working. The second is much more elegant and it's the one I have stressed tested to verify that it works.
  Disclaimer: I have only used these methods on Solaris10 update 3 with Trusted Extensions using directory server 5.2 as well as the administration server. I have used a few different kinds of machines (all x86) and have not had a problem with it. I do not know if it will work on any other version or hardware. I haven't even looked at the source code, all assumptions made here are from observing the systems behavior while making minor changes.
  Now, the reasons why normally you can't be your own client (at least as far as I can tell) is because of the way the system boots and the dependencies that the ldap/client service needs to start up. If you boot a machine that is it's own client and ldap/client runs before the directory server starts, of course it will fail. The system boots the services first, then legacy init scripts. Directory Server 5.2 uses init scripts. Correct me if I am wrong, but that is the only real hurdle in your way.
  So the first way to get it 'working' (dirty hack) is to delay the ldap/client smf service from starting until the directory server is started. After you become a client of yourself (in this case the global zone) disable the ldap/client serrvice.
  svcadm disable ldap/clientThen enable it temporarily with the -t option
  svcadm enable -t ldap/clientWell if you were to reboot now it would not work because the service would not start at boot because it is set to be administratively down. Edit the S72directory script in /etc/rc2.d and after the start commands just add the svcadm enable -t ldap/client command and it will load right after directory server starts. Will this work? Yes, is it a clean way to do it? NO. I used this method just for testing the theory that the only reason I could not be my own client was because of the booting issue.
  Now the best way that I can see to accomplish this is to create your own smf services for the directory server and admin server. That way all you have to do is add a dependency to the ldap/client xml file to wait until the new directory server service is started before it starts. So in /var/svc/manifest/site create a folder called ldap (I put this in site because I didn't want to run into any issues of patching). In /var/svc/manifest/site/ldap/ create two xml files named:
  quick note: These are the first services I have created. There may be a much better way to make them. If you can re-code it better, please let me know so I can look at them. Also there is no restart command in here (actually I just noticed that) so adding one of those would be wise.
  ds_admin.xml and directory_server.xml.
  ds_admin.xml contains<?xml version="1.0"?>
  <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
  <!--
       Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
       Use is subject to license terms.
       ident     "@(#)client.xml     1.4     04/12/09 SMI"
       NOTE:  This service manifest is editable; its contents will not
       be overwritten by package or patch operations, including
       operating system upgrade.
  -->
  <service_bundle type='manifest' name='SUNWdsadmin:dsadmin'>
  <service
       name='site/ldap/ds_admin'
       type='service'
       version='1'>
       <create_default_instance enabled='false' />
       <single_instance />
       <dependency
           name='fs'
           grouping='require_all'
           restart_on='none'
           type='service'>
            <service_fmri value='svc:/system/filesystem/minimal' />
       </dependency>
       <dependency
           name='net'
           grouping='require_all'
           restart_on='none'
           type='service'>
            <service_fmri value='svc:/network/initial' />
       </dependency>
       <exec_method
           type='method'
           name='start'
           exec='/lib/svc/method/ds_admin start'
           timeout_seconds='120' >
            <method_context>
                 <method_credential user='root' group='sys' />
            </method_context>
       </exec_method>
       <exec_method
           type='method'
           name='stop'
           exec='/lib/svc/method/ds_admin stop'
           timeout_seconds='60' >
            <method_context>
                 <method_credential user='root' group='sys' />
            </method_context>
       </exec_method>
       <stability value='Unstable' />
       <template>
            <common_name>
                 <loctext xml:lang='C'>
                 LDAP Admin server      
                 </loctext>
            </common_name>
            <description>
                 <loctext xml:lang='C'>
  LDAP admin server
  Information Service lookups
                 </loctext>
            </description>
       </template>
  </service>
  </service_bundle>and directory_server.xml contains:
  <?xml version="1.0"?>
  <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
  <!--
       Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
       Use is subject to license terms.
       ident     "@(#)client.xml     1.4     04/12/09 SMI"
       NOTE:  This service manifest is editable; its contents will not
       be overwritten by package or patch operations, including
       operating system upgrade.
  -->
  <service_bundle type='manifest' name='SUNWds:ds'>
  <service
       name='site/ldap/directory_server'
       type='service'
       version='1'>
       <create_default_instance enabled='false' />
       <single_instance />
       <dependency
           name='usr'
           grouping='require_all'
           restart_on='none'
           type='service'>
            <service_fmri value='svc:/system/filesystem/minimal' />
       </dependency>
       <dependency
           name='net'
           grouping='require_all'
           restart_on='none'
           type='service'>
            <service_fmri value='svc:/network/initial' />
       </dependency>
    <dependency
              name='ds_admin'
              grouping='require_all'
              restart_on='none'
              type='service'>
                  <service_fmri
                      value='svc:/site/ldap/ds_admin' />
       </dependency>
       <exec_method
           type='method'
           name='start'
           exec='/lib/svc/method/directory_server start'
           timeout_seconds='120' >
            <method_context>
                 <method_credential user='root' group='sys' />
            </method_context>
       </exec_method>
       <exec_method
           type='method'
           name='stop'
           exec='/lib/svc/method/directory_server stop'
           timeout_seconds='60' >
            <method_context>
                 <method_credential user='root' group='sys' />
            </method_context>
       </exec_method>
       <stability value='Unstable' />
       <template>
            <common_name>
                 <loctext xml:lang='C'>
                 LDAP directory server      
                 </loctext>
            </common_name>
            <description>
                 <loctext xml:lang='C'>
  LDAP directory server
  Information Service lookups
                 </loctext>
            </description>
       </template>
  </service>
  </service_bundle>Now the start/stop scripts will be located in /lib/svc/method and are as followed:
  ds_admin
  #!/sbin/sh
  case "$1" in
       start)
            /usr/sbin/directoryserver start-admin
       stop)
            /usr/sbin/directoryserver stop-admin
            echo "Usage: $0 { start | stop }"
            exit 1
  esac
  exit 0simple yes.
  directory_server
  #!/sbin/sh
  HOST_NAME=`hostname`
  SERVER_ROOT=/var/opt/mps/serverroot
  DIRECTORY_SERVER_INSTANCE=slapd-${HOST_NAME}
  case "$1" in
       start)
            ${SERVER_ROOT}/${DIRECTORY_SERVER_INSTANCE}/start-slapd
       stop)
            ${SERVER_ROOT}/${DIRECTORY_SERVER_INSTANCE}/stop-slapd
            echo "Usage: $0 { start | stop }"
            exit 1
  esac
  exit 0The only thing left to do is modify the ldap/client smf file to wait until the directory server starts before it loads.
  So edit /var/svc/manifest/network/ldap/client.xml and right before the dependency for for /var/ldap/ldap_client_file add this
  <dependency
              name='directory_server'
              grouping='require_all'
              restart_on='none'
              type='service'>
                  <service_fmri
                          value='svc:/site/ldap/directory_server' />
          </dependency>
  Any changes made to the /ldap/client xml file must be made after ALL zones have been installed. If this file is copied to a zone it will never work as the directory_server service is not loaded in the zones.
  Now what? You must remove the legacy init scripts in /etc/rc2.d. Those would be S72directory and S73mpsadm. No need to keep them around, alternatively, you can just change the capital 'S' to lower case and they want start.
  You can now either use svccfg to validate and import the new services or you can reboot. Typically, I reboot and use the '-m verbose' option on boot to watch the services for any errors. I haven't had any lately but on different systems I always watch to see if it behaves different.
  That's it. I have rebooted all the machines many, many times without error. This of course does not address loading the directory server or adding users, tnrhdb file, etc... We have scripted most of loading out and once we get some error correction coded in I will post them.
  Also, if you find any errors or even a better way to accomplish this, please post it.

  This restriction is only in terms of implementing the Solaris support for LDAP as a naming service. If the Solaris OS is configured to use LDAP as a naming service, it can't use a LDAP server running on the same host.
  The reason is that the LDAP server makes naming service calls before it gets fully started up. If the OS wants to use the LDAP server for the naming service, then a deadlock happens, where the LDAP server's gethostbyname() call can't complete because the LDAP server isn't up.
  It is possible to configure the Solaris naming resolution to avoid this problem. I've got a system set up this way myself. Regardless, the official support channels won't support a system set up this way, so if you do this you do it at your own risk.

• Portal and Netscape LDAP server integration

  Hi,
  I am trying to integrate Netscape LDAP server (6.0) with portal server 7, but
  having lots of trouble doing that.
  I've followed the instructions in the developer guide and completed the following
  steps:
  1. added a CustomRealm named defaultLDAPRealmForNetscapeDirectoryServer in config.xml
  and modified the entries to fit my environment.
  2. Deployed ldapprofile.jar and customized the env variables.
  After these two steps, nothing happened. Then I did the third step:
  3. added a iPlanet Authenticator to the realm CompatibilityRealm, which is my
  default realm for the server.
  However, after step 3, I wasn't able to boot weblogic server. Please note I have
  create two users, system and weblogic in my LDAP server.
  I copied the stack trace below. Any suggestions will be greatly appreciated.
  Weiguo
  C:\prog\bea\user_projects\portalDemoDomain>"C:\prog\bea\jdk131_03\bin\java" -hotspot
  -Xms128m -Xmx128m -XX:MaxPermSize=128m -Dcommerce.properties="C:\prog\bea\weblogic700\portal\weblogiccommerce.properties"
  -Dweblogic.Name=portalDemoServer
  -Dbea.home="C:\prog\bea" -Dweblogic.management.username= -Dweblogic.management.p
  assword= -Dweblogic.ProductionModeEnabled=true -Dweblogic.management.discover=fa
  lse -Djava.security.policy=="C:\prog\bea\weblogic700\server\lib\weblogic.policy"
  weblogic.Server
  <Nov 4, 2002 1:18:45 PM EST> <Info> <Security> <090065> <Getting boot identity
  from user.>
  Enter username to boot WebLogic server:weblogic
  Enter password to boot WebLogic server:
  Starting WebLogic Server...
  <Nov 4, 2002 1:19:06 PM EST> <Notice> <Management> <140005> <Loading configuration
  C:\prog\bea\user_projects\portalDemoDomain\.\config.xml>
  <Nov 4, 2002 1:19:21 PM EST> <Notice> <Security> <090093> <No configuration data
  was found on server portalDemoServer for realm CompatibilityRealm.>
  <Nov 4, 2002 1:19:21 PM EST> <Notice> <Security> <090082> <Security initializing
  using realm CompatibilityRealm.>
  <Nov 4, 2002 1:19:21 PM EST> <Critical> <WebLogicServer> <000364> <Server failed
  during initialization. Exception:java.lang.SecurityException: Authentication for
  user weblogic denied
  java.lang.SecurityException: Authentication for user weblogic denied at
  weblogic.security.service.SecurityServiceManager.doBootAuthorization(
  SecurityServiceManager.java:1028)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
  erviceManager.java:1166)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:697)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:589)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:277)
  at weblogic.Server.main(Server.java:32)
  >
  <Nov 4, 2002 1:19:21 PM EST> <Emergency> <WebLogicServer> <000342> <Unable to
  in
  itialize the server: Fatal initialization exception
  Throwable: java.lang.SecurityException: Authentication for user weblogic denied
  java.lang.SecurityException: Authentication for user weblogic denied
  at weblogic.security.service.SecurityServiceManager.doBootAuthorization(
  SecurityServiceManager.java:1028)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
  erviceManager.java:1166)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:697)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:589)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:277)
  at weblogic.Server.main(Server.java:32)
  >
  The WebLogic Server did not start up properly.
  Exception raised:
  java.lang.SecurityException: Authentication for user weblogic denied
  at weblogic.security.service.SecurityServiceManager.doBootAuthorization(
  SecurityServiceManager.java:1028)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
  erviceManager.java:1166)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:697)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:589)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:277)
  at weblogic.Server.main(Server.java:32)
  Reason: Fatal initialization exception
  Throwable: java.lang.SecurityException: Authentication for user weblogic denied
  java.lang.SecurityException: Authentication for user weblogic denied
  at weblogic.security.service.SecurityServiceManager.doBootAuthorization(
  SecurityServiceManager.java:1028)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
  erviceManager.java:1166)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:697)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:589)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:277)
  at weblogic.Server.main(Server.java:32)

  Thanks a lot Scott. I followed your instructions and got it working to a certain
  degree. I am pretty happy about the results.
  There are still a few issues:
  1. I had to create groups and users in my directory server in order to boot up
  and logon to the server. This is expected, but is it possible to export these
  user/group settings from the embedded LDAP server so that I can import them into
  my directory server? Currently, the only way is manual and it's error prone. A
  lot of trial and error has to happen to get there.
  2. It seems that using Netscape LDAP server only allows read-only access. This
  means we have to create new users/groups outside of the portal server and one
  other side effect is self-registration is impossible, unless we use custom security
  providers. Is this assessment correct? Since LDAP integration is so important,
  wouldn't it be nice if BEA have that built-in and all we need to do is to switch
  to and configure it?
  3. I got duplicate users and groups in compatibility security. Obviously, one
  set is from my LDAP server and the other is from the embedded one. I tried to
  remove to embedded LDAP authenticator, but the duplicates are still there. How
  can I get rid of the duplicates - I only want the ones from my LDAP server?
  Thanks again Scott.
  Weiguo
  Scott Dunbar <[email protected]> wrote:
  Weiguo,
  WLP 7.0 uses a compatibility realm only and will not work with the
  custom realm that you created for the Netscape directory server.
  Configuring an LDAP compatibility realm isn't too bad and its
  configuration is much like 4.0. However, it can be hard to configure
  initially from the console. One way is to shut your server down and
  modify config.xml directly - but make sure you make a backup copy first!
  Then add something like:
  <CachingRealm BasicRealm="myRealm" CacheCaseSensitive="true"
  Name="wlcsCachingRealm"/>
  <CustomRealm
  ConfigurationData="user.filter=(&(uid=%u)(objectclass=person));
  user.dn=ou=people,dc=beasys,dc=com;
  server.principal=uid=dirmanager,ou=people,dc=beasys,dc=com;
  membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquenames));
  group.filter=(&(cn=%g)(objectclass=groupofuniquenames));
  server.host=somehost.beasys.com;
  group.dn=ou=groups,dc=beasys,dc=com"
  Name="myRealm" Password="your_password_here"
  RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"/>
  will enable your LDAP server. After this is setup it will be much
  easier to configure via the console. Obviously you'll need to update
  the parameters above for your configuration.
  Weiguo Wang wrote:
  Hi,
  I am trying to integrate Netscape LDAP server (6.0) with portal server7, but
  having lots of trouble doing that.
  I've followed the instructions in the developer guide and completedthe following
  steps:
  1. added a CustomRealm named defaultLDAPRealmForNetscapeDirectoryServerin config.xml
  and modified the entries to fit my environment.
  2. Deployed ldapprofile.jar and customized the env variables.
  After these two steps, nothing happened. Then I did the third step:
  3. added a iPlanet Authenticator to the realm CompatibilityRealm, whichis my
  default realm for the server.
  However, after step 3, I wasn't able to boot weblogic server. Pleasenote I have
  create two users, system and weblogic in my LDAP server.
  I copied the stack trace below. Any suggestions will be greatly appreciated.
  Weiguo
  C:\prog\bea\user_projects\portalDemoDomain>"C:\prog\bea\jdk131_03\bin\java"-hotspot
  -Xms128m -Xmx128m -XX:MaxPermSize=128m -Dcommerce.properties="C:\prog\bea\weblogic700\portal\weblogiccommerce.properties"
  -Dweblogic.Name=portalDemoServer
  -Dbea.home="C:\prog\bea" -Dweblogic.management.username= -Dweblogic.management.p
  assword= -Dweblogic.ProductionModeEnabled=true -Dweblogic.management.discover=fa
  lse -Djava.security.policy=="C:\prog\bea\weblogic700\server\lib\weblogic.policy"
  weblogic.Server
  <Nov 4, 2002 1:18:45 PM EST> <Info> <Security> <090065> <Getting bootidentity
  from user.>
  Enter username to boot WebLogic server:weblogic
  Enter password to boot WebLogic server:
  Starting WebLogic Server...
  <Nov 4, 2002 1:19:06 PM EST> <Notice> <Management> <140005> <Loadingconfiguration
  C:\prog\bea\user_projects\portalDemoDomain\.\config.xml>
  <Nov 4, 2002 1:19:21 PM EST> <Notice> <Security> <090093> <No configurationdata
  was found on server portalDemoServer for realm CompatibilityRealm.>
  <Nov 4, 2002 1:19:21 PM EST> <Notice> <Security> <090082> <Securityinitializing
  using realm CompatibilityRealm.>
  <Nov 4, 2002 1:19:21 PM EST> <Critical> <WebLogicServer> <000364> <Serverfailed
  during initialization. Exception:java.lang.SecurityException: Authenticationfor
  user weblogic denied
  java.lang.SecurityException: Authentication for user weblogic deniedat
  weblogic.security.service.SecurityServiceManager.doBootAuthorization(
  SecurityServiceManager.java:1028)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
  erviceManager.java:1166)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:697)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:589)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:277)
  at weblogic.Server.main(Server.java:32)
  <Nov 4, 2002 1:19:21 PM EST> <Emergency> <WebLogicServer> <000342><Unable to
  in
  itialize the server: Fatal initialization exception
  Throwable: java.lang.SecurityException: Authentication for user weblogicdenied
  java.lang.SecurityException: Authentication for user weblogic denied
  at weblogic.security.service.SecurityServiceManager.doBootAuthorization(
  SecurityServiceManager.java:1028)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
  erviceManager.java:1166)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:697)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:589)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:277)
  at weblogic.Server.main(Server.java:32)
  The WebLogic Server did not start up properly.
  Exception raised:
  java.lang.SecurityException: Authentication for user weblogic denied
  at weblogic.security.service.SecurityServiceManager.doBootAuthorization(
  SecurityServiceManager.java:1028)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
  erviceManager.java:1166)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:697)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:589)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:277)
  at weblogic.Server.main(Server.java:32)
  Reason: Fatal initialization exception
  Throwable: java.lang.SecurityException: Authentication for user weblogicdenied
  java.lang.SecurityException: Authentication for user weblogic denied
  at weblogic.security.service.SecurityServiceManager.doBootAuthorization(
  SecurityServiceManager.java:1028)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
  erviceManager.java:1166)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:697)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:589)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:277)
  at weblogic.Server.main(Server.java:32)
  scott dunbar bea systems,
  inc.
  [email protected] boulder, co
  303 998 2125 usa

• Solaris 10 client - ldap_search: Can't connect to LDAP server

  Hello
  I have following configuration:
  - openLDAP server in Solaris 10 zone called ldap
  - native LDAP client in different Solaris 10 zone called mail on the same SPARC machine
  I can't get ldapsearch results after ldapclient initialization.
  [root@mail ~]# ldapsearch -b dc=pov,dc=pl objectclass=*
  ldap_search: Can't connect to the LDAP server - Connection refused
  But I am able to get data from LDAP server if address of the server is specified:
  [root@mail ~]# ldapsearch -b dc=pov,dc=pl -h 192.168.1.40 objectclass=*
  version: 1
  dn: ou=users,dc=pov,dc=pl
  objectClass: organizationalUnit
  ou: Users
  Here is ldapclient config:
  [root@mail ~]# ldapclient list
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_SERVERS= 192.168.1.40
  NS_LDAP_SEARCH_BASEDN= dc=pov,dc=pl
  NS_LDAP_AUTH= none
  NS_LDAP_CACHETTL= 0
  What am I missing?

  Hi, I'm no exprert but I will try to help you. Are you still working on this?
  This what my stuff looks like:
  # ldapclient list
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=deathnote,dc=net
  NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
  NS_LDAP_SERVERS= 10.0.1.21:389
  NS_LDAP_SEARCH_BASEDN= dc=deathnote,dc=net
  NS_LDAP_AUTH= none
  NS_LDAP_CACHETTL= 0
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=deathnote,dc=net
  NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=deathnote,dc=net
  NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=deathnote,dc=net
  NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
  [root@light migration]# cat user00.ldif
  dn: uid=user00,ou=People,dc=deathnote,dc=net
  uid: user00
  cn: user00
  objectClass: account
  objectClass: posixAccount
  objectClass: shadowAccount
  objectClass: top
  loginShell: /bin/bash
  uidNumber: 805
  gidNumber: 501
  homeDirectory: /home/user00
  gecos: ldap user
  Also update you hosts file and add your server to the domain.
  I hope this helps.
  Edited by: CyberNinja on Oct 22, 2011 12:37 PM

• Novell-named failed to start / 2nd DSFW server

  Posting this here in case anyone else runs into this and it took me some tinkering to figure it out.
  I was busy installing a 2nd DSFW server and ran into a named error during the provisioning where it would start successfully but fail in the 'is it really running' check.
  When manually starting novell-named it gives a successful start but then exits after a second or so.
  When checking /etc/opt/novell/named/ it turned out that there was no named.conf even after configuring the dns server from imanager.
  /var/opt/novell/log/named/named.run had
  Code:
  07-Mar-2012 16:26:07.277 general: main: notice: starting BIND 9.3.2 -u named
  07-Mar-2012 16:26:07.319 general: dns/db: critical: Unable to login Error code:-223
  07-Mar-2012 16:26:07.320 general: dns/db: critical: Failed to load RRs of rootserver zone with error -112
  07-Mar-2012 16:26:07.320 general: dns/hints: warning: Loading Root data from directory Failed
  07-Mar-2012 16:26:07.321 general: server: info: loading configuration from '/etc/opt/novell/named/named.conf'
  07-Mar-2012 16:26:07.321 config: isccfg/parser: error: none:0: open: /etc/opt/novell/named/named.conf: file not found
  07-Mar-2012 16:26:08.359 general: dns/db: critical: Unable to login Error code:-223
  07-Mar-2012 16:26:08.359 network: interfacemgr: info: dns_edir_get_multival has returned error inside store_dnsserver_ip_address:25
  07-Mar-2012 16:26:08.359 network: interfacemgr: error: Error occured while updating the IP list of the DNS server object:25
  07-Mar-2012 16:26:08.359 general: server: critical: loading configuration: file not found
  07-Mar-2012 16:26:08.359 general: server: critical: exiting (due to fatal error)
  What I ended up doing was copied the options { } bit from the already up and running DSFW server into the new one, adjusted the edir object names and then novell-named would start and keep running.
  It was however still giving login errors in the logfile, after remembering it used the servers commonproxy user I ran '/opt/novell/proxymgmt/bin/change_proxy_pwd.sh -A yes' (you can find this in crontab already) and then everything started to work for real after restarting novell-named.
  Somewhere along the line it lost the correct password for the proxy user but there is hardly any indication of this, it gave me enough searching around to post this :-)
  The manual creation of the named.conf file is *probably* not needed, but mentioning it just in case.
  also, it is safe to ignore the 'unable to authenticate to ldap with <insert AD with DC= credentials here>' error you get when your eDir ldap server you are using to install eDir is not a DSFW server, this gave me a 'hmmmm' moment too.

  It most likely is a problem with the casa credential. It could be the credentials are there but their is a mismatch with with the Common Proxy user's password.
  You can verify the common proxy user's password with
  common-proxy-casa-repair-tool
  Then run the novell-dns-casa-repair-tool to sync up the dns casa keys with the correct credentials.

• Software Update without being logged in through LDAP

  Can you configure a computer to use the software update even though its logged into a local user but the directory is setup in the directory utility?
  Or does a user have to be logged in through the LDAP?

  Hi
  Yes. Push the preference out using Computer groups. Make sure (as you've stated) the computer is joined to the LDAP node using the LDAPv3 plug-in (/Applications/Directory Utility). Make sure the LDAP Server is listed in the search order.
  WGM > Computer Groups. Create a Computer Groups select Members click the diaresis button and you should see the bound hardware. Select it and add it to the Group. Define the necessary preference from there.
  Tony

• How to change LDAP server setting in Access Manager 6.2

  Hi,
  We have initially set authentication as a SunONE Directory Server 5.1 (master DS1) in Sun Java System Access Manager 6.2. In both /etc/opt/SUNWam/config/serverconfig.xml
  /etc/opt/SUNWam/config/AMConfig.properties
  conf files, DS1 was set initially. Also on console's Service Configuration ->LDAP->Primary LDAP Server was set as "DS1"
  Now the problem is that I am not able to change the DS1 to the other master "DS2". I set DS2 in both above conf files and also the Service Configuration page as Primary LDAP Server. I restarted the server. When I stopped the DS1, I couldn't login access manager console with any user. It looks like it is still trying to get authentication from DS1.
  Does anybody know what I am missing here?
  Regards,

  After hopeless tries, I finally made it work;) The trick was actually updating the sunKeyValue attribute of the entry:
  "dn:ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthLDAPService,ou=ser
  vices,dc=company,dc=com" in one of the master DS I have.
  Even though I set DS2 and loadBalancer hosts in all conf files and in Primary LDAP conf in amconsole's Service Configuration, it just didn't work until I inserted loadBalancer host in sunKeyValue attribute.
  Hope it helps to someone....
  -Bora