Update defaultprofile to add a 2nd ldap server ip to defaultServerList
Hello,
How to update the defaultprofile to add another directory server ip to the default server list?
In other words, how to have the existing ldap client recognise the newly setup replica server?
I have these two ldap servers:
10.0.0.1 the master ldap
10.0.0.2 the second master ldap
jrc1client122# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=citco,dc=com
NS_LDAP_BINDPASSWD= {NS1}3dab16e843111fb5
NS_LDAP_SERVERS= 10.0.0.1
NS_LDAP_SEARCH_BASEDN= dc= example ,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10
jrc1client122# ldapclient mod -a defaultServerList=10.0.0.02
System successfully configured
jrc1client122# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=citco,dc=com
NS_LDAP_BINDPASSWD= {NS1}3dab16e843111fb5
NS_LDAP_SERVERS= 10.0.0.1
NS_LDAP_SEARCH_BASEDN= dc= example ,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10
ldap_client_file
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 10.0.0.1
NS_LDAP_SEARCH_BASEDN= dc=citco,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10
thx a bunch.
Ray
Hi Stephan,
I have not tried this but I think "doesn't seem to work" is not the best error description you could provide.
Does slapd still start up?
Do you get errors?
Have you tried starting the server with
sudo slapd -d config
This will print some information to stdout about the processing of the configuration file.
HTH
Regards
Martin
Similar Messages
-
Usage of external LDAP server with Portal
Hi All,
We are in a situation to use external LDAP server with WLP 8.1. These are the
constraints we have to deal with:
1. Only read is allowed from this LDAP server.
2. This would be used for authentication purpose
If thats the case, how can we use Visitor Entitlements/Delegated Admin and Group
creation using Portal Admin tool since this will write to the configured LDAP
server.
Can somebody answer my question:
1. Can we use external LDAP server - just for authentication (I know this is possible
by using JAAS LoginModule, but I just want to get confirmed on this ) and
2. Use default and embedded LDAP server for all others like Group/Visitor Entitlements/DAs.
Any relevant pointers are also welcome.
TIA,
Prashanth Bhat.
Thanks for the reply. Some of your answers are not clear. Can you pls elaborate on this?? Pls see my comments below.
"Johnson" <[email protected]> wrote:
>
Phil,
Can I use embedded LDAP for production?
Thanks
Lawrence
"Phil Griffin" <BEA> wrote:
"Prashanth " <[email protected]> wrote in message
news:[email protected]..
Hi All,
We are in a situation to use external LDAP server with WLP 8.1. These are the
constraints we have to deal with:
1. Only read is allowed from this LDAP server.
2. This would be used for authentication purpose
If thats the case, how can we use Visitor Entitlements/Delegated Admin and Group creation using Portal Admin tool since this will write to the configured LDAP server.
Can somebody answer my question:
1. Can we use external LDAP server - just for authentication (I know this is possible by using JAAS LoginModule, but I just want to get confirmed on this) and
>
You can add the external LDAP server just for authentication, but in versions through 8.1 SP2 WLP will want to verify the user exists (via the UserReaderMBean) during the login process (this check has been removed in SP3). A work around is to duplicate the user in a provider that does impl UserReaderMBean.
Prashanth : You mean to say we have to duplicate the User in embedded LDAP server also??
>>
2. Use default and embedded LDAP server for all others like Group/Visitor Entitlements/DAs.
>
Yes, the default/embedded LDAP can still be used for DA/visitor entitlements. In the current release, the Portal Admin Tools can only be configured to use a single authentication provider while forming entitlements. In SP3, all configured providers are listed/usable by the tools.
Prashanth : How can we configure Portal Admin tool to use authentication provider for entitlements??
>>
Any relevant pointers are also welcome.
TIA,
Prashanth Bhat. -
Besides, can we install the LDAP server in sparc hosts as naming system? Can we use Sun LDAP server or iPlanet Directory Server? or need BIND DNS server too?
There is a nice book from Michael Haines and Tom Bialaski: "Solaris and LDAP Naming Services" which contains all you need to configure Directory Server, LDAP, Naming Switch...
Ludovic. -
Rc.local script to bind and add ldap server
Greetings All,
For the past few years, I've used the script below to bind and add authentication servers to my client machines. The process is simple enough, copy the rc.local script (ref'd below) to /etc/ as root and reboot the client. The problem now, is I don't know if this will work in 10.6. As I read this script, I realized there have been enough changes in location of files and file names between 10.5 and 10.6 that this script isn't going to work.
My question to you guys is this: Is anyone else taking care of their binding/auth services in a similar manner? If so, would you mind sharing the script you're using?
Thanks,
-dave
Here's mine:
#!/bin/sh
# WARNING -- REMEMBER TO UNCOMMENT THE SELF-DELETING LINE!
#Site and/or District-specific Variables
#Local Admin in Image
LOCADMIN="tech" # Local admin user in your image
LOCPASSWD="techpwd" # Local admin password in your image
#Open Directory
ODSITESERVER="odr1.mydomain.edu" # FQDN of the Open Directory Server
ODADMIN="diradmin" # Directory Admin for Open Directory
ODPASSWD="diradminpwd" #Password for OD Directory Admin
### DO NOT EDIT BELOW THIS LINE!
OSMAJORVER=`sw_vers | grep ProductVersion | awk '{print $2}' | cut -c 1-4`
ENETADDRESS=`ifconfig en0 | grep ether | awk '{print $2}'`
#Give the network time to come online
logger "Sleeping 30 seconds"
sleep 30
#Set Date and Time
case $OSMAJORVER in
10.3) date > /Library/Logs/binder.log 2>&1
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup-panther -setusingnetworktime off >> /Library/Logs/binder.log 2>&1
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup-panther -setusingnetworktime on >> /Library/Logs/binder.log 2>&1
date >> /Library/Logs/binder.log 2>&1 ;;
10.4) date > /Library/Logs/binder.log 2>&1
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup-tiger -setusingnetworktime off >> /Library/Logs/binder.log 2>&1
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup-tiger -setusingnetworktime on >> /Library/Logs/binder.log 2>&1
date >> /Library/Logs/binder.log 2>&1 ;;
10.5) date > /Library/Logs/binder.log 2>&1
/usr/sbin/systemsetup -setusingnetworktime off >> /Library/Logs/binder.log 2>&1
/usr/sbin/systemsetup -setusingnetworktime on >> /Library/Logs/binder.log 2>&1
date >> /Library/Logs/binder.log 2>&1 ;;
esac
#Set Bonjour and Computer Names
# logger "Setting Bonjour and Computer Names"
# SERIALNUMBER=`ioreg -l |grep IOPlatformSerialNumber | awk '{print $4}' | cut -d \" -f 2`
# SECONDOCTET=`ifconfig -a | grep inet | grep -v inet6 | awk '{print $2}' | grep ^10\. | head -n 1 | awk 'BEGIN {FS="."}; { printf "%03d", $2 }'`
# COMPUTERID="A""$SECONDOCTET""$SERIALNUMBER"
# logger "Computer name is $COMPUTERID"
# scutil --set LocalHostName "$COMPUTERID"
# scutil --set ComputerName "$COMPUTERID"
# sleep 3
#Set the Open Directory Server we are binding to based on the second octet of the IP address received from the DHCP lease
# case $SECONDOCTET in
# 002|005|047|110|112|115|119|121|123|128|133|153|241|247|250|251|253) ODSITESERVER="a941wgm.austinisd.org" ; RING="A1N";;
# 009|045|046|052|053|107|109|117|131|132|138|144|151|154|155|179) ODSITESERVER="a117wgm.austinisd.org" ; RING="B1N";;
# 004|006|010|048|055|056|102|106|118|129|141|149|152|157|159|161|163|164|165|178|189|244|249) ODSITESERVER="a006wgm.austinisd.org" ; RING="C1N";;
# 003|012|015|044|051|105|108|111|116|122|124|125|126|127|139|142|145|150|245) ODSITESERVER="a044wgm.austinisd.org" ; RING="D1N";;
# 007|043|049|058|103|104|114|140|146|160|162|168|171|174|175|176|185|190|246|101) ODSITESERVER="a007wgm.austinisd.org" ; RING="B1S";;
# 101) ODSITESERVER="a007wgm.austinisd.org" ; RING="B2S";;
# 008|013|017|054|059|061|120|130|136|147|156|166|172|173|182|184) ODSITESERVER="a008wgm.austinisd.org" ; RING="C1S";;
# 057|060|113|143|148|158|170|180|181|183|248) ODSITESERVER="a008wgm.austinisd.org" ; RING="C2S";;
# *) ODSITESERVER="a000wgm.austinisd.org" ; RING="A0N";;
# esac
#Remove Existing Directory Services Config
logger "Removing existing DS Config"
rm -R /Library/Preferences/DirectoryService/ActiveDirectory*
rm -R /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig*
rm -R /Library/Preferences/DirectoryService/SearchNode*
rm -R /Library/Preferences/DirectoryService/ContactsNode*
rm -R /Library/Preferences/edu.mit.*
rm -R /etc/krb5.keytab
#Enable and disable appropriate plugins
case $OSMAJORVER in
10.3) defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Inactive" >> /Library/Logs/binder.log 2>&1
defaults write /Library/Preferences/DirectoryService/DirectoryService "LDAPv3" "Active" >> /Library/Logs/binder.log 2>&1
defaults write /Library/Preferences/DirectoryService/DirectoryService "AppleTalk" "Inactive" >> /Library/Logs/binder.log 2>&1
defaults write /Library/Preferences/DirectoryService/DirectoryService "SLP" "Inactive" >> /Library/Logs/binder.log 2>&1
defaults write /Library/Preferences/DirectoryService/DirectoryService "BSD" "Inactive" >> /Library/Logs/binder.log 2>&1
defaults write /Library/Preferences/DirectoryService/DirectoryService "SMB" "Inactive" >> /Library/Logs/binder.log 2>&1
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist >> /Library/Logs/binder.log 2>&1 ;;
10.4) defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Inactive" >> /Library/Logs/binder.log 2>&1
defaults write /Library/Preferences/DirectoryService/DirectoryService "LDAPv3" "Active" >> /Library/Logs/binder.log 2>&1
defaults write /Library/Preferences/DirectoryService/DirectoryService "AppleTalk" "Inactive" >> /Library/Logs/binder.log 2>&1
defaults write /Library/Preferences/DirectoryService/DirectoryService "SLP" "Inactive" >> /Library/Logs/binder.log 2>&1
defaults write /Library/Preferences/DirectoryService/DirectoryService "BSD" "Inactive" >> /Library/Logs/binder.log 2>&1
defaults write /Library/Preferences/DirectoryService/DirectoryService "SMB" "Inactive" >> /Library/Logs/binder.log 2>&1
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist >> /Library/Logs/binder.log 2>&1 ;;
10.5) defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Inactive" >> /Library/Logs/binder.log 2>&1
defaults write /Library/Preferences/DirectoryService/DirectoryService "LDAPv3" "Active" >> /Library/Logs/binder.log 2>&1 ;;
esac
#Copy in updated ldap.conf file for Leopard machines, which disables the verification of SSL certs used for LDAP Authentication
case $OSMAJORVER in
10.5) cp /etc/ldap.conf-leopard /etc/openldap/ldap.conf ;;
esac
#Kill Directory Services and respawn to return to DS Defaults
logger "Respawning DS"
killall -9 DirectoryService
#Running "id" triggers a DS Respawn
id "$LOCADMIN" >> /Library/Logs/binder.log 2>&1
sleep 3
#Fix SearchNode plist
case $OSMAJORVER in
10.3) logger "Disabling LDAP via DHCP"
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "DHCP LDAP" -dict "/Sets/0" -bool FALSE >> /Library/Logs/binder.log 2>&1
plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist >> /Library/Logs/binder.log 2>&1
killall -9 DirectoryService >> /Library/Logs/binder.log 2>&1
sleep 3 ;;
10.4) logger "Disabling LDAP via DHCP"
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "DHCP LDAP" -dict "/Sets/0" -bool FALSE >> /Library/Logs/binder.log 2>&1
plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist >> /Library/Logs/binder.log 2>&1
killall -9 DirectoryService >> /Library/Logs/binder.log 2>&1
sleep 3 ;;
esac
#Configure LDAPv3 Plugin -- fix with site-specific data
logger "Configuring LDAPv3 Plugin"
case $OSMAJORVER in
10.4) dsconfigldap -v -l "$LOCADMIN" -q "$LOCPASSWD" -a "$ODSITESERVER" -n "Open Directory" >> /Library/Logs/binder.log 2>&1 ;;
10.5) dsconfigldap -v -l "$LOCADMIN" -q "$LOCPASSWD" -a "$ODSITESERVER" -n "Open Directory" >> /Library/Logs/binder.log 2>&1 ;;
esac
sleep 3
#Make sure we init DS and confirm connectivity to each LDAP directory
logger "Checking OD Node Connectivity"
date >> /Library/Logs/binder.log
echo "Checking OD Node Connectivity" >> /Library/Logs/binder.log
dscl localhost -list /LDAPv3/$ODSITESERVER/Groups >> /Library/Logs/binder.log 2>&1
#Configure Search Path
logger "Configuring Search Nodes"
date >> /Library/Logs/binder.log
echo "Configuring Search Nodes" >> /Library/Logs/binder.log
dscl localhost -read /Search >> /Library/Logs/binder.log 2>&1
case $OSMAJORVER in
10.3) defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/LDAPv3/$ODSITESERVER"
killall -9 DirectoryService ;;
10.4) dscl /Search -append / CSPSearchPath "/LDAPv3/$ODSITESERVER" >> /Library/Logs/binder.log 2>&1
dscl /Search -create / SearchPolicy CSPSearchPath >> /Library/Logs/binder.log 2>&1 ;;
10.5) dscl /Search -append / CSPSearchPath "/LDAPv3/$ODSITESERVER" >> /Library/Logs/binder.log 2>&1
dscl /Search -create / SearchPolicy CSPSearchPath >> /Library/Logs/binder.log 2>&1 ;;
esac
date >> /Library/Logs/binder.log
echo "Confirming Search Nodes" >> /Library/Logs/binder.log
dscl localhost -read /Search >> /Library/Logs/binder.log 2>&1
#Remove any stale computer records from Open Directory
logger "Removing stale computer records from OD"
dscl /LDAPv3/"$ODSITESERVER" -search Computers ENetAddress "$ENETADDRESS" | awk 'BEGIN {FS="\t\t"}; { print $1 }' | while read COMPNAME
do
dscl -u "$ODADMIN" -P "$ODPASSWD" /LDAPv3/"$ODSITESERVER" -delete Computers/"$COMPNAME" >> /Library/Logs/binder.log 2>&1
done
#Add computer record to Open Directory
logger "Adding new Computer Record to OD"
dscl -u "$ODADMIN" -P "$ODPASSWD" /LDAPv3/"$ODSITESERVER" -create Computers/`scutil --get LocalHostName` ENetAddress "$ENETADDRESS" >> /Library/Logs/binder.log 2>&1
#Add to designated computer list - this is ONLY for 10.4 server. This will need to be replaced for 10.5 server.
COMPUTERGROUP="Unprovisioned" # Computer List
COMPUTERID=`scutil --get LocalHostName` # Name of the computer record created above
logger "Adding to Computer List: $COMPUTERGROUP"
dscl -u "$ODADMIN" -P "$ODPASSWD" /LDAPv3/"$ODSITESERVER" -create Computers/"$COMPUTERID" ENetAddress "$ENETADDRESS"
dscl -u "$ODADMIN" -P "$ODPASSWD" /LDAPv3/"$ODSITESERVER" -append ComputerLists/"$COMPUTERGROUP" Computers "$COMPUTERID"
#Refresh the MCX Cache
logger "Refreshing the MCX Cache"
case $OSMAJORVER in
10.3) /System/Library/LoginPlugins/MCX.loginPlugin/Contents/MacOS/MCXCacher -f >> /Library/Logs/binder.log 2>&1
/System/Library/LoginPlugins/MCX.loginPlugin/Contents/MacOS/MCXCacher >> /Library/Logs/binder.log 2>&1 ;;
10.4) /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher -f >> /Library/Logs/binder.log 2>&1
/System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher >> /Library/Logs/binder.log 2>&1 ;;
esac
#Disable automatic login on the client
defaults write /Library/Preferences/.GlobalPreferences com.apple.userspref.DisableAutoLogin -bool TRUE
#Enable login hooks on the client
case $OSMAJORVER in
10.4|10.5) defaults write /var/root/Library/Preferences/com.apple.loginwindow EnableMCXLoginScripts -bool true
defaults write /var/root/Library/Preferences/com.apple.loginwindow MCXScriptTrust Anonymous ;;
esac
#Enable Directory Services Status by default on loginwindow
# case $OSMAJORVER in
# 10.4|10.5) defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus ;;
#esac
#Modify the binder log so that only admin viewers may access the file
chmod u=rw,go= /Library/Logs/binder.log
sleep 5
#killall loginwindow
sleep 5
#Comment the lines below, until shutdown if you do not want the script to replace itself with a 30 second delay on startup to ensure the client receives a DHCP lease before loginwindow appears
case $OSMAJORVER in
10.3|10.4) echo sleep 30 > /etc/rc.local ;;
*) srm /etc/rc.local ;;
esac
shutdown -r now
#Exit
exit 0
The first thing I would verify is if you can connect and traverse your Active Directory/Domain Controller using Softerra's free ldap browser.
1. Softerra ldap browser link
http://download.softerra.com/files/ldapbrowser26.msi
Put in the IP/hostname of the domain controller, use the same BASE DN, and user credentials that you used on the IronPort appliance.
I would highly recommend that you create a separate account for the IronPort (i.e. ironportldap). Do this so that you don't have to worry about accidentally resetting the password and then forgetting to update the IronPort appliance.
2. Once you've verified that you can connect and see your tree, use the same settings from Softerra ldap browser and put them in the IronPort ldap interface.
Try this for your Accept query string
(|(mail={a})(proxyAddresses=smtp:{a}))
3. If it still fails, enable the ldap debug log if you haven't already and paste in the error.
We are trying to add an LDAP Server Profile but every time we try to test the Accept Query we get an
"Error - Error: configuration error" message.
We are using AD, top of the tree for base DN. dc=domain, dc=local.
We tried communicating with 2 different servers via telnet on ports 389, 3268, both are open.
Tried port 389 and 3268, no SSL, Anonymous and User Password authentication methods.
The error left us clueless since we followed the instructions on the user manual.
For the accept query we tried this query string: (proxyAddresses=smtp:{a})
Any ideas or pointers to what could be causing this are very appreciated.
Thanks.
Ed. -
How can we update data in LDAP server using PL/SQL.
Hi,
How can we update data in LDAP server using PL/SQL program.
Is there any sample code for reference?
Thanks,
Tarun
Hi Justin,
Thanks for your help. You got my correct requirements.
Tim's example returns all the attributes of the current user, which is the admin user. Please correct me if I am wrong.
I have the following information:
the admin user and password, server info, port and ldap_base for admin.
I have uid and password for regular user, I am trying to find the ldap_base for regular user, which may be different from adminuser.
Please help me.
Thanks,
Edited by: james. on Jan 12, 2009 5:39 PM -
How do I add an objectclass to existing LDAP server entry using an ldif file?
I am trying to fix an LDAP server that has been operating with schema check off. I need to add an objectclass to the groups so that some attributes that have been added to the groups will be "legal." From the documentation, the changetype: modify will allow the changing/adding of attributes that are already a part of the schema objects that define the entry. It does not look like I can add an objectclass with the modify operation.
If this is the case, then how do I add an objectclass to an existing entry? Using the GUI is not possible since the directory server in question is not being managed with an admin server. Please tell me that I do not have to delete the groups and import them again with an LDIF file that has the new objectclass added.
Kent
See this post:
http://softwareforum.sun.com/servlet/ProcessRequest?RHIVEID=181&RPAGEID=135&HOID=50B500000008000000636B0000&USEARCHCONTEXT_CATEGORY_0=_21_%24_7_&USEARCHCONTEXT_CATEGORY_S=0&UCATEGORY_0=_21_%24_7_&UCATEGORY_S=0 -
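The question above is about adding an objectClass to existing group entries via LDIF. As an added example (not code from the thread, and not Sun's tooling), the following Python script reads a content LDIF export of the groups, finds the entries that lack the auxiliary class, and emits a changetype: modify batch that adds it. The export is a constructed sample and "exampleGroupAux" is a hypothetical class name; entries that already carry the class are skipped so the batch can be regenerated and re-applied without errors.

```python
# Added example (not from the thread): build a "changetype: modify" LDIF batch
# that adds an auxiliary objectClass to every group entry still missing it,
# which is what a directory that ran with schema checking off needs before the
# check is turned back on. Entries that already carry the class are skipped,
# so the batch can be regenerated and re-applied safely.
# The export below is a constructed sample; "exampleGroupAux" is a hypothetical
# auxiliary class name.
import base64
import re

SAMPLE_EXPORT = """\
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: exampleGroupAux
cn: admins
uniqueMember: uid=alice,ou=people,dc=example,dc=com

dn: cn=staff,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: staff
description:: U3RhZmYgZ3JvdXA=
uniqueMember: uid=bob,ou=people,
 dc=example,dc=com
"""


def parse_ldif(text):
    """Parse a content LDIF into a list of (dn, {attr: [values]}) tuples.

    Handles folded continuation lines (leading space), comments, and base64
    values (attr:: ...). Attribute names are lower-cased for comparison.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            name = name.strip().lower()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries


def entries_missing_class(entries, structural_class, aux_class):
    """DNs of entries that have structural_class but not aux_class."""
    missing = []
    for dn, attrs in entries:
        classes = {v.lower() for v in attrs.get("objectclass", [])}
        if structural_class.lower() in classes and aux_class.lower() not in classes:
            missing.append(dn)
    return missing


def build_modify_ldif(entries, structural_class, aux_class):
    """Emit one modify record per entry that needs aux_class added."""
    records = []
    for dn in entries_missing_class(entries, structural_class, aux_class):
        records.append(
            f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: {aux_class}\n-\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    print(build_modify_ldif(parse_ldif(SAMPLE_EXPORT), "groupOfUniqueNames", "exampleGroupAux"))
```

The generated records use the standard LDIF modify syntax (RFC 2849): "add: objectClass" followed by the new value and a "-" terminator, so they can be fed to ldapmodify against the server.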
Still LDAP server not responding when add to authentication search path ...
Howdy All,
I still have an OS X Server 10.5.6 (running Open Directory with its own Master directory) that when configured to connect to a corporate LDAP server indicates the server is responding fine, but when I add the server to the authentication search path, the server is no-longer responding.
I suspect this may mean the LDAP server is choosing to no-longer respond? Is it possible that the LDAP server could have my machine / IP address "black-listed" in some way? I have asked corporate IT but they didn't seem to think so (although I was queried before about repeated connect attempts).
Somewhat strangely I can configure a laptop client (OS X 10.5.6) to connect to the same LDAP server from an Ethernet port on the same LAN and it works fine. However, when I connect this laptop to the LAN through my server (WiFi NAT) I get the same issue as described above.
I don't have the firewall on the server turned on, I have played around with some certificates on the server, but have set "TLS_REQCERT never" in the ldap.conf file on the server (and client) as suggested by corporate IT. I have Kerberos running on the server and all else seems fine on the server.
Can anyone suggest what may be causing this? Or how I can debug the problem?
Thanks in advance.
Cheers,
Ashley.
Hi Jeff,
Thanks for your post. That said, I'm not sure how you got the impression that I wish to go to Maine; I'm happy here in Perth, Western Australia.
Jeff Kelleher wrote:
Connecting a Mac to an LDAP server is a far cry from connecting an OS X Server to an existing LDAP server. Not that I could necessarily help, but asking how to connect an OS X Server to an LDAP server is a bit like asking "guess where I am now, how do I get to Maine?"
You need to provide as much info as you can.
Seriously though, I'm not sure of the difference. I am using Directory Utility to allow this OS X Server to get authentication information from an LDAP server just like an OS X Client would.
I have Open Directory in Server Admin just setup to connect to a directory system (i.e. the organisation LDAP server), not a master or replica.
My final goal is to allow access to an OS X TeamsServer Wiki by users who are authenticated against the LDAP server (rather than having to have separate accounts, logins, on the OSXS.)
I am hoping that I can use a group from the LDAP server to define the team, but perhaps I will have to run a standalone OD. I hope then I can add LDAP users to the OD group.
What other information would help?
Thanks,
Ashley.
OS X Server 10.5.6 -
OSX 10.9 Maverick add a LDAP server via script
I use applescript to add a LDAP server on 10.8, but after 10.9 was released, I found the script cannot be used any more.
Seems the new Mail app doesn't support LDAP server; it is integrated into Internet Accounts.
However the SAMPLE script is still the same. ( /Library/Scripts/Mail\ Scripts/Create\ New\ LDAP\ Server.scpt )
Does any one know how to config internet accounts via script (BASH script is OK too)?
the new mail app does not understand
make new ldap server with properties {name:theName, host name:theAddress, search base:theSearchBase, «class ldpo»:thePort, scope:theScope}
any more.
I'd first read the subject and thought this involved creating an entire LDAP server via script and thought... whoa, that's some script.
But you're seeking to reference a remote resource or some automated way to configure your client mail, and that's currently using LDAP, right? If so, then Apple has shifted over to Profiles and away from LDAP and MCX and related. Profiles would be the approach I'd follow here, either with OS X Server and its profile manager or some other MDM service.
If you have access to the Apple WWDC13 session videos, there's a session on the Profile Manager that might be worth your time. -
Updating Sun LDAP Server through custom create group forms
Hi,
we have a requirement wherein we must create a create group form (custom form) and then update the new group details to the Sun LDAP server. After defining the LDAP Resource, how do I proceed in creating the resource object and configuring the same with the 'create group form' for updating the necessary attributes in LDAP server.
There is no way to perform LDAP authentication using our product without a mapped group. I haven't used it in a while but the Sun LDAP management tools were very straight forward, creating users/groups isn't much trouble.
First create the users and groups wherever in the directory, then in the group properties you must make the users members of the groups. Map the groups into BO and you're done.
If you wanted someone to setup both your LDAP directory and Business Objects typically a 3rd party professional service may be used. For configuring BO you can open a case with the authentication team in support if stuck. You could get some tips as most of our engineers have set up sun a few times for internal testing.
Regards,
Tim -
Can an LDAP server be its own client?
In short yes, why would you want to do this? Many reasons, but mine is to be able to use ldap on laptops running Solaris and have them log into the machine with ldap credentials off the network. When we plug them back onto the network, I have a master server send any new data via one-way replication. I will give 2 separate ways to accomplish this. One is, to put it bluntly, a dirty hack to get it working. The second is much more elegant and it's the one I have stress tested to verify that it works.
Disclaimer: I have only used these methods on Solaris10 update 3 with Trusted Extensions using directory server 5.2 as well as the administration server. I have used a few different kinds of machines (all x86) and have not had a problem with it. I do not know if it will work on any other version or hardware. I haven't even looked at the source code, all assumptions made here are from observing the system's behavior while making minor changes.
Now, the reason why normally you can't be your own client (at least as far as I can tell) is because of the way the system boots and the dependencies that the ldap/client service needs to start up. If you boot a machine that is its own client and ldap/client runs before the directory server starts, of course it will fail. The system boots the services first, then legacy init scripts. Directory Server 5.2 uses init scripts. Correct me if I am wrong, but that is the only real hurdle in your way.
So the first way to get it 'working' (dirty hack) is to delay the ldap/client smf service from starting until the directory server is started. After you become a client of yourself (in this case the global zone) disable the ldap/client service.
svcadm disable ldap/client
Then enable it temporarily with the -t option
svcadm enable -t ldap/client
Well if you were to reboot now it would not work because the service would not start at boot because it is set to be administratively down. Edit the S72directory script in /etc/rc2.d and after the start commands just add the svcadm enable -t ldap/client command and it will load right after directory server starts. Will this work? Yes, is it a clean way to do it? NO. I used this method just for testing the theory that the only reason I could not be my own client was because of the booting issue.
Now the best way that I can see to accomplish this is to create your own smf services for the directory server and admin server. That way all you have to do is add a dependency to the ldap/client xml file to wait until the new directory server service is started before it starts. So in /var/svc/manifest/site create a folder called ldap (I put this in site because I didn't want to run into any issues of patching). In /var/svc/manifest/site/ldap/ create two xml files named ds_admin.xml and directory_server.xml.
quick note: These are the first services I have created. There may be a much better way to make them. If you can re-code it better, please let me know so I can look at them. Also there is no restart command in here (actually I just noticed that) so adding one of those would be wise.
ds_admin.xml contains:
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
Copyright 2004 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
ident "@(#)client.xml 1.4 04/12/09 SMI"
NOTE: This service manifest is editable; its contents will not
be overwritten by package or patch operations, including
operating system upgrade.
-->
<service_bundle type='manifest' name='SUNWdsadmin:dsadmin'>
<service
name='site/ldap/ds_admin'
type='service'
version='1'>
<create_default_instance enabled='false' />
<single_instance />
<dependency
name='fs'
grouping='require_all'
restart_on='none'
type='service'>
<service_fmri value='svc:/system/filesystem/minimal' />
</dependency>
<dependency
name='net'
grouping='require_all'
restart_on='none'
type='service'>
<service_fmri value='svc:/network/initial' />
</dependency>
<exec_method
type='method'
name='start'
exec='/lib/svc/method/ds_admin start'
timeout_seconds='120' >
<method_context>
<method_credential user='root' group='sys' />
</method_context>
</exec_method>
<exec_method
type='method'
name='stop'
exec='/lib/svc/method/ds_admin stop'
timeout_seconds='60' >
<method_context>
<method_credential user='root' group='sys' />
</method_context>
</exec_method>
<stability value='Unstable' />
<template>
<common_name>
<loctext xml:lang='C'>
LDAP Admin server
</loctext>
</common_name>
<description>
<loctext xml:lang='C'>
LDAP admin server
Information Service lookups
</loctext>
</description>
</template>
</service>
</service_bundle>
and directory_server.xml contains:
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
Copyright 2004 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
ident "@(#)client.xml 1.4 04/12/09 SMI"
NOTE: This service manifest is editable; its contents will not
be overwritten by package or patch operations, including
operating system upgrade.
-->
<service_bundle type='manifest' name='SUNWds:ds'>
<service
name='site/ldap/directory_server'
type='service'
version='1'>
<create_default_instance enabled='false' />
<single_instance />
<dependency
name='usr'
grouping='require_all'
restart_on='none'
type='service'>
<service_fmri value='svc:/system/filesystem/minimal' />
</dependency>
<dependency
name='net'
grouping='require_all'
restart_on='none'
type='service'>
<service_fmri value='svc:/network/initial' />
</dependency>
<dependency
name='ds_admin'
grouping='require_all'
restart_on='none'
type='service'>
<service_fmri
value='svc:/site/ldap/ds_admin' />
</dependency>
<exec_method
type='method'
name='start'
exec='/lib/svc/method/directory_server start'
timeout_seconds='120' >
<method_context>
<method_credential user='root' group='sys' />
</method_context>
</exec_method>
<exec_method
type='method'
name='stop'
exec='/lib/svc/method/directory_server stop'
timeout_seconds='60' >
<method_context>
<method_credential user='root' group='sys' />
</method_context>
</exec_method>
<stability value='Unstable' />
<template>
<common_name>
<loctext xml:lang='C'>
LDAP directory server
</loctext>
</common_name>
<description>
<loctext xml:lang='C'>
LDAP directory server
Information Service lookups
</loctext>
</description>
</template>
</service>
</service_bundle>
Now the start/stop scripts will be located in /lib/svc/method and are as follows:
ds_admin
#!/sbin/sh
# SMF method script for the Directory Server administration server
case "$1" in
start)
/usr/sbin/directoryserver start-admin
;;
stop)
/usr/sbin/directoryserver stop-admin
;;
*)
echo "Usage: $0 { start | stop }"
exit 1
;;
esac
exit 0
simple yes.
directory_server
#!/sbin/sh
# SMF method script for svc:/site/ldap/directory_server: start or stop
# the slapd instance named after this host. Each case ends with ';;'
# and an unknown argument prints usage and fails.
HOST_NAME=`hostname`
SERVER_ROOT=/var/opt/mps/serverroot
DIRECTORY_SERVER_INSTANCE=slapd-${HOST_NAME}
case "$1" in
start)
    ${SERVER_ROOT}/${DIRECTORY_SERVER_INSTANCE}/start-slapd
    ;;
stop)
    ${SERVER_ROOT}/${DIRECTORY_SERVER_INSTANCE}/stop-slapd
    ;;
*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac
exit 0
The only thing left to do is modify the ldap/client SMF file so that it waits until the directory server starts before it loads.
So edit /var/svc/manifest/network/ldap/client.xml and, right before the dependency for /var/ldap/ldap_client_file, add this:
<dependency
name='directory_server'
grouping='require_all'
restart_on='none'
type='service'>
<service_fmri
value='svc:/site/ldap/directory_server' />
</dependency>
Any changes made to the ldap/client xml file must be made after ALL zones have been installed. If this file is copied to a zone it will never work, as the directory_server service is not loaded in the zones.
Now what? You must remove the legacy init scripts in /etc/rc2.d. Those would be S72directory and S73mpsadm. No need to keep them around; alternatively, you can just change the capital 'S' to lower case and they won't start.
You can now either use svccfg to validate and import the new services or you can reboot. Typically, I reboot and use the '-m verbose' option on boot to watch the services for any errors. I haven't had any lately, but on different systems I always watch to see if it behaves differently.
That's it. I have rebooted all the machines many, many times without error. This of course does not address loading the directory server or adding users, the tnrhdb file, etc. We have scripted most of the loading and once we get some error correction coded in I will post them.
Also, if you find any errors or even a better way to accomplish this, please post it.
This restriction is only in terms of implementing the Solaris support for LDAP as a naming service. If the Solaris OS is configured to use LDAP as a naming service, it can't use an LDAP server running on the same host.
The reason is that the LDAP server makes naming service calls before it gets fully started up. If the OS wants to use the LDAP server for the naming service, then a deadlock happens, where the LDAP server's gethostbyname() call can't complete because the LDAP server isn't up.
It is possible to configure the Solaris naming resolution to avoid this problem. I've got a system set up this way myself. Regardless, the official support channels won't support a system set up this way, so if you do this you do it at your own risk. -
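For the SMF thread above, here is an added Python example (not the poster's code, and not part of Solaris) that checks what the manifests actually set up: it parses constructed, trimmed copies of ds_admin.xml, directory_server.xml and a minimal ldap/client manifest carrying the new dependency, computes a start order the way SMF must, and reports a cycle. A cycle is exactly the deadlock the reply describes, modelled here by adding the reverse edge "directory server needs the naming service". The ldap/client manifest content, the module and the function names are assumptions made for the example.

```python
"""Check the SMF dependency graph from the manifests in the thread above."""
import xml.etree.ElementTree as ET
from collections import deque

# Constructed manifests (assumption): only the elements this check reads are
# kept. The ldap/client one is a minimal stand-in carrying the added dependency.
MANIFESTS = {
    "ds_admin.xml": """<service_bundle type='manifest' name='SUNWds:ds_admin'>
<service name='site/ldap/ds_admin' type='service' version='1'>
<dependency name='net' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/network/initial' />
</dependency>
</service>
</service_bundle>""",
    "directory_server.xml": """<service_bundle type='manifest' name='SUNWds:ds'>
<service name='site/ldap/directory_server' type='service' version='1'>
<dependency name='usr' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/filesystem/minimal' />
</dependency>
<dependency name='net' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/network/initial' />
</dependency>
<dependency name='ds_admin' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/site/ldap/ds_admin' />
</dependency>
</service>
</service_bundle>""",
    "client.xml": """<service_bundle type='manifest' name='SUNWcsr:ldap-client'>
<service name='network/ldap/client' type='service' version='1'>
<dependency name='directory_server' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/site/ldap/directory_server' />
</dependency>
<dependency name='config_data' grouping='require_all' restart_on='none' type='path'>
<service_fmri value='file://localhost/var/ldap/ldap_client_file' />
</dependency>
</service>
</service_bundle>""",
}


def parse_manifest(xml_text):
    """Return (fmri, [service fmris it requires]) for one manifest.

    Only type='service' dependencies become graph edges; path dependencies
    (files) cannot take part in a service-ordering cycle and are skipped.
    """
    service = ET.fromstring(xml_text).find("service")
    fmri = "svc:/" + service.get("name")
    deps = []
    for dep in service.findall("dependency"):
        if dep.get("type") != "service":
            continue
        deps.extend(t.get("value") for t in dep.findall("service_fmri"))
    return fmri, deps


def build_graph(manifests):
    """Map each service fmri to the set of fmris it requires."""
    graph = {}
    for text in manifests.values():
        fmri, deps = parse_manifest(text)
        graph.setdefault(fmri, set()).update(deps)
        for d in deps:
            graph.setdefault(d, set())  # external services with no manifest here
    return graph


def transitive_deps(graph, fmri):
    """All services that must be online before `fmri` can start."""
    seen, stack = set(), [fmri]
    while stack:
        for dep in graph.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def start_order(graph):
    """Kahn's algorithm: a valid start order, or ValueError naming a cycle."""
    remaining = {n: set(d) for n, d in graph.items()}
    ready = deque(sorted(n for n, d in remaining.items() if not d))
    order = []
    while ready:
        n = ready.popleft()
        order.append(n)
        for other, deps in remaining.items():
            if n in deps:
                deps.discard(n)
                if not deps:
                    ready.append(other)
    stuck = sorted(n for n, d in remaining.items() if d)
    if stuck:  # every node left still waits on another: the deadlock case
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def has_cycle(graph):
    try:
        start_order(graph)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    g = build_graph(MANIFESTS)
    print(start_order(g))
    # Model the reply's deadlock: the server needs gethostbyname(), which
    # the LDAP naming service (ldap/client) would answer from the server.
    g["svc:/site/ldap/directory_server"].add("svc:/network/ldap/client")
    print("cycle:", has_cycle(g))
```

Run it against the real files under /var/svc/manifest (assumption: same element layout) to confirm ldap/client transitively waits on ds_admin as well as directory_server; the cycle branch is what a naming-service-on-the-same-host setup turns into at boot.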
Portal and Netscape LDAP server integration
Hi,
I am trying to integrate Netscape LDAP server (6.0) with portal server 7, but
having lots of trouble doing that.
I've followed the instructions in the developer guide and completed the following
steps:
1. added a CustomRealm named defaultLDAPRealmForNetscapeDirectoryServer in config.xml
and modified the entries to fit my environment.
2. Deployed ldapprofile.jar and customized the env variables.
After these two steps, nothing happened. Then I did the third step:
3. added an iPlanet Authenticator to the realm CompatibilityRealm, which is my
default realm for the server.
However, after step 3, I wasn't able to boot weblogic server. Please note I have
created two users, system and weblogic, in my LDAP server.
I copied the stack trace below. Any suggestions will be greatly appreciated.
Weiguo
C:\prog\bea\user_projects\portalDemoDomain>"C:\prog\bea\jdk131_03\bin\java" -hotspot
-Xms128m -Xmx128m -XX:MaxPermSize=128m -Dcommerce.properties="C:\prog\bea\weblogic700\portal\weblogiccommerce.properties"
-Dweblogic.Name=portalDemoServer
-Dbea.home="C:\prog\bea" -Dweblogic.management.username= -Dweblogic.management.p
assword= -Dweblogic.ProductionModeEnabled=true -Dweblogic.management.discover=fa
lse -Djava.security.policy=="C:\prog\bea\weblogic700\server\lib\weblogic.policy"
weblogic.Server
<Nov 4, 2002 1:18:45 PM EST> <Info> <Security> <090065> <Getting boot identity
from user.>
Enter username to boot WebLogic server:weblogic
Enter password to boot WebLogic server:
Starting WebLogic Server...
<Nov 4, 2002 1:19:06 PM EST> <Notice> <Management> <140005> <Loading configuration
C:\prog\bea\user_projects\portalDemoDomain\.\config.xml>
<Nov 4, 2002 1:19:21 PM EST> <Notice> <Security> <090093> <No configuration data
was found on server portalDemoServer for realm CompatibilityRealm.>
<Nov 4, 2002 1:19:21 PM EST> <Notice> <Security> <090082> <Security initializing
using realm CompatibilityRealm.>
<Nov 4, 2002 1:19:21 PM EST> <Critical> <WebLogicServer> <000364> <Server failed
during initialization. Exception:java.lang.SecurityException: Authentication for
user weblogic denied
java.lang.SecurityException: Authentication for user weblogic denied at
weblogic.security.service.SecurityServiceManager.doBootAuthorization(
SecurityServiceManager.java:1028)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
erviceManager.java:1166)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:697)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:589)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:277)
at weblogic.Server.main(Server.java:32)
>
<Nov 4, 2002 1:19:21 PM EST> <Emergency> <WebLogicServer> <000342> <Unable to
in
itialize the server: Fatal initialization exception
Throwable: java.lang.SecurityException: Authentication for user weblogic denied
java.lang.SecurityException: Authentication for user weblogic denied
at weblogic.security.service.SecurityServiceManager.doBootAuthorization(
SecurityServiceManager.java:1028)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
erviceManager.java:1166)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:697)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:589)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:277)
at weblogic.Server.main(Server.java:32)
>
The WebLogic Server did not start up properly.
Exception raised:
java.lang.SecurityException: Authentication for user weblogic denied
at weblogic.security.service.SecurityServiceManager.doBootAuthorization(
SecurityServiceManager.java:1028)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
erviceManager.java:1166)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:697)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:589)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:277)
at weblogic.Server.main(Server.java:32)
Reason: Fatal initialization exception
Throwable: java.lang.SecurityException: Authentication for user weblogic denied
java.lang.SecurityException: Authentication for user weblogic denied
at weblogic.security.service.SecurityServiceManager.doBootAuthorization(
SecurityServiceManager.java:1028)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
erviceManager.java:1166)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:697)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:589)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:277)
at weblogic.Server.main(Server.java:32)
Thanks a lot Scott. I followed your instructions and got it working to a certain degree. I am pretty happy about the results.
There are still a few issues:
1. I had to create groups and users in my directory server in order to boot up and log on to the server. This is expected, but is it possible to export these user/group settings from the embedded LDAP server so that I can import them into my directory server? Currently, the only way is manual and it's error prone. A lot of trial and error has to happen to get there.
2. It seems that using Netscape LDAP server only allows read-only access. This means we have to create new users/groups outside of the portal server, and one other side effect is that self-registration is impossible, unless we use custom security providers. Is this assessment correct? Since LDAP integration is so important, wouldn't it be nice if BEA had that built-in and all we needed to do was switch to it and configure it?
3. I got duplicate users and groups in compatibility security. Obviously, one set is from my LDAP server and the other is from the embedded one. I tried to remove the embedded LDAP authenticator, but the duplicates are still there. How can I get rid of the duplicates? I only want the ones from my LDAP server.
Thanks again Scott.
Weiguo
Scott Dunbar <[email protected]> wrote:
Weiguo,
WLP 7.0 uses a compatibility realm only and will not work with the
custom realm that you created for the Netscape directory server.
Configuring an LDAP compatibility realm isn't too bad and its
configuration is much like 4.0. However, it can be hard to configure
initially from the console. One way is to shut your server down and
modify config.xml directly - but make sure you make a backup copy first!
Then add something like:
<CachingRealm BasicRealm="myRealm" CacheCaseSensitive="true"
Name="wlcsCachingRealm"/>
<CustomRealm
ConfigurationData="user.filter=(&(uid=%u)(objectclass=person));
user.dn=ou=people,dc=beasys,dc=com;
server.principal=uid=dirmanager,ou=people,dc=beasys,dc=com;
membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquenames));
group.filter=(&(cn=%g)(objectclass=groupofuniquenames));
server.host=somehost.beasys.com;
group.dn=ou=groups,dc=beasys,dc=com"
Name="myRealm" Password="your_password_here"
RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"/>
will enable your LDAP server. After this is set up it will be much
easier to configure via the console. Obviously you'll need to update
the parameters above for your configuration.
scott dunbar bea systems,
inc.
[email protected] boulder, co
303 998 2125 usa -
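An added example for Scott's config.xml snippet above; it is not WebLogic code and not part of his reply. The ConfigurationData attribute is a single string of key=value pairs separated by semicolons, where the values themselves contain '=' (DNs and filters), and user.filter, group.filter and membership.filter carry %u, %g and %M placeholders. The Python below parses that string and fills the placeholders the way any code substituting a login name into a filter must: with RFC 4515 escaping, so that a name containing *, ( or ) cannot change the query. The function names are assumptions for the example; how WebLogic's own LDAPRealm performs the substitution is not shown or claimed here.

```python
"""Parse an LDAPRealm ConfigurationData string and build escaped search filters."""

# Constructed from the ConfigurationData in the reply above (values verbatim).
CONFIGURATION_DATA = """user.filter=(&(uid=%u)(objectclass=person));
user.dn=ou=people,dc=beasys,dc=com;
server.principal=uid=dirmanager,ou=people,dc=beasys,dc=com;
membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquenames));
group.filter=(&(cn=%g)(objectclass=groupofuniquenames));
server.host=somehost.beasys.com;
group.dn=ou=groups,dc=beasys,dc=com"""


def parse_configuration_data(text):
    """Split 'key=value;' pairs on ';' only; split each pair on its FIRST '='.

    Values such as DNs and filters contain further '=' characters, so a
    naive split('=') would truncate them.
    """
    config = {}
    for item in text.replace("\n", "").split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        config[key.strip()] = value.strip()
    return config


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    Backslash, '*', '(', ')' and NUL become '\\xx' hex escapes, so a login
    name can only ever match literally and cannot widen or rewrite the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def user_search_filter(config, username):
    return config["user.filter"].replace("%u", escape_filter_value(username))


def group_search_filter(config, groupname):
    return config["group.filter"].replace("%g", escape_filter_value(groupname))


def membership_search_filter(config, member_dn):
    # %M is a full DN; it still needs escaping before it goes into a filter.
    return config["membership.filter"].replace("%M", escape_filter_value(member_dn))


if __name__ == "__main__":
    cfg = parse_configuration_data(CONFIGURATION_DATA)
    print(cfg["server.host"], cfg["server.principal"])
    print(user_search_filter(cfg, "weblogic"))
    print(user_search_filter(cfg, "*"))  # wildcard is neutralised
```

Two things to check in your own config.xml after adapting the snippet: the Password attribute is stored in the file, so it should belong to a read-only proxy account (like the proxyagent bind DNs elsewhere on this page) rather than the directory manager that the sample server.principal names, and user.dn and group.dn should be the narrowest subtrees that hold your portal users and groups.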
Solaris 10 client - ldap_search: Can't connect to LDAP server
Hello
I have following configuration:
- openLDAP server in Solaris 10 zone called ldap
- native LDAP client in different Solaris 10 zone called mail on the same SPARC machine
I can't get ldapsearch results after ldapclient initialization.
[root@mail ~]# ldapsearch -b dc=pov,dc=pl objectclass=*
ldap_search: Can't connect to the LDAP server - Connection refused
But I am able to get data from LDAP server if address of the server is specified:
[root@mail ~]# ldapsearch -b dc=pov,dc=pl -h 192.168.1.40 objectclass=*
version: 1
dn: ou=users,dc=pov,dc=pl
objectClass: organizationalUnit
ou: Users
Here is ldapclient config:
[root@mail ~]# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 192.168.1.40
NS_LDAP_SEARCH_BASEDN= dc=pov,dc=pl
NS_LDAP_AUTH= none
NS_LDAP_CACHETTL= 0
What am I missing?
Hi, I'm no expert but I will try to help you. Are you still working on this?
This what my stuff looks like:
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=deathnote,dc=net
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= 10.0.1.21:389
NS_LDAP_SEARCH_BASEDN= dc=deathnote,dc=net
NS_LDAP_AUTH= none
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
[root@light migration]# cat user00.ldif
dn: uid=user00,ou=People,dc=deathnote,dc=net
uid: user00
cn: user00
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 805
gidNumber: 501
homeDirectory: /home/user00
gecos: ldap user
Also update your hosts file and add your server to the domain.
I hope this helps.
Edited by: CyberNinja on Oct 22, 2011 12:37 PM -
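An added example following CyberNinja's post (not his code): a small Python LDIF reader that parses an entry like user00.ldif above and checks it for what a Solaris passwd lookup through ldapclient needs, namely the posixAccount class, the required attributes, a DN under NS_LDAP_SEARCH_BASEDN, numeric ids, and a uid matching the RDN. It also flags uidNumber 0, so a directory entry cannot quietly map to root on every client. The search base argument, the function names and the extra checks are assumptions for the example.

```python
"""Parse one LDIF entry and check it is usable as a Solaris posixAccount."""
import base64

# Constructed copy of the user00.ldif entry from the post above.
USER_LDIF = """dn: uid=user00,ou=People,dc=deathnote,dc=net
uid: user00
cn: user00
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 805
gidNumber: 501
homeDirectory: /home/user00
gecos: ldap user
"""

# Attributes a passwd lookup needs; attribute names are case-insensitive.
REQUIRED_POSIX = ("uid", "cn", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif_entry(text):
    """Return (dn, {lowercased attr: [values]}) for a single LDIF entry.

    Handles comment lines, folded continuation lines (leading space) and
    base64 values written as 'attr:: <b64>'.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous line
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):  # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def check_posix_account(dn, attrs, search_base):
    """Return a list of problems; an empty list means the entry should resolve."""
    problems = []
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if "posixaccount" not in classes:
        problems.append("missing objectClass posixAccount")
    for attr in REQUIRED_POSIX:
        if attr.lower() not in attrs:
            problems.append("missing " + attr)
    if not dn.lower().endswith("," + search_base.lower()):
        problems.append("dn is outside search base " + search_base)
    rdn_value = dn.split(",", 1)[0].partition("=")[2]
    if rdn_value not in attrs.get("uid", []):
        problems.append("rdn value does not match uid attribute")
    for attr in ("uidnumber", "gidnumber"):
        if attr in attrs and not attrs[attr][0].isdigit():
            problems.append(attr + " is not numeric")
    if attrs.get("uidnumber", [""])[0] == "0":
        problems.append("uidNumber 0 (root) in LDAP")
    return problems


if __name__ == "__main__":
    dn, attrs = parse_ldif_entry(USER_LDIF)
    print(dn, check_posix_account(dn, attrs, "dc=deathnote,dc=net"))
```

Run the check against each entry before ldapadd; an entry that passes here but still does not resolve points at the client side (NS_LDAP_SEARCH_BASEDN, the service search descriptors, or the hosts entry the post mentions) rather than at the data.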
Novell-named failed to start / 2nd DSFW server
Posting this here in case anyone else runs into this, as it took me some tinkering to figure out.
I was busy installing a 2nd DSFW server and ran into a named error during the provisioning where it would start successfully but fail in the 'is it really running' check.
When manually starting novell-named it gives a successful start but then exits after a second or so.
When checking /etc/opt/novell/named/ it turned out that there was no named.conf even after configuring the dns server from imanager.
/var/opt/novell/log/named/named.run had:
07-Mar-2012 16:26:07.277 general: main: notice: starting BIND 9.3.2 -u named
07-Mar-2012 16:26:07.319 general: dns/db: critical: Unable to login Error code:-223
07-Mar-2012 16:26:07.320 general: dns/db: critical: Failed to load RRs of rootserver zone with error -112
07-Mar-2012 16:26:07.320 general: dns/hints: warning: Loading Root data from directory Failed
07-Mar-2012 16:26:07.321 general: server: info: loading configuration from '/etc/opt/novell/named/named.conf'
07-Mar-2012 16:26:07.321 config: isccfg/parser: error: none:0: open: /etc/opt/novell/named/named.conf: file not found
07-Mar-2012 16:26:08.359 general: dns/db: critical: Unable to login Error code:-223
07-Mar-2012 16:26:08.359 network: interfacemgr: info: dns_edir_get_multival has returned error inside store_dnsserver_ip_address:25
07-Mar-2012 16:26:08.359 network: interfacemgr: error: Error occured while updating the IP list of the DNS server object:25
07-Mar-2012 16:26:08.359 general: server: critical: loading configuration: file not found
07-Mar-2012 16:26:08.359 general: server: critical: exiting (due to fatal error)
What I ended up doing was copying the options { } section from the already up and running DSFW server into the new one and adjusting the eDir object names; after that novell-named would start and keep running.
It was however still giving login errors in the logfile. After remembering it used the server's commonproxy user, I ran '/opt/novell/proxymgmt/bin/change_proxy_pwd.sh -A yes' (you can find this in crontab already), and then everything started to work for real after restarting novell-named.
Somewhere along the line it lost the correct password for the proxy user, but there is hardly any indication of this; it gave me enough searching around to post this :-)
The manual creation of the named.conf file is *probably* not needed, but mentioning it just in case.
Also, it is safe to ignore the 'unable to authenticate to ldap with <insert AD with DC= credentials here>' error you get when the eDir LDAP server you are using to install eDir is not a DSFW server; this gave me a 'hmmmm' moment too.
It most likely is a problem with the CASA credential. It could be that the credentials are there but there is a mismatch with the Common Proxy user's password.
You can verify the common proxy user's password with
common-proxy-casa-repair-tool
Then run the novell-dns-casa-repair-tool to sync up the dns casa keys with the correct credentials. -
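An added example for the novell-named thread above (not the poster's or Novell's code): Python that parses the named.run excerpt into timestamp, category, module, level and message, then counts the two signatures the thread worked out, the eDirectory login failure with error -223 that points at the common proxy credential, and the missing named.conf. It also returns the first critical record, which here is the login failure rather than the missing file, so the proxy password problem the poster says is hardly indicated is the first thing you read. The log text is constructed from the lines in the post; the signature labels and function names are assumptions.

```python
"""Parse a novell-named named.run excerpt and classify the failure."""
import re

# Constructed from the named.run lines quoted in the post above.
NAMED_RUN = """07-Mar-2012 16:26:07.277 general: main: notice: starting BIND 9.3.2 -u named
07-Mar-2012 16:26:07.319 general: dns/db: critical: Unable to login Error code:-223
07-Mar-2012 16:26:07.320 general: dns/db: critical: Failed to load RRs of rootserver zone with error -112
07-Mar-2012 16:26:07.320 general: dns/hints: warning: Loading Root data from directory Failed
07-Mar-2012 16:26:07.321 general: server: info: loading configuration from '/etc/opt/novell/named/named.conf'
07-Mar-2012 16:26:07.321 config: isccfg/parser: error: none:0: open: /etc/opt/novell/named/named.conf: file not found
07-Mar-2012 16:26:08.359 general: dns/db: critical: Unable to login Error code:-223
07-Mar-2012 16:26:08.359 network: interfacemgr: info: dns_edir_get_multival has returned error inside store_dnsserver_ip_address:25
07-Mar-2012 16:26:08.359 network: interfacemgr: error: Error occured while updating the IP list of the DNS server object:25
07-Mar-2012 16:26:08.359 general: server: critical: loading configuration: file not found
07-Mar-2012 16:26:08.359 general: server: critical: exiting (due to fatal error)
"""

# BIND-style line: "<timestamp> <category>: <module>: <level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[^:]+): (?P<module>[^:]+): (?P<level>[^:]+): (?P<msg>.*)$"
)

# Signatures from the thread; the labels are assumptions made for this example.
SIGNATURES = {
    "proxy-credential": re.compile(r"Unable to login Error code:-223"),
    "missing-named-conf": re.compile(r"named\.conf: file not found"),
}


def parse_named_log(text):
    """Return one dict per well-formed log line (malformed lines are skipped)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def first_critical(records):
    """The earliest critical record: the root cause usually sits here."""
    for rec in records:
        if rec["level"] == "critical":
            return rec
    return None


def diagnose(records):
    """Count signature hits and note whether the daemon gave up."""
    result = {name: 0 for name in SIGNATURES}
    for rec in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["msg"]):
                result[name] += 1
    result["fatal_exit"] = any(
        rec["level"] == "critical" and rec["msg"].startswith("exiting")
        for rec in records
    )
    return result


if __name__ == "__main__":
    recs = parse_named_log(NAMED_RUN)
    print(first_critical(recs)["msg"])
    print(diagnose(recs))
```

A non-zero proxy-credential count says to go to the common-proxy-casa-repair-tool and novell-dns-casa-repair-tool steps in the reply before touching named.conf; the missing-named-conf count on its own would point at the iManager configuration step instead.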
Software Update without being logged in through LDAP
Can you configure a computer to use the software update even though its logged into a local user but the directory is setup in the directory utility?
Or does a user have to be logged in through the LDAP?
Hi
Yes. Push the preference out using Computer groups. Make sure (as you've stated) the computer is joined to the LDAP node using the LDAPv3 plug-in (/Applications/Directory Utility). Make sure the LDAP Server is listed in the search order.
WGM > Computer Groups. Create a Computer Groups select Members click the diaresis button and you should see the bound hardware. Select it and add it to the Group. Define the necessary preference from there.
Tony -
How to change LDAP server setting in Access Manager 6.2
Hi,
We have initially set authentication as a SunONE Directory Server 5.1 (master DS1) in Sun Java System Access Manager 6.2. In both /etc/opt/SUNWam/config/serverconfig.xml
/etc/opt/SUNWam/config/AMConfig.properties
conf files, DS1 was set initially. Also on console's Service Configuration ->LDAP->Primary LDAP Server was set as "DS1"
Now the problem is that I am not able to change the DS1 to the other master "DS2". I set DS2 in both above conf files and also the Service Configuration page as Primary LDAP Server. I restarted the server. When I stopped the DS1, I couldn't login access manager console with any user. It looks like it is still trying to get authentication from DS1.
Does anybody know what I am missing here?
Regards,
After hopeless tries, I finally made it work ;) The trick was actually updating the sunKeyValue attribute of the entry:
"dn:ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthLDAPService,ou=services,dc=company,dc=com" in one of the master DSes I have.
Even though I set DS2 and loadBalancer hosts in all conf files and in Primary LDAP conf in amconsole's Service Configuration, it just didn't work until I inserted loadBalancer host in sunKeyValue attribute.
Hope it helps to someone....
-Bora