Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test Perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
3 years, 6 months
Re: [389-users] get base dn from ldapsearch
by Angel Bosch Mora
> Maybe I am understanding this wrong but could you not just check in
> the config what the search base is set to on the client side? What is
> the problem you are trying to solve?
>
Yes, you're right. I can just take a look at ldap.conf, but there are several places to look:
- Debian/Ubuntu uses /etc/ldap/ldap.conf
- RHEL/CentOS uses /etc/openldap/ldap.conf
- custom compilations can use any path, e.g. /usr/local/ldap/ldap.conf
- Windows OpenLDAP uses... I don't really know :P
So what I'm trying to do is resolve the configured base without knowing anything about the client.
For example, this command gives me the server even if I don't know anything about the conf:
ldapsearch -d1 -x -LLL "(uid=example)" uid 2>&1 | grep ldap_connect_to_host
I'm just a little bit surprised that I can't find any debuglevel that gives me the BASE.
abosch
12 years, 8 months
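An added example, not part of the original post: a shell helper that reports the BASE an OpenLDAP client would end up with by checking the system paths listed in the post. It goes beyond the post by also applying the per-user files and environment variables documented in ldap.conf(5). The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report the BASE an OpenLDAP client
# would use, whichever layout the host has. Function names are hypothetical.

# Print the last BASE value set in one file; the keyword is case-insensitive.
base_from_file() {
    [ -f "$1" ] && [ -r "$1" ] || return 0
    awk 'toupper($1) == "BASE" { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
         END { if (v != "") print v }' "$1"
}

# Usage: ldap_effective_base [system-conf ...]
# With no arguments, the three system paths named in the post are tried.
ldap_effective_base() {
    # LDAPNOINIT set (even to empty) makes libldap skip all defaults.
    [ -z "${LDAPNOINIT+set}" ] || return 0
    if [ "$#" -eq 0 ]; then
        set -- /etc/ldap/ldap.conf /etc/openldap/ldap.conf \
               /usr/local/ldap/ldap.conf
    fi
    rc=${LDAPRC:-}
    result=""
    # ldap.conf(5) order: system file, user files, $LDAPCONF, $LDAPRC files.
    # Later sources override earlier ones, so keep the last value seen.
    for f in "$@" "$HOME/ldaprc" "$HOME/.ldaprc" ./ldaprc "${LDAPCONF:-}" \
             ${rc:+"$HOME/$rc"} ${rc:+"$HOME/.$rc"} ${rc:+"./$rc"}; do
        v=$(base_from_file "$f")
        if [ -n "$v" ]; then result=$v; fi
    done
    # The LDAPBASE environment variable overrides every file.
    if [ -n "${LDAPBASE:-}" ]; then result=$LDAPBASE; fi
    if [ -n "$result" ]; then printf '%s\n' "$result"; fi
    return 0
}
```

libldap reads only the one system path it was compiled with, so on a host where more than one of the candidate files exists, pass the correct one as an argument instead of relying on the default list.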
issues with 1.2.7.5
by Robert Viduya
I'm having problems trying to get a clean install of 1.2.7.5 working. We're running RHEL5 and I have the EPEL5.4 repositories configured on it. Yum installed the following when I installed 389-ds:
389-admin.x86_64 1.1.13-1.el5 installed
389-admin-console.noarch 1.1.5-1.el5 installed
389-admin-console-doc.noarch 1.1.5-1.el5 installed
389-adminutil.x86_64 1.1.8-4.el5 installed
389-console.noarch 1.1.4-1.el5 installed
389-ds.noarch 1.2.1-1.el5 installed
389-ds-base.x86_64 1.2.7.5-1.el5 installed
389-ds-base-devel.x86_64 1.2.7.5-1.el5 installed
389-ds-console.noarch 1.2.3-1.el5 installed
389-ds-console-doc.noarch 1.2.3-1.el5 installed
389-dsgw.x86_64 1.1.5-1.el5 installed
idm-console-framework.noarch 1.1.5-4.el5 installed
After installation, I ran /usr/sbin/setup-ds-admin.pl to set up the initial configuration. Immediately after that, if I run 389-console, login as "cn=Directory Manager", navigate to "Directory Server" window and then try to open the "Configuration" tab, I get a dialog box that says: "Insufficient Permissions / The user cn=Directory Manager does not have permission to perform this operation.". Clicking the OK button gets me a new login window, but re-entering the Directory Manager credentials doesn't do anything. All I get is a blank page instead of what's supposed to be under the Configuration tab.
I've done the install a few times already to make sure I wasn't messing things up. There's nothing out of the ordinary in either the admin server error log or the directory server error log. The directory server access log shows only a few err=32, all under "ou=Global Preferences", which is probably expected on a completely new install.
The terminal window I ran 389-console in shows a Java stack trace, but only after I click past the error dialog box:
Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
at com.netscape.admin.dirserv.panel.ServerSettingsPanel$ReferralText.show(Unknown Source)
at com.netscape.admin.dirserv.panel.DSEntrySet.getAttributes(Unknown Source)
at com.netscape.admin.dirserv.panel.DSEntrySet.show(Unknown Source)
at com.netscape.admin.dirserv.panel.BlankPanel.refresh(Unknown Source)
at com.netscape.admin.dirserv.panel.BlankPanel.select(Unknown Source)
at com.netscape.admin.dirserv.panel.ContainerPanel.stateChanged(Unknown Source)
at javax.swing.JTabbedPane.fireStateChanged(JTabbedPane.java:417)
at javax.swing.JTabbedPane$ModelListener.stateChanged(JTabbedPane.java:270)
at javax.swing.DefaultSingleSelectionModel.fireStateChanged(DefaultSingleSelectionModel.java:133)
at javax.swing.DefaultSingleSelectionModel.setSelectedIndex(DefaultSingleSelectionModel.java:67)
at javax.swing.JTabbedPane.setSelectedIndexImpl(JTabbedPane.java:616)
at javax.swing.JTabbedPane.setSelectedIndex(JTabbedPane.java:591)
at javax.swing.JTabbedPane.insertTab(JTabbedPane.java:730)
at javax.swing.JTabbedPane.addTab(JTabbedPane.java:797)
at com.netscape.admin.dirserv.panel.DSTabbedPanel.addTab(Unknown Source)
at com.netscape.admin.dirserv.panel.RootPanel.<init>(Unknown Source)
at com.netscape.admin.dirserv.node.RootResourceObject.getCustomPanel(Unknown Source)
at com.netscape.management.client.ResourceModel.getCustomPanel(Unknown Source)
at com.netscape.management.client.ResourcePage.valueChanged(Unknown Source)
at javax.swing.JTree.fireValueChanged(JTree.java:2826)
at javax.swing.JTree$TreeSelectionRedirector.valueChanged(JTree.java:3197)
at javax.swing.tree.DefaultTreeSelectionModel.fireValueChanged(DefaultTreeSelectionModel.java:646)
at javax.swing.tree.DefaultTreeSelectionModel.notifyPathChange(DefaultTreeSelectionModel.java:1095)
at javax.swing.tree.DefaultTreeSelectionModel.setSelectionPaths(DefaultTreeSelectionModel.java:304)
at javax.swing.JTree.setSelectionPaths(JTree.java:1616)
at javax.swing.JTree.setSelectionRows(JTree.java:1689)
at javax.swing.JTree.setSelectionRow(JTree.java:1664)
at com.netscape.management.client.ResourcePage.pageSelected(Unknown Source)
at com.netscape.admin.dirserv.DSResourcePage.pageSelected(Unknown Source)
at com.netscape.management.client.Framework$TabChangeListener.stateChanged(Unknown Source)
at javax.swing.JTabbedPane.fireStateChanged(JTabbedPane.java:417)
at javax.swing.JTabbedPane$ModelListener.stateChanged(JTabbedPane.java:270)
at javax.swing.DefaultSingleSelectionModel.fireStateChanged(DefaultSingleSelectionModel.java:133)
at javax.swing.DefaultSingleSelectionModel.setSelectedIndex(DefaultSingleSelectionModel.java:67)
at javax.swing.JTabbedPane.setSelectedIndexImpl(JTabbedPane.java:616)
at javax.swing.JTabbedPane.setSelectedIndex(JTabbedPane.java:591)
at javax.swing.plaf.basic.BasicTabbedPaneUI$Handler.mousePressed(BasicTabbedPaneUI.java:3631)
at java.awt.Component.processMouseEvent(Component.java:6105)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3267)
at java.awt.Component.processEvent(Component.java:5873)
at java.awt.Container.processEvent(Container.java:2105)
at java.awt.Component.dispatchEventImpl(Component.java:4469)
at java.awt.Container.dispatchEventImpl(Container.java:2163)
at java.awt.Component.dispatchEvent(Component.java:4295)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4461)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4122)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4055)
at java.awt.Container.dispatchEventImpl(Container.java:2149)
at java.awt.Window.dispatchEventImpl(Window.java:2478)
at java.awt.Component.dispatchEvent(Component.java:4295)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:604)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:275)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:200)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:190)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:185)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:177)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:138)
13 years
Re: [389-users] Sync AD with 389-DS Unable to parse response
by Rich Megginson
> Date:
> Fri, 21 Jan 2011 10:25:56 +0100
> To:
> "General discussion list for the 389 Directory server project."
> <389-users(a)lists.fedoraproject.org>
>
>
> Hi Rich,
>
> Thanks for this useful link.
>
> I have successfully initiated replica between Windows AD and my server
> 389-DS. Ldapsearch is working. But even if everything seems to be ok,
> the update does not work and I do not see any error in the log
> files... So, my AD server stays empty, the accounts are not migrated...
>
> Here you have my access log file which is more verbose...
> (mydomain.com <http://mydomain.com> for the example) :
<snip>
> Obviously I am connecting to the server 389-DS itself whereas it can
> resolve the DNS name of my Windows server... There is no error in the
> AD event viewer while I could see errors on it when it was
> misconfigured (like DirSync errors)... So, basically, the Windows
> server is contacted to my DS-Server over 2 different networks.
>
> Do you think I have to open the ports described in my message ?
>
> -Regards.
I don't know. There is no winsync information in the access log. Note
that the access log records client accesses to the directory server, and
in winsync, the directory server itself acts as a client to AD, so
winsync will log nothing in the access log. The errors log could be
helpful, and especially using the replication log level (which is also
used for winsync logging). The Windows Event Viewer is useless for
winsync issues.
13 years, 1 month
Re: [389-users] Replication with 1.2.7.5
by Rich Megginson
> Hi all,
> I compiled, built and installed the 389 DS 1.2.7.5 release.
> I tried to configure a mm scenario (by using my customized
> administration application, which works with any 1.1.x release).
Have you successfully used it with any 1.2.x release?
> When I initialize the agreement, nothing happens and I do not see any
> logs in errors, although I changed the error log level to 8192.
> My application creates the cn=changelog5, cn=config entry as well as
> the cn=replica entry and the agreement cn=<agreement>,cn=replica entry
> underneath the cn=<suffix>,cn=mapping tree, cn=config entry.
> Did the administration of replication (and agreements) change?
No - can you post excerpts from your access logs showing the operations
that add these entries, along with the results of those operations?
There is nothing in the error log showing any problems?
> Thanks,
> -Reinhard
13 years, 1 month
"onewaysync" attr.
by Juan Carlos Camargo
Hi everyone,
I'm working with the new attribute "onewaysync" to manage replication
between our AD domain and 389ds. To start with, I've created a Windows
repl. agreement, then set that attribute to the value "fromWindows". So far
it seems to work. My question is, which method do you find better, in order
to protect the Active Directory objects from potential modifications
made by 389?
a) Use a proxy user for the repl. agreement with tailored permissions?
If so, which permissions are you using?
b) Leave it as such, without the "onewaysync" attr. Besides, it is a
consumer replica, so by design it wasn't meant to send updates.
Which other choices do you have in mind or have already implemented? And
finally, is there a way to select a subset of Windows attributes to be
sync'd to 389?
Regards!!
13 years, 1 month
Mapping AD names to unix names
by Zebee Johnstone
I want to, amongst other things, query our Active Directory server for passwords. So use 389 as a directory server (using NIS scheme and netgroups) with AD passwords.
Problem is... our AD uses usernames of First Last and a Kerberos principal of first.last, whereas the Unix (Linux, AIX, HPUX, Solaris) boxes use 8-char usernames.
The password sync stuff I've seen isn't very clear. Does the AD samAccountName have to be the same as the unix username? Or is there somewhere on 389 or on AD where I can do a lookup?
This http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Admin... seems to say there's a field ntUserDomainId that would do that job, is that used in the sync?
Is there any documentation on setting this up?
Zebee
13 years, 1 month
MultiMaster with SSL
by Jose Schenone
Hi, my name is Jose Schenone.
In the school of my children I installed 2 instances of 389-DS
configured as multimaster. Both work perfectly, but I need to add a
little more security. For it I was following the link
http://directory.fedoraproject.org/wiki/Howto:SSL but I'm not able to
understand how to apply to both instances.
Is there a tutorial on how to do this operation with 2
multimasters and SSL?
Thank you very much!
--
Jose Maria Schenone
http://schenone.com.ar
13 years, 1 month
RHEL6 support
by Aaron Hagopian
It looks like EPEL is now stable on RHEL6 but I do not see any 389ds
packages in the epel or epel-testing repos. Any idea when that is
happening? I'm setting up a new machine and wanted to start using RHEL6 if
possible to take advantage of some of the new fun features of RHEL6.
Thanks for all your hard work, 389ds is great!
Sincerely,
Aaron Hagopian
13 years, 1 month
Re: [389-users] RHEL6 support
by Maurice James
Isn't it possible to use Red Hat Directory Service?
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Aaron
Hagopian
Sent: Wednesday, January 26, 2011 2:25 PM
To: General discussion list for the 389 Directory server project.
Subject: [389-users] RHEL6 support
It looks like EPEL is now stable on RHEL6 but I do not see any 389ds
packages in the epel or epel-testing repos. Any idea when that is
happening? I'm setting up a new machine and wanted to start using RHEL6 if
possible to take advantage of some of the new fun features of RHEL6.
Thanks for all your hard work, 389ds is great!
Sincerely,
Aaron Hagopian
13 years, 1 month