Hello James,
thanks for replying and giving us your opinion. Sometimes I thought I was the only person who has the problem you're talking about. I am in the same dilemma as you are: using SLES11 /w SP1 and having a non-working Solaris native LDAP client, or downgrading to SLES1 /wo SP1 but using a rather outdated version of OpenLDAP 2.4.12 that seems to work with the Solaris LDAP client and your Outlook 2003 client.
The problem is, Novell won't release any package changes in endless time, probably for SP2 at the earliest point in time. To get/keep it working you have to stay on the older version and I have to downgrade. This is a quite annoying state of a problem we have here.
I'll point out the problem to my boss, maybe there is something I can do about it, but for my own laziness, I don't want to regularly check for/download/recompile the OpenLDAP package in the lifetime of the server to fix some particular security issues.
So what are we going to do in the meantime? At my site, everything except listing of user/groups is working on the client side, not that big of an issue, but that's also true for dynamic lists that I wanted to use and that's a big issue. :/
How is your state and how big is the problem?
Bye, Benjamin.
PS: Dieter, I tried to get the list of supported controls from the server via the Solaris client, but had no luck.
On Thu, Oct 28, 2010 at 17:54, James Bagley Jr james.bagley@state.or.us wrote:
Benjamin,
We have a similar problem where upgrading to OpenLDAP 2.4.20 on SLES 11 causes Outlook 2003 clients to not work right with an ldap address book on OpenLDAP. Microsoft has this documented here:
http://support.microsoft.com/kb/555536
In this case, the reg hack works.
I can't say whether the actual issue is Outlook's (or Solaris Native LDAP in your case) misuse of this server side control or the sssvlv overlay. Regardless of the root cause, I don't *need* the server side controls provided by the sssvlv overlay and would just as soon disable it.
Unfortunately, Novell does not compile OpenLDAP overlays as modules in their SuSE Linux distribution so the overlay can't be disabled. I am in the same position that it seems a lot of people are with being unable to compile OpenLDAP myself without losing the paid-for Novell support. We have already contacted Novell, explained our position, and asked for them to change their configuration of this package. It seems as though they might be more likely to do so if several customers contact them.
Hope that helps,
James Bagley Jr
On 10/28/10 7:04 AM, "Benjamin Griese" der.darude@gmail.com wrote:
While further searching the web I found this nice summary of how to debug a Solaris 10 Native LDAP client or, more generally, what is necessary to know if you want to work with the Solaris native LDAP client.
http://wiki.genunix.org/wiki/index.php/Native_LDAP_Product_Support_Document#... at_are_the_requirements_for_Directory_server_to_support_Solaris_Native_LDAP_cl ients.3F
I am a little bit concerned about the VLV support of OpenLDAP, I don't know how to disable this feature without compiling my own packages and disabling it by configure.
This discussion is about disabling VLV to be able to work with the solaris native ldap client and AD: http://old.nabble.com/Solaris-native-ldap-client-to-Windows-Active-Directory... Netgroups-don't-work-because-of-control-critical-statement-tt23075436.html#a23 075436
Can somebody agree to that problem with VLVs and the solaris native ldap client?
Thanks and bye.
On Thu, Oct 28, 2010 at 15:12, Benjamin Griese der.darude@gmail.com wrote:
Correction: -w <passwd> or -w - instead of -W
On Thu, Oct 28, 2010 at 15:02, Benjamin Griese der.darude@gmail.com wrote:
Hello Günther,
sorry for my late reply, I hate sun cluster panics after patching those beasts. :(
Here is the content of solaris_profile:
dn: cn=solaris_profile,ou=profile,dc=example,dc=de
objectClass: DUAConfigProfile
objectClass: top
cn: solaris_profile
authenticationMethod: simple
bindTimeLimit: 10
credentialLevel: proxy
defaultSearchBase: dc=example,dc=de
defaultSearchScope: sub
defaultServerList: exampleldap01 exampleldap02 (syncrepl, configured to mirrormode)
followReferrals: FALSE
profileTTL: 3600
searchTimeLimit: 30
serviceSearchDescriptor: sudoers:ou=SUDOers,dc=example,dc=de?sub
serviceSearchDescriptor: group:ou=groups,dc=example,dc=de?sub
serviceSearchDescriptor: passwd:ou=people,dc=example,dc=de?sub

Regarding the sorting I found this in man ldapsearch:
"-F sep
Use sep as the field separator between attribute names and values. If this option has been specified, the -L option is ignored.
-S [-]attribute
Specify an attribute for sorting the entries returned by the search. The sort criteria is alphabetical on the attribute's value or reverse alphabetical with the form -attribute. You can give multiple -S options to refine the sorting, For example:
-S sn -S givenname
By default, the entries are not sorted. Use the -x option to perform server-side sorting."
If I use -x for server side sorting, I get the complete list of uid-Objects, but not sorted in any obvious way:
# ldapsearch -v -x -b dc=example,dc=de -h exampleldap01 -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
ldapsearch: started Thu Oct 28 12:16:49 2010
ldap_init( exampleldap01, 389 )
filter pattern: (uid=*)
returning: ALL
filter is: (uid=*)
version: 1

If I use this string I get the complete list of uid-objects sorted by uidNumber:
# ldapsearch -v -S uidnumber -b dc=example,dc=de -h exampleldap01 -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
ldapsearch: started Thu Oct 28 12:37:11 2010
ldap_init( exampleldap01, 389 )
filter pattern: (uid=*)
returning: ALL
filter is: (uid=*)
version: 1

If I try to search with -x and -S uidnumber I get the same message that appears in the OpenLDAP logfile:
# ldapsearch -v -x -S uidNumber -b dc=example,dc=de -h exampleldap01 -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
ldapsearch: started Thu Oct 28 12:25:50 2010
ldap_init( exampleldap01, 389 )
filter pattern: (uid=*)
returning: ALL
filter is: (uid=*)
ldap_search: Inappropriate matching
ldap_search: additional info: serverSort control: No ordering rule
ldap_parse_sort_control: Requested LDAP control not found
Finally I still have no clue how to prevent the client from doing these kinds of searches. And I couldn't find any templates regarding the ldapclient on my test machine.
Any other clues or ideas?
Bye, Benjamin.
On Sat, Oct 23, 2010 at 19:17, Dieter Kluenter dieter@dkluenter.de wrote:
Benjamin Griese der.darude@gmail.com writes:
Hey thanks for quick reply,
I put the config of the ldapclient on the ML some days ago, but I can't figure out how I may have set such a rule on client side. Probably it is something hardcoded.
ldapclient config:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyuser,ou=system,ou=people,dc=example,dc=de
NS_LDAP_BINDPASSWD= secret
NS_LDAP_SERVERS= ldap01
NS_LDAP_SEARCH_BASEDN= dc=example,dc=de
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 60
NS_LDAP_PROFILE= solaris_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=people,dc=example,dc=de?sub
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=example,dc=de?sub
NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=SUDOers,dc=example,dc=de?sub

That's all I set up, it's like defaultest of the defaultest I guess :)
And thanks for describing EQUALITY.
I must admit I am not that familiar with old Netscape tools, but the OpenLDAP log is quite clear, there is a request for a Server Side Sorting extended operation, which in fact is quite unusual. You really should check Solaris 10 setup for appropriate templates, i.e. what is the content of solaris_profile? By the way, AFAIR the flag for sss is -F so you may check any templates, Redhat provides these in /usr/share/dirsrv, Solaris might be different.
-Dieter
-- Dieter Klünter | Systemberatung sip: 7770535@sipgate.de http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6
-- To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is to do -- Sartre | Do be do be do -- Sinatra