
Re: Error 18: Solaris 10 Native LDAP-Client



Benjamin,

We have a similar problem where upgrading to OpenLDAP 2.4.20 on SLES 11
causes Outlook 2003 clients to not work right with an ldap address book on
OpenLDAP.  Microsoft has this documented here:

http://support.microsoft.com/kb/555536

In this case, the reg hack works.

I can't say whether the actual issue is Outlook's (or Solaris Native LDAP in
your case) misuse of this server side control or the sssvlv overlay.
Regardless of the root cause, I don't *need* the server side controls
provided by the sssvlv overlay and would just as soon disable it.

Unfortunately, Novell does not compile OpenLDAP overlays as modules in their
SuSE Linux distribution so the overlay can't be disabled.  I am in the same
position that it seems a lot of people are with being unable to compile
OpenLDAP myself without losing the paid-for Novell support.  We have already
contacted Novell, explained our position, and asked for them to change their
configuration of this package.  It seems as though they might be more likely
to do so if several customers contact them.

Hope that helps,

James Bagley Jr


On 10/28/10 7:04 AM, "Benjamin Griese" <der.darude@gmail.com> wrote:

> While further searching the web I found this nice conclusion of how to
> debug a Solaris 10 Native LDAP-Client or more general,
> what is necessary to know if you want to work with solaris native ldap
> client.
> 
> http://wiki.genunix.org/wiki/index.php/Native_LDAP_Product_Support_Document#What_are_the_requirements_for_Directory_server_to_support_Solaris_Native_LDAP_clients.3F
> I am a little bit concerned about the VLV support of OpenLDAP, I don't
> know how to disable this feature without compiling my own packages and
> disable that by configure.
> 
> 
> This discussion is about disabling VLV to be able to work with the
> solaris native ldap client and AD:
> http://old.nabble.com/Solaris-native-ldap-client-to-Windows-Active-Directory:-Netgroups-don't-work-because-of-control-critical-statement-tt23075436.html#a23075436
> 
> Can somebody agree to that problem with VLVs and the solaris native ldap
> client?
> 
> Thanks and bye.
> 
> 
> On Thu, Oct 28, 2010 at 15:12, Benjamin Griese <der.darude@gmail.com> wrote:
>> Correction:
>> -w <passwd> or -w - instead of -W
>> 
>> On Thu, Oct 28, 2010 at 15:02, Benjamin Griese <der.darude@gmail.com> wrote:
>>> Hello Günther,
>>> 
>>> sorry for my late reply, I hate sun cluster panics after patching
>>> those beasts. :(
>>> 
>>> Here is the content of solaris_profile:
>>> 
>>> dn: cn=solaris_profile,ou=profile,dc=example,dc=de
>>> objectClass: DUAConfigProfile
>>> objectClass: top
>>> cn: solaris_profile
>>> authenticationMethod: simple
>>> bindTimeLimit: 10
>>> credentialLevel: proxy
>>> defaultSearchBase: dc=example,dc=de
>>> defaultSearchScope: sub
>>> defaultServerList: exampleldap01 exampleldap02 (syncrepl, configured
>>> to mirrormode)
>>> followReferrals: FALSE
>>> profileTTL: 3600
>>> searchTimeLimit: 30
>>> serviceSearchDescriptor: sudoers:ou=SUDOers,dc=example,dc=de?sub
>>> serviceSearchDescriptor: group:ou=groups,dc=example,dc=de?sub
>>> serviceSearchDescriptor: passwd:ou=people,dc=example,dc=de?sub
>>> 
>>> 
>>> Regarding the sorting I found this in man ldapsearch:
>>> 
>>> "-F sep
>>> 
>>>         Use sep as the field separator between  attribute  names
>>>         and  values.  If  this option has been specified, the -L
>>>         option is ignored.
>>> 
>>> 
>>> -S [-]attribute
>>> 
>>>         Specify an attribute for sorting the entries returned by
>>>         the  search.  The  sort  criteria is alphabetical on the
>>>         attribute's value or reverse alphabetical with the  form
>>>         -attribute.  You  can give multiple -S options to refine
>>>         the sorting, For example:
>>> 
>>>         -S sn -S givenname
>>> 
>>>         By default, the entries  are  not  sorted.  Use  the  -x
>>>         option to perform server-side sorting."
>>> 
>>> If I use -x for server side sorting, I get the complete list of
>>> uid-Objects, but not sorted in any obvious way:
>>> # ldapsearch -v -x -b dc=example,dc=de -h exampleldap01 -D
>>> cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
>>> 
>>> ldapsearch: started Thu Oct 28 12:16:49 2010
>>> ldap_init( exampleldap01, 389 )
>>> filter pattern: (uid=*)
>>> returning: ALL
>>> filter is: (uid=*)
>>> version: 1
>>> 
>>> If I use this string I get the complete list of uid-objects sorted by
>>> uidNumber
>>> # ldapsearch -v -S uidnumber -b dc=example,dc=de -h exampleldap01 -D
>>> cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
>>> 
>>> ldapsearch: started Thu Oct 28 12:37:11 2010
>>> ldap_init( exampleldap01, 389 )
>>> filter pattern: (uid=*)
>>> returning: ALL
>>> filter is: (uid=*)
>>> version: 1
>>> 
>>> If I try to search with -x and -S uidnumber I get the same message
>>> that appears in the OpenLDAP logfile:
>>> # ldapsearch -v -x -S uidNumber -b dc=example,dc=de -h exampleldap01
>>> -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
>>> 
>>> ldapsearch: started Thu Oct 28 12:25:50 2010
>>> ldap_init( exampleldap01, 389 )
>>> filter pattern: (uid=*)
>>> returning: ALL
>>> filter is: (uid=*)
>>> ldap_search: Inappropriate matching
>>> ldap_search: additional info: serverSort control: No ordering rule
>>> ldap_parse_sort_control: Requested LDAP control not found
>>> 
>>> Finally I still have no clue how to prevent the client from doing
>>> these kinds of searches.
>>> And I couldn't find any templates regarding the ldapclient on my test
>>> machine.
>>> 
>>> Any other clues or ideas?
>>> 
>>> Bye, Benjamin.
>>> 
>>> On Sat, Oct 23, 2010 at 19:17, Dieter Kluenter <dieter@dkluenter.de> wrote:
>>>> Benjamin Griese <der.darude@gmail.com> writes:
>>>> 
>>>>> Hey thanks for quick reply,
>>>>> 
>>>>> I put the config of the ldapclient on the ML some days ago,
>>>>> but I can't figure out how I may have set such a rule on client side.
>>>>> Probably it is something hardcoded.
>>>>> 
>>>>> ldapclient config:
>>>>> NS_LDAP_FILE_VERSION= 2.0
>>>>> NS_LDAP_BINDDN= cn=proxyuser,ou=system,ou=people,dc=example,dc=de
>>>>> NS_LDAP_BINDPASSWD= secret
>>>>> NS_LDAP_SERVERS= ldap01
>>>>> NS_LDAP_SEARCH_BASEDN= dc=example,dc=de
>>>>> NS_LDAP_AUTH= simple
>>>>> NS_LDAP_SEARCH_REF= FALSE
>>>>> NS_LDAP_SEARCH_SCOPE= sub
>>>>> NS_LDAP_SEARCH_TIME= 30
>>>>> NS_LDAP_CACHETTL= 60
>>>>> NS_LDAP_PROFILE= solaris_profile
>>>>> NS_LDAP_CREDENTIAL_LEVEL= proxy
>>>>> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=people,dc=example,dc=de?sub
>>>>> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=example,dc=de?sub
>>>>> NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=SUDOers,dc=example,dc=de?sub
>>>>> 
>>>>> That's all I set up, it's like defaultest of the defaultest I guess :)
>>>>> 
>>>>> And thanks for describing EQUALITY.
>>>> 
>>>> I must admit I am not that familiar with old netscape tools, but the
>>>> openldap log is quite clear, there is a request for a Server Side
>>>> Sorting extended operation, which in fact is quite unusual. You really
>>>> should check Solaris 10 setup for appropriate templates, i.e. what is
>>>> the content of solaris_profile? By the way, AFAIR the flag for sss is
>>>> -F so you may check any templates, Redhat provides these in
>>>> /usr/share/dirsrv, Solaris might be different.
>>>> 
>>>> -Dieter
>>>> 
>>>> --
>>>> Dieter Klünter | Systemberatung
>>>> sip: 7770535@sipgate.de
>>>> http://www.dpunkt.de/buecher/2104.html
>>>> GPG Key ID:8EF7B6C6
>>>> 
>>> 
>>> 
>>> 
>>> --
>>> To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To
>>> be is to do -- Sartre | Do be do be do -- Sinatra
>>> 
>> 
>> 
>> 
>> 
> 
>
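
An added example, not part of the original thread: one way to check whether a directory server advertises the server-side sort and VLV controls that the sssvlv overlay provides, by parsing the `supportedControl` values of a root DSE saved as LDIF. The sample LDIF and the function names are constructed for illustration; the OIDs are the standard ones for server-side sorting (RFC 2891) and the VLV draft.

```python
import base64

# Control OIDs: server-side sort (RFC 2891) and virtual list view (VLV draft).
CONTROLS = {
    "1.2.840.113556.1.4.473": "server-side sort request",
    "1.2.840.113556.1.4.474": "server-side sort response",
    "2.16.840.1.113730.3.4.9": "VLV request",
    "2.16.840.1.113730.3.4.10": "VLV response",
}

# Constructed root DSE dump (not from the thread): one folded line, one base64 value.
SAMPLE_ROOT_DSE = (
    "dn:\n"
    "supportedControl: 1.2.840.113556.1.4.319\n"
    "supportedControl: 1.2.840.113556.1.4.\n"
    " 473\n"
    "supportedControl:: " + base64.b64encode(b"2.16.840.1.113730.3.4.9").decode() + "\n"
    "supportedLDAPVersion: 3\n"
)

def unfold(ldif):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def supported_controls(ldif):
    """Return the set of supportedControl OIDs in a root DSE LDIF dump."""
    oids = set()
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "supportedcontrol":
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("ascii")
        oids.add(value.strip())
    return oids

def sort_vlv_report(ldif):
    """Map each sort/VLV control name to whether the server advertises it."""
    advertised = supported_controls(ldif)
    return {label: oid in advertised for oid, label in CONTROLS.items()}

if __name__ == "__main__":
    print(sort_vlv_report(SAMPLE_ROOT_DSE))
```

Running the same report against a server before and after a package change shows whether the sort and VLV controls are still being offered to clients.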