<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel about="http://permalink.gmane.org/gmane.comp.ldap.umich">
    <title>gmane.comp.ldap.umich</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3225"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3224"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3223"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3222"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3221"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3220"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3219"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3218"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3217"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3216"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3215"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3214"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3213"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3212"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3211"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3210"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3209"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3208"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3207"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3206"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3225">
    <title>Re: Help</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3225</link>
    <description>So you are trying to authenticate desktop users from LDAP, right?
Please give more details, such as which version of LDAP,
OS/distribution used, a brief description about your LDAP structure,
etc.
Your description is too vague to give you an accurate solution.

2008/12/2 akhil bhardwaj &lt;akhil.bhardwaj&lt; at &gt;orkash.com&gt;:



</description>
    <dc:creator>Manilal K M</dc:creator>
    <dc:date>2008-12-02T07:44:43</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3224">
    <title>Re: Help</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3224</link>
    <description>2008/12/2 Akhil Bhardwaj &lt;akhil.bhardwaj&lt; at &gt;orkash.com&gt;:

How did you try to change the password?

</description>
    <dc:creator>Manilal K M</dc:creator>
    <dc:date>2008-12-02T07:30:23</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3223">
    <title>Help</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3223</link>
    <description>Dear,

I am new to LDAP and am configuring OpenLDAP as a domain controller. My
clients are also working fine, but my OpenLDAP users cannot change their own
passwords. Please help me with this problem.


</description>
    <dc:creator>Akhil Bhardwaj</dc:creator>
    <dc:date>2008-12-02T07:26:41</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3222">
    <title>Re: Guessing root DNs for active directory</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3222</link>
    <description>Mark,

Finally got to give this a try. One small mistake on your part: it's
_ldap._tcp.domain. Corrected queries below. Just pointing this out to
not frustrate anyone that finds this thread later.

On Mon, Oct 13, 2008 at 11:36 AM, Mark H. Wood &lt;mwood-/Nmu/ALlonGHXe+LvDLADg&lt; at &gt;public.gmane.org&gt; wrote:

_ldap._tcp.baz.bar.foo.xcorp.com  SRV
_ldap._tcp.bar.foo.xcorp.com      SRV
_ldap._tcp.foo.xcorp.com          SRV
_ldap._tcp.xcorp.com              SRV


</description>
    <dc:creator>Justin Dearing</dc:creator>
    <dc:date>2008-10-25T19:09:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3221">
    <title>Re: newbie question: how to put company structure to ldap</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3221</link>
    <description>


You should probably get a LDAP book or read a few online
tutorials. That said, the approach depends on whether you use groups or
roles.

groups-
Do a filter on
(&amp;(objectClass=groupOfNames)(cn=TEAM-NAME)) and grab all the member
attributes. Then you have to scan through each member in a second pass.

roles-
Just do a filter on the role itself and you get the
members in the first pass.

On a side note, while there may be
some disagreement on this list about the use of groupOfUniqueNames, the
fact is it's used almost interchangeably with groupOfNames these days (I
do it) and you should always be ready to support it. 

You
can do that by writing the appropriate filters:

(&amp;(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))(cn=TEAM-NAME))

And then determining how to read the entry (member vs.
uniqueMember) or have a configuration file that specifies the filter and
attribute to look at.

thanks for answering. 
a lot :-) 
search for all members of a 
want to have a list of sn,mail,phone of all memb</description>
    <dc:creator>Dustin Puryear</dc:creator>
    <dc:date>2008-10-22T15:57:42</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3220">
    <title>Re: newbie question: how to put company structure to ldap</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3220</link>
    <description>


What you are trying to do is just create a set of users and teams
(groups of users). You can use LDAP groups or roles for the team
implementation. Let's just use groups.

root
- users
</description>
    <dc:creator>Dustin Puryear</dc:creator>
    <dc:date>2008-10-22T15:27:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3219">
    <title>Re: newbie question: how to put company structure to ldap</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3219</link>
    <description>Hello Dustin,

thanks for answering.
Nice to hear that I do not have to modify a lot :-)

But there's one answer left. How can I search for all members of a  
certain team.
e.g.: I want to have a list of sn,mail,phone of all members of team a

I have no idea how to create this type of search ?

any help appreciated.....GERD.....



Am 22.10.2008 um 17:27 schrieb Dustin Puryear:




</description>
    <dc:creator>Gerd Koenig</dc:creator>
    <dc:date>2008-10-22T15:38:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3218">
    <title>newbie question: how to put company structure to ldap</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3218</link>
    <description>Hello again,

in my first email there was a copy-paste error.

The dn of the teams are also of the format
dn=&lt;teamname&gt;,ou=teams,dc=example,dc=com

any help appreciated....GERD....



</description>
    <dc:creator>Gerd König</dc:creator>
    <dc:date>2008-10-21T06:14:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3217">
    <title>newbie question: how to put company structure to ldap</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3217</link>
    <description>Hello,

I'm going to create a ldap directory for the company to have a central
place for user administration.
I've started with an example found in the web. First of all I created
the top level dc=example,dc=com and the manager
(cn=manager,dc=example,dc=com).
Afterwards I created 2 organizational units:
ou=persons
ou=teams
and filled them with content (see at bottom of the email).

I'm in doubt if this is the correct way to build the directory and
"connect" each user to its team. I only set the "ou=" property of each
person to its teamname, and added one "member=" entry for each person to
the team-object. I'm not happy with such setting.

What if a person changes the team, do I have to update the person's
"ou=" and the "member=" section of the teams ??

Is this really the way to implement such a company-&gt;team-&gt;person hierarchy ?

any help appreciated....GERD....

dn: cn=Tinky Winky,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
sn: Tinky
cn: Tinky Winky
uid: twinky
userpassword: twinky
ou: support
dn</description>
    <dc:creator>Gerd König</dc:creator>
    <dc:date>2008-10-21T06:01:25</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3216">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3216</link>
    <description>
Sorry, no.  It's irritating but normal for LDAP clients to try several
searches until one succeeds, and to not offer a way to turn off searches
that the user knows will find nothing.  Furthermore "no such object" can
mean user misconfiguration - "you must point the group base DN at an
actual entry" while no search results is normal.  Assuming that group DN
is actually configured and necessary, of course.

I've lost track of this discussion a bit, but anyway: Possibly it would
help to point the group DN at the parent entry so that a search for the
"group" will find users too.  Depends on whether group searches use
subtree scope and filter for groups.

</description>
    <dc:creator>Hallvard B Furuseth</dc:creator>
    <dc:date>2008-10-20T14:09:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3215">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3215</link>
    <description>
WebLogic has a problem which is independent of the LDAP service's
behavior: it is searching the wrong context.  If this is not the
result of misconfiguration by the customer, then they should fix that.
I would simply refuse *any* arguments concerning the LDAP response to
an incorrect query until the query is corrected.  I would keep
pointing to the error in WebLogic until it is acknowledged.

</description>
    <dc:creator>Mark H. Wood</dc:creator>
    <dc:date>2008-10-20T13:26:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3214">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3214</link>
    <description>
In any case the LDAP client should also handle noSuchObject more
gracefully. Although more thorough analysis should be done I think in
this particular case noSuchObject could also be handled the same way
as no group entry found. And that's exactly what I meant with "In most
cases the handling is mainly the same".

Ciao, Michael.


</description>
    <dc:creator>Michael Ströder</dc:creator>
    <dc:date>2008-10-17T14:50:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3213">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3213</link>
    <description>
LOL. You are right, BEA was purchased by Oracle. They are indeed both
Oracle products.

What I am not sure is whether Oracle Virtual Directory sends the LDAP
Error 32 by default; or if it is the implementation of the product at
our organization. I suspect it is the latter.

Thanks,
Sharad


</description>
    <dc:creator>Agarwal, Sharad</dc:creator>
    <dc:date>2008-10-17T14:46:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3212">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3212</link>
    <description>Looking back to the request's base:

String searchBase = "ou=groups,ou=VgnLDAPRealm,dc=vgndomain";

if the ou=groups,ou=VgnLDAPRealm,dc=vgndomain branch does not exist in your LDAP DIT, then you will get a NoSuchObject resultcode.

Your LDAP server is compliant if you get this result. 

Now the funniest part: WebLogic and Oracle Virtual Directory (AFAIR, 
OctetString product) are _both_ Oracle products ;) Either Oracle or 
Oracle is not compliant somewhere...

</description>
    <dc:creator>Emmanuel Lecharny</dc:creator>
    <dc:date>2008-10-17T14:33:19</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3211">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3211</link>
    <description>
WebLogic is the application in question. WebLogic allows us to define Authenticators (code that connects to the LDAP server). Once an Authenticator is defined, WebLogic offers a UI where all users and groups can be listed. 

The group listing fails because of some code in WebLogic that tries to find the description of a group. They have a generic function getdescription() that is used for both users and groups. It ends up searching for the group in the user base DN. And our LDAP returns an Error 32.

As far as I can tell, WebLogic should not be searching for the group in the user context. But it is doing that. By the same token, the LDAP should not return LDAP Error 32. But it is doing that. And, together, the twain are resulting in the user seeing a stack trace instead of the Group listing.

This puts me in a tough predicament. Both parties have a plausible argument. WebLogic complains that the LDAP is not standards compliant. And LDAP complains that WebLogic should not search for groups in the user DN. An</description>
    <dc:creator>Agarwal, Sharad</dc:creator>
    <dc:date>2008-10-17T14:03:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3210">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3210</link>
    <description>
That's why I wrote "In most cases the handling is mainly the same".
                       ^^^^                       ^^^^^^

Most LDAP clients are not nifty interactive clients which try to guide
the user what to do next. Most LDAP clients just log an error. While I'm
pretty eager with fine-grained error handling in web2ldap I find myself
writing the same application-level error handling for 1. noSuchObject
and 2. empty result sets for simple cases. Only the log messages differ.

So I'd be interested which LDAP clients the original poster is working
with and which problems he experienced.

Ciao, Michael.


</description>
    <dc:creator>Michael Ströder</dc:creator>
    <dc:date>2008-10-17T11:55:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3209">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3209</link>
    <description>Good example. I would say the LDAP server was sending back a non-standard
response for that situation then. 

   joe
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-----Original Message-----
From: Agarwal, Sharad [mailto:Sharad.Agarwal-WAQBmITiDcc&lt; at &gt;public.gmane.org] 
Sent: Wednesday, October 15, 2008 12:17 PM
To: joe; adam-3SybyYu0gLN2ZeWMVSxU7w&lt; at &gt;public.gmane.org; ldap-63aXycvo3TyHXe+LvDLADg&lt; at &gt;public.gmane.org
Subject: RE: [ldap] Re: LDAP Error 32 v/s Empty Result Set

Hi Joe,

Thank you for elaborating on that. 

I think I was asking too generic a question. Here are two specific queries
to the Oracle Virtual Directory server, both using the same bind
information. One succeeds, the other fails. The only difference between the
two is that one is searching for (uid=vgnadmin) and the other for (uid=foo).

Query:
~~~~
        String searchBase = "ou=People,dc=fmr,dc=com";
        String searchFilter = "(uid=vgnadmin)"; //WORKS
~~~~

Output:
~~~~
LDAPEntry: uid=vgnadmin,ou=Peop</description>
    <dc:creator>joe</dc:creator>
    <dc:date>2008-10-15T16:18:34</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3208">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3208</link>
    <description>

RFC-4511, section 4.1.9 Result Message

-Dieter

</description>
    <dc:creator>Dieter Kluenter</dc:creator>
    <dc:date>2008-10-15T16:20:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3207">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3207</link>
    <description>Thanks Joe. Appreciate your patience.

Is there some kind of authoritative source I could cite when I have this
discussion with the LDAP administrators? They are just telling me that
the application should handle the error and that LDAP Error 32 is 'No
Such Object'. And since there is no (uid=foo) object, it is standards
compliant behavior for the server to return LDAP Error 32.

Thanks,
Sharad

-----Original Message-----
From: joe [mailto:joe-VdL7z5lOYoXR7s880joybQ&lt; at &gt;public.gmane.org] 
Sent: Wednesday, October 15, 2008 12:19 PM
To: Agarwal, Sharad; adam-3SybyYu0gLN2ZeWMVSxU7w&lt; at &gt;public.gmane.org; ldap-63aXycvo3TyHXe+LvDLADg&lt; at &gt;public.gmane.org
Subject: RE: [ldap] Re: LDAP Error 32 v/s Empty Result Set

Good example. I would say the LDAP server was sending back a
non-standard
response for that situation then. 

   joe
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-----Original Message-----
From: Agarwal, Sharad [mailto:Sharad.Agarwal-WAQBmITiDcc&lt; at &gt;public.gmane.org] 
Sent: Wedne</description>
    <dc:creator>Agarwal, Sharad</dc:creator>
    <dc:date>2008-10-15T16:22:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3206">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3206</link>
    <description>Hi Joe,

Thank you for elaborating on that. 

I think I was asking too generic a question. Here are two specific
queries to the Oracle Virtual Directory server, both using the same bind
information. One succeeds, the other fails. The only difference between
the two is that one is searching for (uid=vgnadmin) and the other for
(uid=foo).

Query:
~~~~
        String searchBase = "ou=People,dc=fmr,dc=com";
        String searchFilter = "(uid=vgnadmin)"; //WORKS
~~~~

Output:
~~~~
LDAPEntry: uid=vgnadmin,ou=People,dc=fmr,dc=com; LDAPAttributeSet:
LDAPAttribute: {type='cn', value='vgnadmin, VDS'}
~~~~

Query:
~~~~
        String searchBase = "ou=People,dc=fmr,dc=com";
        String searchFilter = "(uid=foo)"; //FAILS
~~~~

Output:
~~~~
Error: LDAPException: No Such Object (32) No Such Object
LDAPException: Server Message: LDAP Error 32 : No Such Object
~~~~

-----Original Message-----
From: joe [mailto:joe-VdL7z5lOYoXR7s880joybQ&lt; at &gt;public.gmane.org] 
Sent: Wednesday, October 15, 2008 11:27 AM
To: Agarwal, Sharad; a</description>
    <dc:creator>Agarwal, Sharad</dc:creator>
    <dc:date>2008-10-15T16:16:55</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3205">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3205</link>
    <description>
On Oct 16, 2008, at 1:19 AM, Emmanuel Lecharny wrote:


Actually, there are cases where it is appropriate.  For instance, when  
the user is not authorized to know if the searchBase exists.  But this  
case doesn't seem to apply here.

What should be clear is that by returning noSuchObject, the server is  
reporting that the baseObject of the search does not exist.  This  
is quite different than reporting there are no entries which match the  
search criteria.

</description>
    <dc:creator>Kurt Zeilenga</dc:creator>
    <dc:date>2008-10-16T15:53:14</dc:date>
  </item>
  <textinput about="http://search.gmane.org/?group=$group=gmane.comp.ldap.umich">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.ldap.umich</link>
  </textinput>
</rdf:RDF>
