Cheers
John

I went back through my configuration steps and referenced the three articles here. I have tailed out my Sun Java Directory log files and looked at the searches that are being done, there is not much to the filter:

Attempting to create a weblog:
[31/Jul/2008:15:17:10 -0500] conn=419 op=98 msgId=99 - SRCH base=”dc=wichita,dc=edu” scope=2 filter=”(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(|(uid=g892k662))(|(cn=g892k662))))” attrs=”uid cn uid cn”
[31/Jul/2008:15:17:10 -0500] conn=419 op=98 msgId=99 - RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2008:15:17:10 -0500] conn=419 op=99 msgId=100 - ABANDON targetop=NOTFOUND msgid=99

yet in the wikid/error.log I get
Failure: twisted.cred.error.UnauthorizedLogin: Bad username or password: g892k662

Attempting to edit a blog that is not my own: (long… more dialouge below…)
[31/Jul/2008:15:17:57 -0500] conn=419 op=100 msgId=101 - SRCH base=”dc=wichita,dc=edu” scope=2 filter=”(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uidNumber=7003)))” attrs=”uidNumber uid cn gidNumber uidNumber”
[31/Jul/2008:15:17:57 -0500] conn=419 op=100 msgId=101 - RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2008:15:17:57 -0500] conn=419 op=101 msgId=102 - ABANDON targetop=NOTFOUND msgid=101
[31/Jul/2008:15:17:57 -0500] conn=419 op=102 msgId=103 - SRCH base=”dc=wichita,dc=edu” scope=2 filter=”(&(|(objectClass=posixGroup))(|(gidNumber=14)))” attrs=”cn gidNumber gidNumber”
[31/Jul/2008:15:17:57 -0500] conn=419 op=102 msgId=103 - RESULT err=0 tag=101 nentries=0 etime=0
[31/Jul/2008:15:17:57 -0500] conn=419 op=103 msgId=104 - ABANDON targetop=NOTFOUND msgid=103
[31/Jul/2008:15:17:57 -0500] conn=419 op=104 msgId=105 - SRCH base=”dc=wichita,dc=edu” scope=2 filter=”(&(|(objectClass=posixGroup))(|(memberUid=f282c439)))” attrs=”cn gidNumber memberUid”
[31/Jul/2008:15:17:57 -0500] conn=419 op=104 msgId=105 - RESULT err=0 tag=101 nentries=0 etime=0
[31/Jul/2008:15:17:57 -0500] conn=419 op=105 msgId=106 - ABANDON targetop=NOTFOUND msgid=105
[31/Jul/2008:15:17:57 -0500] conn=419 op=106 msgId=107 - SRCH base=”dc=wichita,dc=edu” scope=2 filter=”(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(|(uid=unauthenticated))(|(cn=unauthenticated))))” attrs=”uidNumber uid cn gidNumber uid cn”
[31/Jul/2008:15:17:57 -0500] conn=419 op=106 msgId=107 - RESULT err=0 tag=101 nentries=0 etime=0
[31/Jul/2008:15:17:57 -0500] conn=419 op=107 msgId=108 - ABANDON targetop=NOTFOUND msgid=107
[31/Jul/2008:15:17:57 -0500] conn=419 op=108 msgId=109 - SRCH base=”dc=wichita,dc=edu” scope=2 filter=”(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(|(uid=f282c439))(|(cn=f282c439))))” attrs=”uidNumber uid cn gidNumber uid cn”
[31/Jul/2008:15:17:57 -0500] conn=419 op=108 msgId=109 - RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2008:15:17:57 -0500] conn=419 op=109 msgId=110 - ABANDON targetop=NOTFOUND msgid=109
[31/Jul/2008:15:17:57 -0500] conn=419 op=110 msgId=111 - SRCH base=”dc=wichita,dc=edu” scope=2 filter=”(&(|(objectClass=posixGroup))(|(cn=com.apple.access_all_services)))” attrs=”cn gidNumber cn”
[31/Jul/2008:15:17:57 -0500] conn=419 op=110 msgId=111 - RESULT err=0 tag=101 nentries=0 etime=0
[31/Jul/2008:15:17:57 -0500] conn=419 op=111 msgId=112 - ABANDON targetop=NOTFOUND msgid=111
[31/Jul/2008:15:17:57 -0500] conn=419 op=112 msgId=113 - SRCH base=”dc=wichita,dc=edu” scope=2 filter=”(&(|(objectClass=posixGroup))(|(cn=com.apple.access_weblog)))” attrs=”cn gidNumber cn”
[31/Jul/2008:15:17:57 -0500] conn=419 op=112 msgId=113 - RESULT err=0 tag=101 nentries=0 etime=0
[31/Jul/2008:15:17:57 -0500] conn=419 op=113 msgId=114 - ABANDON targetop=NOTFOUND msgid=113
[31/Jul/2008:15:17:57 -0500] conn=419 op=114 msgId=115 - SRCH base=”dc=wichita,dc=edu” scope=2 filter=”(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uidNumber=7003)))” attrs=”uidNumber uid cn gidNumber uidNumber”
[31/Jul/2008:15:17:57 -0500] conn=419 op=114 msgId=115 - RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2008:15:17:57 -0500] conn=419 op=115 msgId=116 - ABANDON targetop=NOTFOUND msgid=115
[31/Jul/2008:15:17:57 -0500] conn=419 op=116 msgId=117 - SRCH base=”dc=wichita,dc=edu” scope=2 filter=”(&(|(objectClass=posixGroup))(|(gidNumber=14)))” attrs=”cn gidNumber gidNumber”
[31/Jul/2008:15:17:57 -0500] conn=419 op=116 msgId=117 - RESULT err=0 tag=101 nentries=0 etime=0
[31/Jul/2008:15:17:57 -0500] conn=419 op=117 msgId=118 - ABANDON targetop=NOTFOUND msgid=117
[31/Jul/2008:15:17:57 -0500] conn=419 op=118 msgId=119 - SRCH base=”dc=wichita,dc=edu” scope=2 filter=”(&(|(objectClass=posixGroup))(|(memberUid=f282c439)))” attrs=”cn gidNumber memberUid”
[31/Jul/2008:15:17:57 -0500] conn=419 op=118 msgId=119 - RESULT err=0 tag=101 nentries=0 etime=0
[31/Jul/2008:15:17:57 -0500] conn=419 op=119 msgId=120 - ABANDON targetop=NOTFOUND msgid=119
[31/Jul/2008:15:17:57 -0500] conn=419 op=120 msgId=121 - SRCH base=”dc=wichita,dc=edu” scope=2 filter=”(&(|(objectClass=posixGroup))(|(memberUid=_www)))” attrs=”cn gidNumber memberUid”
[31/Jul/2008:15:17:57 -0500] conn=419 op=120 msgId=121 - RESULT err=0 tag=101 nentries=0 etime=0
[31/Jul/2008:15:17:57 -0500] conn=419 op=121 msgId=122 - ABANDON targetop=NOTFOUND msgid=121
[31/Jul/2008:15:18:14 -0500] conn=419 op=122 msgId=123 - SRCH base=”dc=wichita,dc=edu” scope=2 filter=”(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(|(uid=g892k662))(|(cn=g892k662))))” attrs=”uid cn uid cn”
[31/Jul/2008:15:18:14 -0500] conn=419 op=122 msgId=123 - RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2008:15:18:14 -0500] conn=419 op=123 msgId=124 - ABANDON targetop=NOTFOUND msgid=123
[31/Jul/2008:15:18:14 -0500] conn=419 op=124 msgId=125 - SRCH base=”dc=wichita,dc=edu” scope=2 filter=”(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=g892k662)(cn=g892k662)))” attrs=”userPassword”
[31/Jul/2008:15:18:14 -0500] conn=419 op=124 msgId=125 - RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2008:15:18:14 -0500] conn=419 op=125 msgId=126 - SRCH base=”dc=wichita,dc=edu” scope=2 filter=”(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=g892k662)(cn=g892k662)))” attrs=ALL
[31/Jul/2008:15:18:14 -0500] conn=419 op=125 msgId=126 - RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2008:15:18:14 -0500] conn=422 op=-1 msgId=-1 - fd=43 slot=43 LDAP connection from 156.26.180.77:49325 to 156.26.180.85
[31/Jul/2008:15:18:14 -0500] conn=422 op=0 msgId=1 - SRCH base=”" scope=0 filter=”(objectClass=*)” attrs=”supportedSASLMechanisms namingContexts dnshostname krbname”
[31/Jul/2008:15:18:14 -0500] conn=422 op=0 msgId=1 - RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2008:15:18:14 -0500] conn=422 op=1 msgId=2 - BIND dn=”uid=g892k662,ou=People,dc=wichita,dc=edu” method=128 version=3
[31/Jul/2008:15:18:14 -0500] conn=422 op=1 msgId=2 - RESULT err=0 tag=97 nentries=0 etime=0

Has anyone tested this? Has anyone had this same expirence? What am I missing?

(&(|(objectclass=apple-configuration)(objectclass=organizationalunit))(|(cn=CollabServices)(ou=CollabServices)))

which i do not have in my ‘OD from scratch’ openldap on Debian. I suspect the missing part is within the apple-xmlplist attribute of the ou=CollabServices record within the cn=Config subtree. Can someone please paste their content from an ‘proper’ OD server?

TIA,

“serveradmin settings teams:enableClearTextAuth = yes”

No, I haven’t yet tried the Calendar server with external accounts. It wasn’t one of our goals. I think I read somewhere that it requires Kerberos, though. Solaris supports Kerberos, but if you don’t already have that set up, you’re looking at a lot of work. Or maybe you could get away with adding the “authAuthority: ;Kerberosv5;0×47f…” attribute to the LDAP records, and populate the Kerberos database on the Apple server with corresponding entries for your iCal users.

Maybe Kerberos has nothing to do with it though, and I’m misremembering… I would start by observing the Sun LDAP access logs while you attempt to authenticate an external user for iCal service. Note whether it’s looking up authAuthority. I’d also compare the contents of the apple attributes of a user in OD that has a calendar and has authenticated to the calendar server. I have in mind one of the attributes that hold XML data, like apple-mcxflags or apple-serviceslocator.

Good luck! I’d love to hear how it goes.

BTW, I think your URL for “this bug” is not what you intended?

I installed the 10.5.3 update today. I was disappointed to see that this bug still hasn’t been fixed.

I didn’t get a crashing OD (I think) after the update, but there were problems relating to the external directory server attribute mappings. There was a Python process that was crashing over and over again, but the functionality of the server seemed OK, except that OD and the CrashReporter process was eating up CPU cycles like I eat chocolate chip cookies. Disabling the external directory stopped the crashing python loop.

I changed the server mappings from “from the server” to “RFC 2307″, re-enabled it, and I can I see all of my external users in WGM just fine. However, authentication to the wiki doesn’t work — it produces an error, “No attribute shortName”, which should be mapped to our ‘uid’ attribute.

I suspect that the 10.5.3 update changed the attributes and/or objectclasses, so the old mappings, stored in the external directory which did not get updated, cause problems. I’ll have to go through the process of dumping the user account LDAP info, and watching the external server’s access logs again to find out what it’s looking for, and accommodate. Or, go with “augmented” local/external hybrids stored in OD, as per the “Cylinder of Destiny” setup mentioned in this thread.

Turns out we had activated the local Open Directory Server on the Mac OS X Server box as a “master”, in order to dump the user account info in step 1 above. As most of you probably know, we should have turned that right back off. Evidently the system does not like getting its settings from another server when there is a local OD master running. (In my defense, a nice error message would have helped, instead of Directory Server crashing on boot…)

Anyway, thanks to all. We are looking forward to fourth article!

Then again, some admins may prefer to have LDAP user account data all in one place, instead of distributed between servers. However, I can’t think of any good technical reasons why one would integrate instead of augment.