Chris Ridd

At some point, the control panel became unable to correctly update schema – see OPENDJ-3410.

I would also strongly suggest using ldapmodify.

The stack traces suggest that you might benefit from adding the largest (but only the largest) static groups into an entry cache. There are examples of creating FIFO or Soft Reference entry caches in the docs.

That will avoid DS repeatedly reading a group out of the database (or database cache), and decoding it into an Entry. Decoding attributes…[Read more]

I can reproduce this. Attempting to add the entry results in:

# The LDAP modify request failed: 17 (Undefined Attribute Type)
# Additional Information: Entry cn=test,dc=example,dc=com can not be added because BER encoding of userSMIMECertificate;binary attribute is not supported


Removing the “;binary” from the attribute descriptions (keep the…[Read more]

Hi, unfortunately no – PBKDF2 will always create new values with a fixed size salt and hash (8 and 20)

However it looks like it is able to compare passwords with values that have longer salts, if that helps.

The PKCS5S2 scheme uses a longer salt and hash (16 and 32) but does not have configurable iterations. Maybe that’s another option for you.

While extensibleObject will work, it allows any attribute. Our Developer’s Guide recommends against it in general.

Perhaps that’s all the hostObject objectClass is, that the OP found.

Our default schema defines the host attribute from RFC 4524, and the account objectClass (also from RFC 4524) allows the use of the host attribute. I don’t know where hostObject is defined.

attributeTypes: ( 0.9.2342.19200300.100.1.9 NAME 'host' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256}…[Read more]

If you set your target users’ password policy on DJ to allow pre-encoded passwords, you should be able to read the password hashes from the ODSEE, and write them as-is into DJ.

You’ll obviously need to make sure that ODSEE is storing its passwords in a compatible way with DJ. We know that things like the salted SHA mechanisms are compatible, but…[Read more]

Yes, you will need to get comfortable using ldapmodify, and the string format of attributeTypes and objectClasses… (I usually take a look at the definitions in the existing schema files first!)

Does the Updating Directory Schema section of the admin guide help at all? Please raise doc bugs if anything is not very clear.

Well, you could set the administration connector to just listen on 127.0.0.1, instead of the default 0.0.0.0.

But, that will cause operational problems and I’d recommend against doing this. Various dsreplication subcommands connect to the administration connectors of remote servers in order to work, so doing this will prevent important things…[Read more]

Your new test entries are different from your original test entries…

As has been pointed out in the other thread, this is because you are using (misusing!) the LDAP “name” attribute type. DS is matching “activityA” in the “ou” attribute type, as “ou” is a subtype of “name”. See RFC 4519 section 2.20

Hi, we have a KB article discussing how to do this.

How do I make DS/OpenDJ (All versions) listen on port 389 without being root?

Hope that helps!

Chris

There are a couple of undocumented system properties that control the archived-configs directory.

org.opends.server.MaintainConfigArchive

If this is unset, or anything apart from “false”, the archive will be maintained.

org.opends.server.MaxConfigArchiveSize

If this is not set, or set to <= 0, then there is no limit on the number of archived…[Read more]

If this is an urgent issue and you have a support subscription, then you should raise a ticket with ForgeRock support.

Start with the link right at the top of this page called “Docs & Learning”.

It looks like your filesystem is read-only, which may be due to it being full.

If you are running as a CTS server then you will almost certainly need to tune OpenDJ to account for the very high number of writes performed by OpenAM. Reducing the size of the changelog by changing the replication purge delay is a simple option, but you will need to…[Read more]

Just as a quick follow-up, we strongly advise anyone in the same situation with a support contract to raise a support ticket.

For details on raising a support ticket please read Contacting ForgeRock support.

Hi,

I can’t find any download links at the moment. Please raise a support ticket with us and we’ll email you a copy in return.

Sorry, I can’t help with that client API. Maybe someone else in the forums uses it…

Hi,

Unfortunately I’m not familiar with that API. The following page at MSDN seems to describe the LDAP dialect of their SQL query language: MSDN LDAP Dialect.

The only obvious problem I can see is that you’re not constructing the DN correctly in the URL – “LDAP://LDAPserver:389/o=organisation/ou=internal/ou=users” should perhaps be…[Read more]