Chapter 2 - Configuring Banyan LDAP for StreetTalk Service
Configuring Directory Synchronization
You must configure both the LDAP for StreetTalk service and the NSDS to support directory synchronization. You can complete the configurations in any order. To learn more about configuring directory synchronization on the Netscape directory server, refer to the section "Overview of Banyan Directory Synchronization" in this guide.
To Configure Directory Synchronization on Banyan LDAP for StreetTalk Services
1. Open LDAP Configuration Manager on the server that will be using directory synchronization.
2. Click the Directory Synchronization tab.
3. Click Netscape.
4. Select the Enable synchronization check box.
5. Enter the Netscape Directory Server configuration information under Netscape Server Configuration.
The Netscape Directory Server must include the Banyan directory synchronization option. Configure the Netscape Directory Server directory synchronization option to synchronize with this LDAP for StreetTalk service. You must configure the Netscape Directory Server as well as the LDAP for StreetTalk server before you can use directory synchronization.
6. Enter the Netscape Directory Server IP address or DNS name to synchronize with the LDAP for StreetTalk directory on this server.
7. Enter the port number. The number you enter must match the port configured on the Netscape Directory Server. Generally, LDAP services use port number 389.
8. Enter the LDAP distinguished name for the root of the LDAP for StreetTalk directory subtree in the Netscape Directory Server directory (the Subtree DN you enter when you configure the NSDS). For more information about distinguished names and LDAP directories, refer to Appendix B, Directory Concepts, in LDAP for StreetTalk Administrator's Guide in your Banyan documentation.
9. Enter the distinguished name (the Authorized DN on NSDS) that is authorized to make changes to the LDAP for StreetTalk directory portion of the Netscape Directory Server.
10. Enter a password to be used in combination with the Authorized DN to allow changes to the LDAP for StreetTalk portion of the LDAP directory on the Netscape Directory Server. Requests to add, modify, or delete entries in the LDAP for StreetTalk portion of the Netscape directory server directory must be accompanied by the authorized DN and the password you enter.
The password can be 1 to 31 alphanumeric characters. Characters must be lower case. Do not use spaces in the password and do not use [ ] * : + | or ".
11. Re-enter the password to verify that you entered the password correctly.
12. Click OK.
13. Close LDAP Configuration Manager.
14. Use StreetTalk Explorer to stop and restart the LDAP for StreetTalk service for the configuration changes to take effect.
To Run Directory Synchronization
When you run directory synchronization, all changes that have been made to the LDAP for StreetTalk database are replicated to the LDAP for StreetTalk subtree of the Netscape Directory Server's database. There are two ways to synchronize the databases on demand:
1. Rebuild STDA on the LDAP for StreetTalk server. Rebuilding STDA writes all directory entries to the LDAP database, and replicates the LDAP database entries to the Netscape Directory Server database.
2. Run the STNSSync application (STNSSYNC.EXE) in the Support\Tools directory on the LDAP for StreetTalk server. STNSSync.exe uses LDAP to read the entries from an LDAP for StreetTalk server, reformats the entries for Netscape Directory Server and writes the entries to the Netscape server.
Subsequent changes to the LDAP for StreetTalk directory, made through STDA builds or LDAP for StreetTalk database modifications, are replicated to the Netscape Directory Server automatically.
To Disable Directory Synchronization
1. Click the Directory Synchronization tab.
2. Click Netscape.
3. Clear the Enable synchronization check box. Your LDAP for StreetTalk and Netscape Directory Server databases will no longer be synchronized by the LDAP for StreetTalk service.
4. Use StreetTalk Explorer to stop and restart the LDAP for StreetTalk service for the configuration change to take effect.
5. Disable directory synchronization on the Netscape Directory Server as well.
Registry Key Configuration Options
There are several registry keys you can add to your LDAP for StreetTalk server to enhance the operation of Banyan Directory Synchronization. The optional registry keys are:
HKLM\SOFTWARE\Banyan Applications\LDAP\Administration\NSSyncUserObjectclass
Determines which object class attributes are allowed in user synchronization requests.
HKLM\SOFTWARE\Banyan Applications\LDAP\Administration\NSSyncListObjectclass
Determines which object class attributes are allowed in list synchronization requests.
HKLM\SOFTWARE\Banyan Applications\LDAP\Administration\NSSyncTypes
Determines whether directory synchronization sends StreetTalk users, lists, or both to the Netscape server for synchronization.
HKLM\SOFTWARE\Banyan Applications\LDAP\Administration\NSSyncDebugFile
Enables logging of the synchronization activity on the LDAP for StreetTalk server.
Schema Checking and Registry Keys NSSyncUserObjectclass and NSSyncListObjectclass
StreetTalk user entries that you add to Banyan LDAP for StreetTalk are synchronized to Netscape Directory Server as object class inetOrgPerson. New StreetTalk list entries are synchronized as object class groupOfNames. With schema checking enabled on the Netscape server, only attributes allowed in the object classes inetOrgPerson and groupOfNames are allowed in synchronization requests. You can limit STDA attribute collection to these attributes to ensure that synchronization requests are not rejected as an object class violation.
The StreetTalk vendor/attribute pairs for allowed attributes in object class inetOrgPerson are listed in Table 1.
The vendor/attribute pairs for allowed attributes in object class groupOfNames are listed in Table 2.
Some attributes are collected regardless of STDA configuration; these attributes are listed in Table 3.
If you cannot change the STDA attribute collection settings, assign object classes as values to the registry keys NSSyncUserObjectclass and NSSyncListObjectclass. On startup, Banyan Directory Synchronization reads the attributes for the assigned object classes from the Netscape Directory Server registry and sends only modifications with attributes from these object classes. For example, if the registry key NSSyncUserObjectclass is set to "inetOrgPerson", collected attributes are checked against the attributes allowed in "inetOrgPerson" before being added to modification requests.
Table 1: Allowed Attributes for Object Class inetOrgPerson
Attribute | V:A # |
audio | 0:4097 |
businessCategory | 0:4007 |
carLicense | 0:4216 |
cn | 0:4001 |
departmentNumber | 0:4217 |
description | 0:1 |
destinationIndicator | 0:4013 |
employeeNumber | 0:4218 |
employeeType | 0:4219 |
facsimileTelephoneNumber | 0:113 |
givenName | 0:4109 |
homePhone | 0:4075 |
homePostalAddress | 0:4082 |
initials | 0:4110 |
internationaliSDNNumber | 0:4011 |
jpegPhoto | 0:4099 |
l | 0:4003 |
labeledURI | 0:4220 |
(attribute name missing in source) | 0:4062 |
manager | 0:4069 |
mobile | 0:4084 |
objectClass | 0:4000 |
ou | 0:4005 |
pager | 0:4085 |
photo | 0:4066 |
physicalDeliveryOfficeName | 0:4009 |
postalAddress | 0:4008 |
postalCode | 0:110 |
postOfficeBox | 0:105 |
preferredDeliveryMethod | 0:4014 |
preferredLanguage | 0:4231 |
registeredAddress | 0:4012 |
roomNumber | 0:4065 |
secretary | 0:4076 |
seeAlso | 0:4019 |
sn | 0:4002 |
st | 0:108 |
street | 0:106 |
telephoneNumber | 0:111 |
telexNumber | 0:115 |
telexTerminalIdentifier | 0:116 |
title | 0:101 |
uid | 0:4060 |
userCertificate | 0:4104 |
userMimeCertificate | 0:4232 |
userPassword | 0:4103 |
userPKCS12 | 0:4272 |
x121Address | 0:4010 |
x500uniqueIdentifier | 0:4112 |
Table 2: Allowed Attributes for Object Class groupOfNames
Attribute | V:A # |
businessCategory | 0:4007 |
cn | 0:4001 |
description | 0:1 |
objectClass | 0:4000 |
ou | 0:4005 |
seeAlso | 0:4019 |
Table 3: Attributes Collected Regardless of STDA Configuration
LDAP Attribute | User | List |
cn | | |
description | | |
givenName | | |
(attribute name missing in source) | | |
objectClass | | |
sn | | |
(The User and List marks of this table were not preserved in the source.)
Banyan Directory Synchronization adds user entries as objectClass = {top,person,organizationalPerson,inetOrgPerson}. Banyan Directory Synchronization ensures that each user entry contains the object class inetOrgPerson, a cn attribute, and an sn attribute. If the user entry does not have a cn attribute, the cn from the entry's DN is added to the modification request. If the user entry does not have an sn attribute, Banyan Directory Synchronization creates one from the cn of the entry's DN. If the cn includes one or more spaces, the sn is the string that follows the first space. Otherwise the sn and cn are the same.
Banyan Directory Synchronization adds list entries as objectclass = {top,groupOfNames}. Banyan Directory Synchronization ensures that each entry contains the object class groupOfNames and a cn attribute. If the list does not have a cn attribute, the cn from the entry's DN is added to the modification request.
Limiting Synchronization Types and Registry Key NSSyncTypes
By default, synchronization sends StreetTalk user and list entries to Netscape. Customize the types to send with the registry key NSSyncTypes. Enter a string value of u to synchronize users, l to synchronize lists. If the registry key exists, but does not contain a u or l, no entries are synchronized. If the registry key contains both letters, synchronization sends users and lists.
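The following is an added illustration, not Banyan's code, of three rules from this section: the schema filter driven by NSSyncUserObjectclass and NSSyncListObjectclass, the cn and sn guarantees for user and list entries, and the meaning of the NSSyncTypes string. The schema sets are hypothetical subsets of Tables 1 and 2, DN parsing assumes no escaped commas, and all function names are assumptions.

```python
# Added illustration of Banyan Directory Synchronization's entry shaping;
# not the product's code. SCHEMA holds subsets of Tables 1 and 2 (assumption),
# DNs are assumed to contain no escaped commas, function names are hypothetical.
SCHEMA = {
    "inetOrgPerson": {"cn", "sn", "givenName", "description", "objectClass",
                      "ou", "telephoneNumber", "title", "uid", "l", "st"},
    "groupOfNames": {"cn", "description", "objectClass", "ou", "seeAlso",
                     "businessCategory"},
}
# objectClass values each entry type is added with, per the text.
CHAIN = {"user": ["top", "person", "organizationalPerson", "inetOrgPerson"],
         "list": ["top", "groupOfNames"]}


def rdn_cn(dn):
    """cn value of the leftmost RDN ('Jane Smith' from
    'cn=Jane Smith,ou=Sales,o=Banyan'), or None if that RDN is not cn."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if attr.strip().lower() == "cn" else None


def derive_sn(cn):
    """sn is the text after the first space of cn, or cn itself if no space."""
    return cn.split(" ", 1)[1] if " " in cn else cn


def sync_types(registry_value):
    """Entry types to send per NSSyncTypes: key absent means both; a present
    key sends only the types whose letter (u, l) it contains, else nothing."""
    if registry_value is None:
        return {"user", "list"}
    return {kind for kind, letter in (("user", "u"), ("list", "l"))
            if letter in registry_value}


def build_request(dn, collected, kind, objectclass):
    """Drop collected attributes outside `objectclass` (so schema checking on
    the Netscape server does not reject the request), then enforce the
    objectClass/cn/sn guarantees. Returns (request, dropped_attribute_names)."""
    allowed = SCHEMA[objectclass]
    request = {a: list(v) for a, v in collected.items() if a in allowed}
    dropped = set(collected) - allowed
    request["objectClass"] = list(CHAIN[kind])
    if "cn" not in request:
        cn = rdn_cn(dn)
        if cn is None:
            raise ValueError("entry has no cn and its RDN is not cn")
        request["cn"] = [cn]
    if kind == "user" and "sn" not in request:
        request["sn"] = [derive_sn(rdn_cn(dn) or request["cn"][0])]
    return request, dropped
```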
Logging Activity and Registry Key NSSyncDebugFile
Simple logging of synchronization activity is available by entering a full path and file name in the registry key NSSyncDebugFile. Use the debug file only when it is necessary to monitor closely the activity of Banyan Directory Synchronization on the Banyan LDAP for StreetTalk server. Information is also available in the STDA and Banyan LDAP for StreetTalk log files, and on the Netscape Directory Server access and error logs. Debug output is turned on when the registry key NSSyncDebugFile contains a valid file name and path. The log file is created if it does not exist. As a precaution, debug logging is turned off if the log file grows to 10MB.
Initial Synchronization of the Databases
Once Banyan Directory Synchronization is enabled on the Banyan LDAP and Netscape servers, future database modifications are synchronized. You can perform the initial synchronization of the entire Banyan LDAP database either by rebuilding the STDA database or by running the STNSSync.exe application. When you rebuild STDA, StreetTalk entries are written to the Banyan LDAP for StreetTalk database, and the entries are replicated to the Netscape Directory Server.
To synchronize the directories immediately without rebuilding STDA, use the STNSSync.exe application in the LDAP\Support directory on the Netscape server. STNSSync.exe uses LDAP to read the entries from an LDAP for StreetTalk server, reformats the entries for Netscape Directory Server and writes the entries to the Netscape server. STNSSync.exe reads the local configuration of the Banyan LDAP for StreetTalk Server.
To change the configuration, click "Setup". When ready, click "Synchronize". Each entry read by STNSSync.exe and written to Netscape (successfully or unsuccessfully) appears in the list box. Entries that could not be written to Netscape appear in red in the list. The "Entry" column displays the Netscape DN of each entry. If STNSSync.exe cannot write an entry to NSDS, the "Ret" column in the list displays an LDAP error code in hexadecimal format for the entry.
Synchronization errors are also written to the log files. You can cancel synchronization at any time, but entries synchronized prior to cancellation are retained on the Netscape Directory Server. When STNSSync finishes synchronizing the directories, a message box reports the number of entries read from LDAP for StreetTalk and the number of entries written to Netscape Directory Server. For each entry that was read, but not written to NSDS, review the log files to determine the LDAP error code and the cause of the write error. Correct any error conditions and rerun STNSSync.exe. For a listing of the LDAP error codes, refer to Table 4. For more information, refer to RFC 1777, Lightweight Directory Access Protocol.
Table 4: LDAP Error Codes
Description | Error Code (Hexadecimal) | Error Code (Decimal) |
LDAP_SUCCESS | 0x00 | 0 |
LDAP_OPERATIONS_ERROR | 0x01 | 1 |
LDAP_PROTOCOL_ERROR | 0x02 | 2 |
LDAP_TIMELIMIT_EXCEEDED | 0x03 | 3 |
LDAP_SIZELIMIT_EXCEEDED | 0x04 | 4 |
LDAP_COMPARE_FALSE | 0x05 | 5 |
LDAP_COMPARE_TRUE | 0x06 | 6 |
LDAP_AUTH_METHOD_NOT_SUPPORTED | 0x07 | 7 |
LDAP_STRONG_AUTH_NOT_SUPPORTED | 0x07 | 7 |
LDAP_STRONG_AUTH_REQUIRED | 0x08 | 8 |
LDAP_PARTIAL_RESULTS | 0x09 | 9 |
LDAP_REFERRAL | 0x0a | 10 |
LDAP_ADMINLIMIT_EXCEEDED | 0x0b | 11 |
LDAP_UNAVAILABLE_CRITICAL_EXTENSION | 0x0c | 12 |
LDAP_CONFIDENTIALITY_REQUIRED | 0x0d | 13 |
LDAP_SASL_BIND_IN_PROGRESS | 0x0e | 14 |
LDAP_NO_SUCH_ATTRIBUTE | 0x10 | 16 |
LDAP_UNDEFINED_TYPE | 0x11 | 17 |
LDAP_INAPPROPRIATE_MATCHING | 0x12 | 18 |
LDAP_CONSTRAINT_VIOLATION | 0x13 | 19 |
LDAP_TYPE_OR_VALUE_EXISTS | 0x14 | 20 |
LDAP_INVALID_SYNTAX | 0x15 | 21 |
LDAP_NO_SUCH_OBJECT | 0x20 | 32 |
LDAP_ALIAS_PROBLEM | 0x21 | 33 |
LDAP_INVALID_DN_SYNTAX | 0x22 | 34 |
LDAP_IS_LEAF | 0x23 | 35 |
LDAP_ALIAS_DEREF_PROBLEM | 0x24 | 36 |
LDAP_INAPPROPRIATE_AUTH | 0x30 | 48 |
LDAP_INVALID_CREDENTIALS | 0x31 | 49 |
LDAP_INSUFFICIENT_ACCESS | 0x32 | 50 |
LDAP_BUSY | 0x33 | 51 |
LDAP_UNAVAILABLE | 0x34 | 52 |
LDAP_UNWILLING_TO_PERFORM | 0x35 | 53 |
LDAP_LOOP_DETECT | 0x36 | 54 |
LDAP_SORT_CONTROL_MISSING | 0x3c | 60 |
LDAP_INDEX_RANGE_ERROR | 0x3d | 61 |
LDAP_NAMING_VIOLATION | 0x40 | 64 |
LDAP_OBJECT_CLASS_VIOLATION | 0x41 | 65 |
LDAP_NOT_ALLOWED_ON_NONLEAF | 0x42 | 66 |
LDAP_NOT_ALLOWED_ON_RDN | 0x43 | 67 |
LDAP_ALREADY_EXISTS | 0x44 | 68 |
LDAP_NO_OBJECT_CLASS_MODS | 0x45 | 69 |
LDAP_RESULTS_TOO_LARGE | 0x46 | 70 |
LDAP_AFFECTS_MULTIPLE_DSAS | 0x47 | 71 |
LDAP_OTHER | 0x50 | 80 |
LDAP_SERVER_DOWN | 0x51 | 81 |
LDAP_LOCAL_ERROR | 0x52 | 82 |
LDAP_ENCODING_ERROR | 0x53 | 83 |
LDAP_DECODING_ERROR | 0x54 | 84 |
LDAP_TIMEOUT | 0x55 | 85 |
LDAP_AUTH_UNKNOWN | 0x56 | 86 |
LDAP_FILTER_ERROR | 0x57 | 87 |
LDAP_USER_CANCELLED | 0x58 | 88 |
LDAP_PARAM_ERROR | 0x59 | 89 |
LDAP_NO_MEMORY | 0x5a | 90 |
LDAP_CONNECT_ERROR | 0x5b | 91 |
LDAP_NOT_SUPPORTED | 0x5c | 92 |
LDAP_CONTROL_NOT_FOUND | 0x5d | 93 |
LDAP_NO_RESULTS_RETURNED | 0x5e | 94 |
LDAP_MORE_RESULTS_TO_RETURN | 0x5f | 95 |
LDAP_CLIENT_LOOP | 0x60 | 96 |
LDAP_REFERRAL_LIMIT_EXCEEDED | 0x61 | 97 |