GW 2014 R2 SP1 MTA LDAP bug?

My organization has a third party developed system that builds a single global address book between the internal GroupWise and Exchange systems. This has been in place for many years, long before Novell's GroupWise / Exchange sync product.

Our system uses the eDirectory "nGWVisibility" attribute to determine if the user is valid and should be added to the global address list. Since we've upgraded to GW 2014 R2 SP1, new users created in GroupWise no longer create this attribute. These new users get left off the global address list of our Exchange systems unless we go into iManager and manually create this attribute and set the right value. This is cumbersome because it's an extra step when we create new users, and when we disable GW accounts. (We usually leave GW accounts disabled for 2 or 3 months with visibility set to none before we delete.)

Anyway, I started experimenting with the GW LDAP that you can enable from a 2014 R2 SP1 MTA. Here's what I find:

1. If I connect to this GW MTA with an LDAP browser, I can see ALL accounts: disabled, enabled, visibility set to none, etc. When I view the attributes of the GW accounts, I don't see any attribute that shows visibility or enabled/disabled.

2. If I connect to this GW MTA with an Outlook 2016 client configured to use this LDAP server as an address book, I don't see any disabled or visibility-none accounts, which seems to be working correctly.

Our system that builds a global address list runs a query each night. That query, if pointed to our GW MTA LDAP, sees and pulls all accounts regardless of disabled and/or visibility.

So, how does this work correctly in Outlook, but not when querying or LDAP browsing?

What attribute(s) does Outlook see or not see that tells it to only show the proper enabled, "system" visibility accounts? I've had a ticket opened with support, but they have not been able to help.

Thanks!
  • Hi,

    > Our system uses the eDirectory "nGWVisibility" attribute to determine if the user is valid and should be added to the global address list. Since we've upgraded to GW 2014 R2 SP1, new users created in GroupWise no longer create this attribute.

    With GroupWise 2014 being completely directory agnostic, the only attribute that is written back to any associated directory is the email address. Thus you will no longer have the nGWxxxx attributes created in eDirectory.

    You can query a user's visibility using the REST API. I just don't have the full syntax on hand at this moment.

    Cheers,

  • The GW LDAP server will show the visibility of objects based on who is bound to the LDAP service. You get the visibility as you would as the same user in the GW client.

    As Laura mentioned, you could change your system to use the REST API instead of LDAP. Without a full REST tutorial here, the endpoint/URL to get user details is:

    https://10.10.10.10:9710/gwadmin-service/domains/userdom/postoffices/userpo/users/username

    The resulting XML would look like this (lots of info removed):

    <user>
      <id>USER.Utah.Provo.abby</id>
      <name>abby</name>
      <preferredAddressFormat>
        <inherited>true</inherited>
        <inheritedFrom>UtahSys</inheritedFrom>
        <inheritedValue>USER</inheritedValue>
        <value>USER</value>
      </preferredAddressFormat>
      <description>my test account</description>
      <directoryId>edir202</directoryId>
      <domainName>Utah</domainName>
      <visibility>SYSTEM</visibility>
    </user>
    --etc..

    You can also request the data to be returned in JSON format, which I prefer because it's easier to parse.

    --Morris

    View this thread: https://forums.novell.com/showthread.php?t=500204
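    As an added example (not code from the thread or from Micro Focus), this is how a nightly GAL builder could consume the gwadmin-service user record Morris describes instead of relying on the missing nGWVisibility attribute: parse the record, read its visibility, and only admit accounts whose visibility is SYSTEM. The JSON field names, the acceptance of SYSTEM alone, and the sample records are assumptions constructed here; nothing is fetched from a live server.

```python
"""Decide Exchange GAL membership from a GroupWise gwadmin-service user record.

Assumptions (not stated in the thread): the JSON form uses the same field
names as the XML form, and SYSTEM is the only visibility that belongs in the
Exchange global address list. Sample records below are constructed.
"""
import json
import xml.etree.ElementTree as ET

# Visibility values the GAL builder accepts (assumption: SYSTEM only).
GAL_VISIBLE = {"SYSTEM"}


def parse_user_xml(xml_text: str) -> dict:
    """Extract the fields the nightly sync needs from one <user> XML record."""
    root = ET.fromstring(xml_text)
    if root.tag != "user":
        raise ValueError(f"expected <user>, got <{root.tag}>")

    def text(tag: str) -> str:
        node = root.find(tag)
        return node.text.strip() if node is not None and node.text else ""

    return {"id": text("id"), "name": text("name"),
            "domain": text("domainName"), "visibility": text("visibility").upper()}


def parse_user_json(json_text: str) -> dict:
    """Same extraction for the JSON form of the record (field names assumed)."""
    obj = json.loads(json_text)
    return {"id": str(obj.get("id", "")), "name": str(obj.get("name", "")),
            "domain": str(obj.get("domainName", "")),
            "visibility": str(obj.get("visibility", "")).upper()}


def include_in_gal(user: dict) -> bool:
    """Only accepted visibilities reach the GAL; a missing value fails closed."""
    return user["visibility"] in GAL_VISIBLE


def build_gal(records) -> list:
    """Return the names to publish from a mix of XML and JSON user records."""
    users = [parse_user_json(r) if r.lstrip().startswith("{") else parse_user_xml(r)
             for r in records]
    return [u["name"] for u in users if include_in_gal(u)]


# Constructed sample records modelled on the XML posted above.
SAMPLE_XML_SYSTEM = ("<user><id>USER.Utah.Provo.abby</id><name>abby</name>"
                     "<domainName>Utah</domainName><visibility>SYSTEM</visibility></user>")
SAMPLE_XML_NONE = SAMPLE_XML_SYSTEM.replace("SYSTEM", "NONE").replace("abby", "bob")
SAMPLE_JSON = '{"id": "USER.Utah.Provo.cara", "name": "cara", "domainName": "Utah", "visibility": "SYSTEM"}'

if __name__ == "__main__":
    print(build_gal([SAMPLE_XML_SYSTEM, SAMPLE_XML_NONE, SAMPLE_JSON]))  # ['abby', 'cara']
```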
  • Hi.

    On 12.09.2016 at 19:14, plessm wrote:
    > 1. If I connect to this GW MTA with an ldap browser, I can see ALL
    > accounts, disabled, enabled, visibility set to none, etc. When I view
    > the attributes of the GW accounts, I don't see any attribute that shows
    > visibility or enabled/disabled.
    >
    > 2. If I connect to this GW MTA with an Outlook 2016 client configured
    > to use this ldap server as an address book, I don't see any disabled or
    > visibility none accounts, which seems to be working correctly.
    >
    > Our system that builds a global address list runs a query each night.
    > That query if pointed to our GW MTA LDAP sees and pulls all accounts
    > regardless of disabled and/or visibility.
    >
    > So, how does this work correctly in Outlook, but does not work correctly
    > when querying or ldap browsing?


    Personally, I'd take a LAN trace of the LDAP communication to see if
    it's something in the query Outlook does, or if it's a filter Outlook
    applies after having received them all. At any rate, there must be a
    difference visible.

    CU,
    --
    Massimo Rosen
    Micro Focus Knowledge Partner
    No emails please!
    http://www.cfc-it.de
  • Thank you everyone for your helpful replies! I'm trying to figure out how I want to proceed. Thanks again!
  • I spent a long time working with the LDAP config over the last 2 days. We use LDAP to populate our email security as a service provider, Mimecast. There were a couple of things that are weird. One was that the service isn't in the MTA, or it's not controlled by the MTA. It's tied to the gwadminservice. The log is in /var/log/novell/groupwise/gwadmin/gwldap.log. My big problem was making it work over SSL. The key to getting it to work was using an SSL certificate with a password. None of our certificates are password protected. I couldn't understand it until I found the logs. It looked like this:

    2016-09-21 19:09:52 GwLdapServer [INFO] Starting LDAP listener
    2016-09-21 19:09:52 GwLdapServer [INFO] Creating LDAP connection to /mail/domain
    2016-09-21 19:09:52 GwLdapDomainConnection [INFO] Connecting to domain /mail/domain
    2016-09-21 19:09:54 OidRegistry [ERROR] ERR_04287 There is no SchemaObject associated with OID '1.2.840.113556.1.2.146'
    2016-09-21 19:09:54 OidRegistry [ERROR] ERR_04287 There is no SchemaObject associated with OID '1.2.840.113556.1.2.18'
    2016-09-21 19:09:54 OidRegistry [ERROR] ERR_04287 There is no SchemaObject associated with OID '2.16.840.1.113719.1.9.4.15'
    2016-09-21 19:09:54 GwLdapServer [INFO] Creating LDAP listener for 0.0.0.0:636
    2016-09-21 19:09:55 GwLdapServer [ERROR] Exception while initializing GwLdapServer
    java.security.UnrecoverableKeyException: Password must not be null
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:132)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
    at java.security.KeyStore.getKey(KeyStore.java:1023)
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
    at org.apache.directory.server.ldap.LdapServer.loadKeyStore(LdapServer.java:401)
    at com.novell.gw.ldap.server.GwLdapServer.init(GwLdapServer.java:440)
    at com.novell.gw.ldap.server.GwLdapServer.start(GwLdapServer.java:557)
    at com.novell.gw.api.main.GwAdminServiceListener.start(GwAdminServiceListener.java:687)
    at com.novell.gw.api.main.GwAdminService.start(GwAdminService.java:1434)
    at com.novell.gw.api.main.GwAdminService.main(GwAdminService.java:274)
    I've yet to find any kind of template for the service that says what attributes are showing. I suspect it's in one of the jar files.

    Hope this helps