Absent Member.

GW 2014 R2 SP1 MTA LDAP bug?

My organization has a third party developed system that builds a single global address book between the internal GroupWise and Exchange systems. This has been in place for many years, long before Novell's GroupWise / Exchange sync product.

Our system uses the eDirectory "nGWVisibility" attribute to determine if the user is valid and should be added to the global address list. Since we've upgraded to GW 2014 R2 SP1, new users created in GroupWise no longer create this attribute. These new users get left off the global address list of our Exchange systems unless we go in to iManager and manually create this attribute and set the right value. This is cumbersome because it's an extra step when we create new users, and when we disable GW accounts. (We usually leave GW accounts disabled for 2 or 3 months with visibility set to none before we delete.)

Anyway, I started experimenting with the GW LDAP that you can enable from a 2014 R2 SP1 MTA. Here's what I find:

1. If I connect to this GW MTA with an ldap browser, I can see ALL accounts, disabled, enabled, visibility set to none, etc. When I view the attributes of the GW accounts, I don't see any attribute that shows visibility or enabled/disabled.

2. If I connect to this GW MTA with an Outlook 2016 client configured to use this ldap server as an address book, I don't see any disabled or visibility none accounts, which seems to be working correctly.

Our system that builds a global address list runs a query each night. That query if pointed to our GW MTA LDAP sees and pulls all accounts regardless of disabled and/or visibility.

So, how does this work correctly in Outlook, but does not work correctly when querying or ldap browsing?

What attribute(s) does Outlook see or not see that tells it to only show the proper enabled, "system" visibility accounts? I've had a ticket opened with support, but they have not been able to help.

Thanks!
Micro Focus Expert

Re: GW 2014 R2 SP1 MTA LDAP bug?

Hi,

> Our system uses the eDirectory "nGWVisibility" attribute to determine if the user is valid and should be added to the global address list. Since we've upgraded to GW 2014 R2 SP1, new users created in GroupWise no longer create this attribute.


With GroupWise 2014 being completely directory agnostic the only attribute that is written back to any associated directory is the email address. Thus you will no longer have the nGWxxxx attributes created in eDirectory.

You can query user's visibility using the REST API. I just don't have the full syntax on hand at this moment.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
Absent Member.

Re: GW 2014 R2 SP1 MTA LDAP bug?


The GW LDAP server will show the visibility of objects based on who is bound to the LDAP service. You get the visibility as you would as the same user in the GW client.



As Laura mentioned, you could change your system to use the REST API instead of LDAP. Without a full REST tutorial here, the endpoint/url to get user details is:



https://10.10.10.10:9710/gwadmin-service/domains/userdom/postoffices/userpo/users/username



the resulting xml would look like: (lots of info removed)

<user>
  <id>USER.Utah.Provo.abby</id>
  <name>abby</name>
  <preferredAddressFormat>
    <inherited>true</inherited>
    <inheritedFrom>UtahSys</inheritedFrom>
    <inheritedValue>USER</inheritedValue>
    <value>USER</value>
  </preferredAddressFormat>
  <description>my test account</description>
  <directoryId>edir202</directoryId>
  <domainName>Utah</domainName>
  <visibility>SYSTEM</visibility>
</user>

--etc..



You can also request the data to be returned in JSON format, which I prefer because it's easier to parse.



--Morris
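Worked example of the REST approach described in the reply above (added here; not code from the thread or from Micro Focus). It assumes HTTP basic auth with a GroupWise admin account against the admin service on port 9710, that the element names match the XML excerpt above, and that the CA file passed in is the one that issued the admin service's certificate; `include_in_gal` is the per-user decision a nightly GAL build would make instead of reading nGWVisibility from eDirectory.

```python
# Added example (not code from the thread or from Micro Focus): pull one
# user's record from the GroupWise admin REST service and decide GAL
# membership from <visibility>. Assumes basic auth with an admin account,
# port 9710 as in the reply above, and the element names in the posted XML.
import ssl
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample mirroring the shape of the XML posted above (trimmed).
SAMPLE_USER_XML = """<user>
  <id>USER.Utah.Provo.abby</id>
  <name>abby</name>
  <domainName>Utah</domainName>
  <visibility>SYSTEM</visibility>
</user>"""

# Only system-wide visibility belongs in the cross-system GAL; NONE (accounts
# parked before deletion) and any other value are left out.
GAL_VISIBILITY = {"SYSTEM"}

def user_url(host, domain, post_office, user, port=9710):
    return (f"https://{host}:{port}/gwadmin-service/domains/{domain}"
            f"/postoffices/{post_office}/users/{user}")

def parse_visibility(xml_text):
    """Return (name, visibility) from a <user> document; raise on missing fields."""
    root = ET.fromstring(xml_text)
    if root.tag != "user":
        raise ValueError(f"unexpected root element <{root.tag}>")
    name, visibility = root.findtext("name"), root.findtext("visibility")
    if name is None or visibility is None:
        raise ValueError("user record lacks <name> or <visibility>")
    return name, visibility.strip().upper()

def include_in_gal(xml_text):
    """True only when the account's GroupWise visibility is SYSTEM."""
    return parse_visibility(xml_text)[1] in GAL_VISIBILITY

def fetch_user_xml(host, domain, post_office, user, admin, password, cafile):
    """GET the record over TLS; cafile pins trust to the admin service's issuer."""
    req = urllib.request.Request(user_url(host, domain, post_office, user))
    token = base64.b64encode(f"{admin}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/xml")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")
```

A record that lacks `<visibility>` raises rather than silently being treated as visible, so a schema change on the admin service shows up as a failed run instead of a leaked entry.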



Knowledge Partner

Re: GW 2014 R2 SP1 MTA LDAP bug?

Hi.

On 12.09.2016 at 19:14, plessm wrote:
> 1. If I connect to this GW MTA with an ldap browser, I can see ALL
> accounts, disabled, enabled, visibility set to none, etc. When I view
> the attributes of the GW accounts, I don't see any attribute that shows
> visibility or enabled/disabled.
>
> 2. If I connect to this GW MTA with an Outlook 2016 client configured
> to use this ldap server as an address book, I don't see any disabled or
> visibility none accounts, which seems to be working correctly.
>
> Our system that builds a global address list runs a query each night.
> That query if pointed to our GW MTA LDAP sees and pulls all accounts
> regardless of disabled and/or visibility.
>
> So, how does this work correctly in Outlook, but does not work correctly
> when querying or ldap browsing?


Personally, I'd take a Lan Trace of the LDAP communication to see if
it's something in the query Outlook does, or if it's a filter Outlook
applies after having received them all. At any rate, there must be a
difference visible.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
Absent Member.

Re: GW 2014 R2 SP1 MTA LDAP bug?

Thank you everyone for your helpful replies! I'm trying to figure out how I want to proceed. Thanks again!
Super Contributor.

Re: GW 2014 R2 SP1 MTA LDAP bug?

I spent a long time working with the LDAP config over the last 2 days. We use LDAP to populate our email security as a service provider, Mimecast. There were a couple of things that are weird. One was the service isn't in the MTA, or it's not controlled by the MTA. It's tied to the gwadminservice. The log is in /var/log/novell/groupwise/gwadmin/gwldap.log. My big problem was making it work over SSL. The key to getting it to work was using an ssl certificate with a password. None of our certificates are password protected. I couldn't understand it until I found the logs. It looked like this:

2016-09-21 19:09:52 GwLdapServer [INFO] Starting LDAP listener
2016-09-21 19:09:52 GwLdapServer [INFO] Creating LDAP connection to /mail/domain
2016-09-21 19:09:52 GwLdapDomainConnection [INFO] Connecting to domain /mail/domain
2016-09-21 19:09:54 OidRegistry [ERROR] ERR_04287 There is no SchemaObject associated with OID '1.2.840.113556.1.2.146'
2016-09-21 19:09:54 OidRegistry [ERROR] ERR_04287 There is no SchemaObject associated with OID '1.2.840.113556.1.2.18'
2016-09-21 19:09:54 OidRegistry [ERROR] ERR_04287 There is no SchemaObject associated with OID '2.16.840.1.113719.1.9.4.15'
2016-09-21 19:09:54 GwLdapServer [INFO] Creating LDAP listener for 0.0.0.0:636
2016-09-21 19:09:55 GwLdapServer [ERROR] Exception while initializing GwLdapServer
java.security.UnrecoverableKeyException: Password must not be null
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:132)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
at java.security.KeyStore.getKey(KeyStore.java:1023)
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
at org.apache.directory.server.ldap.LdapServer.loadKeyStore(LdapServer.java:401)
at com.novell.gw.ldap.server.GwLdapServer.init(GwLdapServer.java:440)
at com.novell.gw.ldap.server.GwLdapServer.start(GwLdapServer.java:557)
at com.novell.gw.api.main.GwAdminServiceListener.start(GwAdminServiceListener.java:687)
at com.novell.gw.api.main.GwAdminService.start(GwAdminService.java:1434)
at com.novell.gw.api.main.GwAdminService.main(GwAdminService.java:274)
I've yet to find any kind of template for the service that says what attributes are showing. I suspect it's in one of the jar files.

Hope this helps