Can't get LDAP to work

[Rick Copeland]

I'm using the latest version of Office and running 10.2.8. I've
successfully connected and have been using Entourage with our Exchange 2000
server since the Office 10.1.4 update came out last year. I can send and
receive mail, all my contacts and calendar events are synchronized--I can
even get the "free/busy" scheduling info to appear.

What I can't figure out is LDAP. I cannot get Directory Services to work.

We have tried everything, and I've read every related article I can find.
Yes, I've tried everything suggested by http://www.entourage.mvps.org. Many
times. I've played with every LDAPv2 and LDAPv3 setting on my iMac. I've
found the Microsoft support bulletin ("Microsoft Knowledge Base Article -
824887") that describes the error I get ("-3260: LDAP Server error, a
connection failure has occurred"). I've checked with our system
administrator here, and everything that we can think of appears to be
running OK on the Exchange 2000 server.

We've tried different port settings, authentication settings... You name it.
I've scoured every newsgroup I could think of through Google Groups. I've
tried every suggestion I found--but nothing works.

What are we overlooking? Does anyone have suggestions? Is there a switch on
the Exchange server that you've found that's not obvious---that needs to be
enabled for LDAP to work? Again, remember that everything else about the
Entourage / Exchange connection is working fine for me, INCLUDING
"free/busy" scheduling information.

Any help greatly appreciated.

Thanks,
Rick

 

[Adam Bailey]

What I can't figure out is LDAP. I cannot get Directory Services to work.

We have tried everything, and I've read every related article I can find.
Yes, I've tried everything suggested by http://www.entourage.mvps.org. Many
times. I've played with every LDAPv2 and LDAPv3 setting on my iMac. I've
found the Microsoft support bulletin ("Microsoft Knowledge Base Article -
824887") that describes the error I get ("-3260: LDAP Server error, a
connection failure has occurred").

What happens if you add your Exchange server as a separate LDAP server?

Does your LDAP server require authentication? There's an AppleScript that
stops Entourage from authenticating with an LDAP server that doesn't require
it.

 

[Rick Copeland]

Tried both already. But just to be sure, I tried them both again. Same
result, same error message.

Rick

 

[Adam Bailey]

Tried both already. But just to be sure, I tried them both again. Same
result, same error message.

Does Apple's Address Book application work with the server?

 

[Rick Copeland]

That's one thing I forgot to mention in my original post. No, the Address
Book doesn't work, either. Never has.

Rick

 

[Corentin Cras-Méneur [MVP]]

That's one thing I forgot to mention in my original post. No, the Address
Book doesn't work, either. Never has.

I had a similar problem up until I decided to dig in the system settings
through the Directory Access application.
I configured the WINS settings (through the SMB settings), enabled
Active Directory as well as the LDAP settings in there (including the
authentication) and since then I have access to the LDAP server (you
need to reboot).

Did you do that ??


Corentin

 

[Rick Copeland]

Corentin,

Well, I've certainly played around in Directory Access enough... But what
you've suggested hasn't worked, either. Same error. Also, there are many,
many settings in Directory Access. Can you be more specific about what
you've used? I know my network is obviously going to be different than
yours, but if I know the details of your settings, perhaps I can alter mine
accordingly.

For example, under the SMB settings, do you have a workgroup specified? Are
you using LDAPv2 or LDAPv3 (or both)? Under LDAPv3, are you using a
DHCP-supplied LDAP server? Is your "LDAP Mapping" set to "Active
Directory"? What Search Base Suffix do you use (if any)? Have you made any
modifications to "Search and Mappings"? And so on...

Feel free to e-mail me directly if you feel that we should take this
discussion off-line for a while. I'm not trying to exclude the newsgroup (I
will post the final answer) but I don't want to bore everyone with the
details, either.

Thanks in advance. I really appreciate your help. This has been driving me
crazy for months!

Rick

 

[Corentin Cras-Méneur [MVP]]

Corentin,

Well, I've certainly played around in Directory Access enough... But what
you've suggested hasn't worked, either. Same error. Also, there are many,
:-<

many settings in Directory Access. Can you be more specific about what
you've used? I know my network is obviously going to be different than
yours, but if I know the details of your settings, perhaps I can alter mine
accordingly.

I enabled
- Active directory (no specific setting)

- LDAPv3 (add a configuration with port and authentication info and
mapped through Active Directory - use "Modify" for the details)

- SMB (with the proper group and WINS host).

For example, under the SMB settings, do you have a workgroup specified? Are
Yes.

you using LDAPv2 or LDAPv3 (or both)? Under LDAPv3, are you using a
DHCP-supplied LDAP server? Is your "LDAP Mapping" set to "Active
Directory"? What Search Base Suffix do you use (if any)? Have you made any
modifications to "Search and Mappings"? And so on...

I'm using v3, LDAP through Active directory (no path specified), not
through DHCP, I added the address and port of the server manually, as
well as my login and password which are required here to access the
server.

Feel free to e-mail me directly if you feel that we should take this
discussion off-line for a while. I'm not trying to exclude the newsgroup (I
will post the final answer) but I don't want to bore everyone with the
details, either.

Well, these details might be interesting/helpful for other people with
similar problems. It's not the first time the problem rizes and probably
not the last time either. It took me a very long time to get this to
work here. These settings are not so obvious and even on our Network, I
couldn't find a net-admin with all the information I needed to set that
up properly.

Thanks in advance. I really appreciate your help. This has been driving me
crazy for months!

Yeah, I know the feeling :-\


Corentin

 

[Rick Copeland]

Corentin,

Sigh... Still not working. I have followed everything you suggested. I
rebooted. Still no LDAP connectivity from Entourage or Address Book.

I'm struggling to even ask the right questions, since I'm not sure what's
really "broken"... But two things come to mind:

(1) You mentioned "LDAPv3 (add a configuration with port and authentication
info and mapped through Active Directory - use "Modify" for the details)"...
I didn't see a "Modify" option; plus, what details, specifically?

(2) Would your net-admin be able to tell me what are the specific settings
that were enabled on the Exchange Server?

And finally, I know this is a lot to ask, but is there any way you can send
me screen shots of your settings in Directory Access?? That would provide
me with all the details (without you having to type them) and would ensure
that I'm doing things exactly as you describe them... If this is too much
trouble, I understand.

Thanks in advance,
Rick

 

[Corentin Cras-Méneur [MVP]]

Corentin,

Hi Rick,

Sigh... Still not working. I have followed everything you suggested. I
rebooted. Still no LDAP connectivity from Entourage or Address Book.

I'm struggling to even ask the right questions, since I'm not sure what's
really "broken"... But two things come to mind:

(1) You mentioned "LDAPv3 (add a configuration with port and authentication
info and mapped through Active Directory - use "Modify" for the details)"...
I didn't see a "Modify" option; plus, what details, specifically?

Sorry, it's Edit (my version says modify in French, I just checked back
in English).
You only have this option once you have created an entry for an LDAP
server in LDAPv3.

(2) Would your net-admin be able to tell me what are the specific settings
that were enabled on the Exchange Server?

Our net-admin refused to tell me... I had to figure it out most of the
settings myself. I stole some ideas from the PCs we have around here and
gathered some more from Outlook 2001. It was all very empirical :-\

And finally, I know this is a lot to ask, but is there any way you can send
me screen shots of your settings in Directory Access?? That would provide
me with all the details (without you having to type them) and would ensure
that I'm doing things exactly as you describe them... If this is too much
trouble, I understand.

I'll do that, but I'll have to blur some fields.

Corentin
r

 

[Rick Copeland]

Corentin,

First, thanks for the screen shots! I really appreciate it... For a while
this morning, I think I got closer, as the error message changed from "3260"
to "3170". Then I tried something else and it went back to the "3260"
error... So, it's still not working, but:

(1) The biggest difference between our configurations is that you have a
Directory Service "service" called "Active Directory"--and I don't! (I
think this is a "plug in"...) Are you running Panther (10.3.x)? That could
be the difference.

(2) Lacking the "Active Directory" service, I went looking for why on the
Apply support site. I found the link for and downloaded the "Mac OSX Server
Administrator's Guide (for 10.2.3 and earlier)". I'm not sure it will help,
but I'm starting to read it...

(3) In the meantime, I've tried changing my "LDAPv3" service settings. No
luck so far. I will try to steal ideas from our PCs here, too.

I REALLY appreciate your help so far. If you can think of anything else,
please let me know.

Thanks,
Rick

 

[Bob Bernstein]

Rick:

Was having the same problem as you and eventually got fixed (initially
playing with the Apple Address Book settings first (you can change settings
on he fly and try them).

I tried the script first and having no experience with Apple scripts, I
wasn't sure if it was doing anything or not.

This morning, while looking at the script, I noticed the script says LDAP
server 1 to false.

The settings for directory services had my LDAP server as the second one in
the list. I changed the script and made it server 2, then tried it and it
worked.

Going back to the Apple address book, my biggest issue was the search base.
I finally tried o=<my company name> and it started to work. That's when I
turned my focus to Entourage.

Being new to Apple OS, I'm not sure how to launch a script automatically (or
if I need to) when the system or Entourage starts. Part of the fun I guess.

Perhaps some of this will help. It's been a long two weeks playing with the
settings. In the mean time, I've become quite a fan of Apple OS.

Take care.


tell application "Microsoft Entourage"
set requires authentication of LDAP server 2 to false
end tell

 

[Rick Copeland]

Bob, thanks for you suggestions! Unfortunately, they did not work for me.

Regards,
Rick

 

[Corentin Cras-Méneur [MVP]]

Corentin,

First, thanks for the screen shots! I really appreciate it... For a while

Sure, no problem.

this morning, I think I got closer, as the error message changed from "3260"
to "3170". Then I tried something else and it went back to the "3260"
error... So, it's still not working, but:

(1) The biggest difference between our configurations is that you have a
Directory Service "service" called "Active Directory"--and I don't! (I
think this is a "plug in"...) Are you running Panther (10.3.x)? That could
be the difference.

I am on Panther, but as far as I remember, I was also able to connect
from Jaguar.

(2) Lacking the "Active Directory" service, I went looking for why on the
Apply support site. I found the link for and downloaded the "Mac OSX Server
Administrator's Guide (for 10.2.3 and earlier)". I'm not sure it will help,
but I'm starting to read it...

(3) In the meantime, I've tried changing my "LDAPv3" service settings. No
luck so far. I will try to steal ideas from our PCs here, too.

I REALLY appreciate your help so far. If you can think of anything else,
please let me know.

:-\ Well, I' starting to run out of options. If ever I can find
anything, I'll post back here.

Corentin

 

[Paul Berkowitz]

Being new to Apple OS, I'm not sure how to launch a script automatically (or
if I need to) when the system or Entourage starts. Part of the fun I guess.

Perhaps some of this will help. It's been a long two weeks playing with the
settings. In the mean time, I've become quite a fan of Apple OS.

Take care.


tell application "Microsoft Entourage"
set requires authentication of LDAP server 2 to false
end tell

Good going. You can set it to run at startup by running it from an Entourage
schedule. Tools/Schedules/New/At Startup/Run AppleScript. Click Script...
button and navigate to the saved script preferably in Entourage Script Menu
Items folder in ~/Documents/Microsoft User Data/. You must save the script
as a Script, not an Application.

--
Paul Berkowitz
MVP Entourage
Entourage FAQ Page: <http://www.entourage.mvps.org/toc.html>
AppleScripts for Entourage: <http://macscripter.net/scriptbuilders/>

Please "Reply To Newsgroup" to reply to this message. Emails will be
ignored.

PLEASE always state which version of Entourage you are using - 2001 or X.
It's often impossible to answer your questions otherwise.

 

[Rick Copeland]

Well, I finally got LDAP to work in Entourage (10.1.5 Office with OS
10.2.8), but I needed to install ADmitMac
(http://www.thursby.com/products/admitmac.html) to do it. Then I had to
examine the settings in ADmitMac and create a new Directory Service account
in Entourage that matched. But it did work, at last.

I'm just running the evaluation license of ADmitMac for now, but I'll
probably purchase it since it enables other, desirable functionality as
well.

Thanks to EVERYONE who tried to help!! Your support encouraged me to
persevere!

Regards,
Rick

 

[Corentin Cras-Méneur [MVP]]

Hi Rick,

Thanks a lot for posting back and letting everyone know how you did it.

Well, I finally got LDAP to work in Entourage (10.1.5 Office with OS
10.2.8), but I needed to install ADmitMac
(http://www.thursby.com/products/admitmac.html) to do it. Then I had to
examine the settings in ADmitMac and create a new Directory Service account
in Entourage that matched. But it did work, at last.

I'm just running the evaluation license of ADmitMac for now, but I'll
probably purchase it since it enables other, desirable functionality as
well.

Thanks to EVERYONE who tried to help!! Your support encouraged me to
persevere!

Corentin