[389-users] Problem browsing LDAP with Outlook

Andrey Ivanov andrey.ivanov at polytechnique.fr
Sun Nov 8 15:14:18 UTC 2009

Hi, we have no problem using Outlook to browse LDAP as you describe it. We
have approximately 10000 entries in our LDAP. The only additional tuning we
have made is the optimisation by VLV index and a little change in the ACI
for the VLV Request Control:

# Replace ldap:///all (authenticated users) by ldap:///anyone (everyone,
# including anonymous)
# old aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control";
#  allow(read ,search, compare) userdn = "ldap:///all";)
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
changetype: modify
replace: aci
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control";
  allow(read,search,compare) userdn = "ldap:///anyone";)

# Add a special index for Outlook VLV
dn: cn=Outlook Browse,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: Outlook Browse
objectClass: top
objectClass: vlvsearch
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control";
  allow(read,search,compare) userdn = "ldap:///anyone";)
vlvBase: ou=Users,dc=example,dc=com
vlvFilter: (&(mail=*)(cn=*))
vlvScope: 2

dn: cn=Outlook Browse Index,cn=Outlook Browse,cn=userRoot,cn=ldbm
changetype: add
cn: Outlook Browse Index
objectClass: top
objectClass: vlvindex
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control";
  allow(read,search,compare) userdn = "ldap:///anyone";)
vlvEnabled: 1
vlvSort: cn


2009/11/5 Chris Bryant <cbryant-ical at corp.usa.net>

>    When configuring Microsoft Outlook (not Outlook Express) to access an
> LDAP directory, there is an option to 'Enable Browsing (requires server
> support)'.  If this option is chosen and the directory server supports it,
> then you should be able to open the LDAP address book and page up and down
> through the results.  I have been unable to get this working properly with
> 389 DS.
> When I try to browse from Outlook against the 389 DS directory, I am able
> to see the first page of results perfectly.  However, if I move to the next
> page, only the first object returned will have any attributes included, and
> all of the rest of the objects in the page will have no attributes.  I have
> a test perl script that duplicates this functionality as well.
> I can get this to work properly with an older version of Netscape Directory
> Server, and I can get it working with OpenDS.  Since 389 DS advertises
> support for the controls that are required for this to work, just like the
> other two servers, then I would expect it to work there also.
> Has anyone out there gotten this to work with 389 DS?  If so, can you share
> if there was anything special that you needed to do to get this to work?
> I'm trying to determine if this is a bug in the server, or if I'm just
> missing something in the configuration.
> Thanks,
> Chris
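An added example, not part of the original thread or of 389 DS itself: the ACI change in the reply opens the VLV request control to anonymous binds, so an audit of exported configuration LDIF can list every ACI that grants rights to ldap:///anyone. The sample LDIF (including the oid=1.2.3.4 entry) and all function names are constructed for illustration.

```python
import re

# Constructed sample (not server output): folded LDIF with both ACI states.
SAMPLE_LDIF = '''\
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control";
  allow(read,search,compare) userdn = "ldap:///anyone";)

dn: oid=1.2.3.4,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Constructed control";
  allow(read, search, compare) userdn = "ldap:///all";)
'''

ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
ALLOW = re.compile(r'allow\s*\(([^)]*)\)')
ANON = re.compile(r'userdn\s*=\s*"[^"]*ldap:///anyone', re.I)

def unfold(ldif):
    """Join LDIF continuation lines (RFC 2849: newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)

def parse_entries(ldif):
    """Yield (dn, [aci values]) for each blank-line-separated entry."""
    for block in re.split(r"\n\s*\n", unfold(ldif).strip()):
        dn, acis = None, []
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            elif name.lower() == "aci":
                acis.append(value.strip())
        if dn:
            yield dn, acis

def anonymous_grants(ldif):
    """Return (dn, acl name, sorted rights) for each allow rule open to anyone."""
    findings = []
    for dn, acis in parse_entries(ldif):
        for aci in acis:
            allow = ALLOW.search(aci)
            if allow and ANON.search(aci):
                name = ACL_NAME.search(aci)
                rights = sorted(r.strip() for r in allow.group(1).split(","))
                findings.append((dn, name.group(1) if name else "", rights))
    return findings

if __name__ == "__main__":
    for dn, name, rights in anonymous_grants(SAMPLE_LDIF):
        print(f"{dn}: ACL {name!r} grants {','.join(rights)} to anonymous binds")
```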