Microsoft Outlook Express LDAP Client

Frank Grewe

Jan 14, 1999, 3:00:00 AM
Here's the latest, hot off the press, information on configuring
and using the Microsoft Outlook Express LDAP client. Of course,
you must have Outlook Express installed on your PC to use this...


Adding a new LDAP Directory
---------------------------

1) From the "Start" button, select "Find"/"People". This brings up
the LDAP client.

2) The "Look in" pull down menu shows all of the LDAP directories
configured for your client. Use the right mouse button on this
field and select "Directory Services".

3) This brings up a window allowing you to add, remove and change
the properties of LDAP servers. Select the "Add" function to
start the "Internet Connection Wizard".

4) The first panel asks for the name of the "Internet directory
(LDAP) server". Enter the value: "x500.umn.edu". Leave the
box titled "My LDAP server requires me to log on" unchecked,
you are configuring your client to talk with our "anonymous"
service. Press the "Next>" button.

5) The second panel asks "Do you want to check addresses using
this directory service?". I have not tested Outlook Express
with this option selected as yet (I use a different brand).
If someone wishes to check "yes" and give Outlook a try, go
ahead, however I recommend selecting "no" until we have had
the chance to test this option.

6) The third panel allows you to pick a friendly name for this
service. By default it is set to the Internet service name.
If you like, enter a name such as "University of Minnesota".
Then press the "Next>" button.

7) The fourth panel confirms you have finished adding a new LDAP
service. Press the "Finish" button.

8) Now you are back at the panel in step 3. The new LDAP server
should be highlighted (highlight it if it is not). You need
to select the "Properties" button to modify the default settings
used by Microsoft.

9) There should be no need to modify the values of the "General"
tab. The value displayed in the "Directory Service Account"
should be the friendly name you entered in step 6. Under
"Server Information", the "Server Name" should show "x500.umn.edu",
and the option "This server requires me to log on" should be
unchecked. The status of "Check names against this server when
sending mail" matches the value you entered in step 5 above.
Until we have a chance to check this functionality of Outlook
Express I recommend the casual (non-technical) user leave it
unchecked.

10) Make sure the "Advanced" tab has the following values. Under
"Server Port Number", the value of "Directory service (LDAP)"
should be "389". The option "This server requires a secure
connection (SSL)" must be left unchecked (only public information
is ever sent out over this service). Under "Search", set the
"Search time-out" to its smallest value (30 seconds). Leave
the "Maximum number of matches to return" set to "100". In
the empty field titled "Search base", enter:

"o=University of Minnesota,c=US"

The option "Use simple search filter" must be left unchecked.

11) Press the "OK" button, then "Close" the "Internet Accounts"
panel.


Searching using the University of Minnesota LDAP Service
--------------------------------------------------------

1) Again, from the "Start" button, select "Find", then "People"
to start the Microsoft LDAP client. Make sure our directory
is the one listed in the "Look in" field.

2) Searches may be performed by either "Name" or "Email" or both.

3) "Name" search anomalies:

a) If you type in just one word, like "Johnson", a rather simple
(and quick) search is executed for any directory entries with
that string of characters in either their name or e-mail
address. As long as the person you are looking for has a
relatively uncommon last name, this is the quickest way to
find them. But, you can be surprised! Try "Yen" as an example
of a search that returns far more matches than you might
expect (reread the "rules").

b) If you type in two words, like "Fred Bucko", a very complex
search is generated. Although convoluted technically, from
a logical perspective it is very simple. The search will
find two groups of matches:

i) People with the string "Fred" in their first name AND
"Bucko" in their last name, OR
ii) People with the string "Bucko" in their first name AND
"Fred" in their last name.

From the standpoint of narrowing down your matches, this
algorithm is very good and will produce a good match list
for you. However, from a server perspective, the search
is VERY inefficient!!!!! We need to work with our software
vendor to improve the performance of this search. If it
became commonplace for people to execute this type of search,
our X.500 servers would be overloaded quickly.

So, I am asking for some consideration... If this type of
search causes your client to "time out", please, please
realize that you are using EXCESSIVE server resources and
modify your search string before trying again!

c) I'll get into the logic generated with three "words" and
more at the next Technical Coordinators meeting, but in
simple terms it looks for matches on all of "First Name",
"Initials" and "Last Name". The searches get progressively
more convoluted, and progressively more inefficient! Again,
I ask for consideration when a search "times out" that you
do not repeatedly resubmit it!

4) "Email" searches can be simplified to be only the "username"
portion of the address. To find me, search for "fjg", or better
yet, "fjg@". This is an efficient search.

5) When you get your match results, double click on an entry to
bring up a panel which will show you detailed information about
the person. The Microsoft client doesn't fill in several of the
available fields. This is due to the client not requesting the
information (go figure), not our server failing to provide the
values. We will be asking HR to review the data returned to
insure that the best possible values from PeopleSoft are populating
each of the fields, expect a few changes over the next month or so.
Rules for data suppression are followed, so not everyone will have
a home address or phone displayed.

Have fun! Just take it EASY with those complex searches for now!

Frank

Chris Bongaarts

Jan 14, 1999, 3:00:00 AM
As Frank Grewe once put it so eloquently:

> Here's the latest, hot off the press, information on configuring
> and using the Microsoft Outlook Express LDAP client. Of course,
> you must have Outlook Express installed on your PC to use this...

[...]


> Searching using the University of Minnesota LDAP Service
> --------------------------------------------------------

[...]


> 3) "Name" search anomalies:
>
> a) If you type in just one word, like "Johnson", a rather simple
> (and quick) search is executed for any directory entries with
> that string of characters in either their name or e-mail
> address. As long as the person you are looking for has a

[...]


> b) If you type in two words, like "Fred Bucko", a very complex
> search is generated. Although convoluted technically, from
> a logical perspective it is very simple. The search will
> find two groups of matches:
>
> i) People with the string "Fred" in their first name AND
> "Bucko" in their last name, OR
> ii) People with the string "Bucko" in their first name AND
> "Fred" in their last name.

[...]


> 4) "Email" searches can be simplified to be only the "username"
> portion of the address. To find me, search for "fjg", or better
> yet, "fjg@". This is an efficient search.

Just a tiny clarification: Microsoft's search filters look for a
string of characters at the *beginning* of a field. Thus, searching
for "Francis Grewe" or "Fran Grew" will both find Frank, but neither
"ancis grewe" nor "Fran Rewe" will work. This is true of pretty much
all their searches, so the same rules apply to the "email" matching,
too.

%% Christopher A. Bongaarts %% c...@tc.umn.edu
%% ADCS - Internet Enterprise %% http://umn.edu/~cab
%% University of Minnesota %% +1 (612) 625-1809

Douglas E Gogerty

Jan 14, 1999, 3:00:00 AM
> Here's the latest, hot off the press, information on configuring
> and using the Microsoft Outlook Express LDAP client. Of course,
> you must have Outlook Express installed on your PC to use this...
>
>
>
<--SNIP-->

Anyone have any idea why this setup will not work on the Macintosh?
Although the setup procedure is different, I would guess that I have
all the right values in all the right places, but I get the same error
every time no matter what I search for. "LDAP Server Error. LDAP error.
The search cannot be carried out." I'm trying it on version 4.01 if that
makes a difference. Just curious...


--

Douglas E. Gogerty No, I'm from Iowa...
d...@boombox.micro.umn.edu I just work in outer space.
-James T. Kirk

Please direct your help questions and comments to he...@tc.umn.edu

Stephen E Collins

Jan 14, 1999, 3:00:00 AM
>5) The second panel asks "Do you want to check addresses using
> this directory service?". I have not tested Outlook Express
> with this option selected as yet (I use a different brand).
> If someone wishes to check "yes" and give Outlook a try, go
> ahead, however I recommend selecting "no" until we have had
> the chance to test this option.


This option just saves you a couple of extra steps when you need
to "find" a person's e-mail address.

If you check this box, then you can address your message to the
person by name and Outlook will automatically do a "FIND" when
you post the message.

For example, if you type "stephen collins" in the "To:" field of
your message, Outlook will automatically do a "Find" for you, put
up a selection of the "hits" and you can just pick which entry
and Outlook will automatically use that e-mail address.

The impact on the server won't be any different between
doing this and doing a "Find" manually.

We've encouraged our users in the College of Education to make
use of this option for our LDAP server.

Stephen E. Collins
s...@web66.umn.edu

Stephen E Collins

Jan 14, 1999, 3:00:00 AM
Frank:

Thanks a million for starting to resolve the problems with
the University's LDAP service. This will really help our
users.

With regard to your comments about HR data, what would
really help is if you could (for staff at least) populate
an "OU" field or two with their organizational units. That
way, we could configure an LDAP service to find people
within just our department in addition to the entry for
the entire U.

That is, say you populated with "ou=College of Education",
then we could configure an LDAP service for the entire
University and a second for "College of Education", just
by setting the search base to:

"ou=College of Education,o=University of Minnesota,c=US"

This makes Directory Services even better. Then if you
search the "departmental" entry, your search for "collins"
would turn up only the entry or two in the department,
instead of the 150 "collins" entries in the entire U.

Stephen E. Collins
s...@web66.umn.edu


>----- Forwarded Message Starts Here -----


>
>From: f...@tc.umn.edu
>Date: Thu, 14 Jan 1999 13:39:10 -0600
>To: ema...@tc.umn.edu
>Subject: Microsoft Outlook Express LDAP Client
>
>Here's the latest, hot off the press, information on configuring
>and using the Microsoft Outlook Express LDAP client. Of course,
>you must have Outlook Express installed on your PC to use this...
>
>

>5) When you get your match results, double click on an entry to
> bring up a panel which will show you detailed information about
> the person. The Microsoft client doesn't fill in several of the
> available fields. This is due to the client not requesting the
> information (go figure), not our server failing to provide the
> values. We will be asking HR to review the data returned to
> insure that the best possible values from PeopleSoft are populating
> each of the fields, expect a few changes over the next month or so.
> Rules for data suppression are followed, so not everyone will have
> a home address or phone displayed.
>
>Have fun! Just take it EASY with those complex searches for now!
>
>Frank
>

>----- Forwarded Message Ends Here -----
>
>========================================================================
> Philip H. Kachelmyer voice: (612) 625-6821
> Academic and Distributed Computing Services fax: (612) 625-6817
> University of Minnesota e-mail: p...@tc.umn.edu
> 190 Shepherd Labs
> 100 Union St. SE People don't fail, they give up
> Minneapolis, MN 55455 USA
>
>
>
>

Frank Grewe

Jan 14, 1999, 3:00:00 AM
Stephen E Collins wrote:
>
> Frank:
>
> Thanks a million for starting to resolve the problems with
> the University's LDAP service. This will really help our
> users.

Douglas E Gogerty wrote:

> Although the setup procedure is different, I would guess that I have
> all the right values in all the right places, but I get the same
> error every time no matter what I search for. "LDAP Server Error.
> LDAP error.
> The search cannot be carried out." I'm trying it on version 4.01 if
> that makes a difference. Just curious...

Karin Teder wrote:

> I had the same experience with Outlook on a PC as well as a Mac.
> And also didn't have any luck with Macintosh Netscape,
> on two separate machines. Tried two different versions
> of Netscape, too.

You MUST have the latest and greatest versions of the LDAP client!
Older versions of the LDAP client were, to put it politely, "brain
dead". I use Netscape Communicator 4.5, it is the first version
of Netscape to do it close to right, don't even bother with older
versions!!!!!!!

The issue with LDAP has been (and still is, but to a far lesser
degree) that no two clients wanted the same response from the
server. It was the "non-standard standard"!

Frank

Stephen E. Collins

Jan 15, 1999, 3:00:00 AM
>Stephen E Collins wrote:
>>
>> Frank:
>>
>> Thanks a million for starting to resolve the problems with
>> the University's LDAP service. This will really help our
>> users.
[SNIP]

>The issue with LDAP has been (and still is, but to a far lesser
>degree) that no two clients wanted the same response from the
>server. It was the "non-standard standard"!

Well, I don't mean to be argumentative, but we've been using various
LDAP clients with other LDAP services successfully for well
over a year without many problems. That includes Four11,
SwitchBoard, BigFoot, etc, and our own college LDAP server. It is
only the University's LDAP service which has been problematic.

Realizing there are differences in the way clients and servers
populate their data fields, if all these other LDAP services (including
our college) can successfully provide LDAP information connectivity, is
it expecting too much for the University's LDAP service to work as well?

Before you blame problems on the client instead of the U server,
you might want to try that client against other servers first.


>You MUST have the latest and greatest versions of the LDAP client!
>Older versions of the LDAP client were, to put it politely, "brain
>dead". I use Netscape Communicator 4.5, it is the first version
>of Netscape to do it close to right, don't even bother with older
>versions!!!!!!!

We've been successful with older versions of Netscape, and with
older versions of Outlook Express, all the way back to Microsoft
Internet Mail. The biggest problem we've seen is that users
must specify the search base absolutely correctly--no extra
spaces, no punctuation changes, etc.


Stephen E Collins
s...@web66.umn.edu

Chris Bongaarts

Jan 15, 1999, 3:00:00 AM
As Stephen E Collins once put it so eloquently:

> With regard to your comments about HR data, what would
> really help is if you could (for staff at least) populate
> an "OU" field or two with their organizational units. That
> way, we could configure an LDAP service to find people
> within just our department in addition to the entry for
> the entire U.
>
> That is, say you populated with "ou=College of Education",
> then we could configure an LDAP service for the entire
> University and a second for "College of Education", just
> by setting the search base to:
>
> "ou=College of Education,o=University of Minnesota,c=US"
>
> This makes Directory Services even better. Then if you
> search the "departmental" entry, your search for "collins"
> would turn up only the entry or two in the department,
> instead of the 150 "collins" entries in the entire U.

Because our LDAP server is really just a frontend to the X.500
directory, we are constrained by the existing structure of the
directory. (You can browse the directory structure most easily using
the Gopher interface - gopher://x500.umn.edu/. IE4 doesn't seem to
like it; NS4.5 does.)

Note also that this structure will be changing once students are moved
into Peoplesoft and consolidation of entries begins (since people
exist once in Peoplesoft regardless of student/staff status).

Also note that even though the ou in the distinguished name does not
contain the department, the entry itself does have an ou= field that
is populated with the department name of your primary department.
Thus, while you cannot set the search base to limit the scope, LDAP
clients that allow you to specify an advanced search (such as NS4.5)
can use their "department" field to limit matches. Of course, you have
to know what text Peoplesoft uses for a department code to do this
sort of search. :/
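
An added example, not part of any post in this thread: the two-word name search and the "fjg@" e-mail search described at the top of the thread, written as LDAP filter strings with the beginning-of-field matching pointed out in the first reply, plus the restriction by the entry's own ou= attribute from the post above. The attribute names (givenName, sn, mail, ou), the helper names, the sample entry and the department text are assumptions; the thread does not show the filters the client actually sends.

```python
# Added example. Attribute names (givenName, sn, mail, ou) are assumptions;
# the thread does not name the attributes the client actually queries.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(text):
    """Escape RFC 4515 filter metacharacters in typed input."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def starts_with(attr, word):
    """Initial-substring assertion: `word` at the beginning of `attr`."""
    return f"({attr}={escape_value(word)}*)"


def two_word_filter(query):
    """(first AND last) OR (last AND first), as described for 'Fred Bucko'."""
    a, b = query.split()
    return (f"(|(&{starts_with('givenName', a)}{starts_with('sn', b)})"
            f"(&{starts_with('givenName', b)}{starts_with('sn', a)}))")


def email_filter(user):
    """Single assertion on one attribute: the cheap 'fjg@' style search."""
    return starts_with("mail", user)


def in_department(inner, dept):
    """Narrow any filter by the entry's own ou= attribute, not the search base."""
    return f"(&(ou={escape_value(dept)}){inner})"


def two_word_match(entry, query):
    """Apply the two-word logic locally to one entry (case-insensitive)."""
    a, b = (w.lower() for w in query.split())
    given, sn = entry["givenName"].lower(), entry["sn"].lower()
    return ((given.startswith(a) and sn.startswith(b))
            or (given.startswith(b) and sn.startswith(a)))


# Constructed sample entry and department text, for illustration only.
SAMPLE = {"givenName": "Francis", "sn": "Grewe", "ou": "Example Department"}

if __name__ == "__main__":
    print(two_word_filter("Fred Bucko"))
    print(email_filter("fjg@"))
    print(in_department(email_filter("fjg"), SAMPLE["ou"]))
    for q in ("Fran Grew", "ancis grewe", "Fran Rewe"):
        print(q, "->", two_word_match(SAMPLE, q))
    # Metacharacters in typed input are escaped instead of changing the filter.
    print(two_word_filter("Fred Bu*(ck)o"))
```

The two-word filter carries four substring assertions inside an OR of two ANDs, against one assertion for the e-mail search, which is the difference in server work the first post asks users to keep in mind.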
