Hi, hello:

I've just installed the Fedora Directory Server (on a Fedora 3 machine) and I seem to have all modules up and running. I've created one user and I can "browse" the DS server from another machine using a Java based tool.

What isn't clear to me is where do I go from here? What entries do I need to create in the Directory Console so that the user can (for example) access a Thunderbird contact list in the DS? Or a 'favorites' url list?

thanks,
Chris Curran

On Tue, 2005-08-02 at 13:59 -0400, Chris Curran wrote:
> Hi, hello:
>
> I've just installed the Fedora Directory Server (on a Fedora 3
> machine) and I seem to have all modules up and running. I've created
> one user and I can "browse" the DS server from another machine using a
> Java based tool.
>
> What isn't clear to me is where do I go from here? What entries do I
> need to create in the Directory Console so that the user can (for
> example) access a Thunderbird contact list in the DS? Or a 'favorites'
> url list?
>
> thanks,
> Chris Curran
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

Hey Chris,

You should check out the administrator's guide:

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/adminTOC.html

adam

Thanks Adam - I have consulted the Admin Guide. I don't see anything in there that covers any specific need - like how to add entries that will be used as a contact list from Thunderbird (what schema, what object class, what attributes?).

The admin guide seems very generic... Did I miss something?

thanks,
Chris Curran

On 8/2/05, Adam Stokes <astokes@redhat.com> wrote:
> Hey Chris,
>
> You should check out the administrator's guide :
>
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/adminTOC.html
>
> adam

Chris Curran wrote:
> Thanks Adam - I have consulted the Admin Guide. I don't see anything
> in there that covers any specific need - like how to add entries that
> will be used as a contact list from Thunderbird (what schema, what
> object class, what attributes?).
>
> The admin guide seems very generic... Did I miss something?

No. You should check the Thunderbird docs or try a tbird mailing list or IRC channel.

> thanks,
> Chris Curran
>
> On 8/2/05, Adam Stokes <astokes@redhat.com> wrote:
>
> > Hey Chris,
> >
> > You should check out the administrator's guide :
> >
> > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/adminTOC.html
> >
> > adam

Rich,

Thanks - I tried that route before posting here. There seems to be plenty of help if you're using Tbird and OpenLDAP, but I find none for Tbird and FDS...

thanks,
Chris Curran

On 8/2/05, Rich Megginson <rmeggins@redhat.com> wrote:
> No. You should check the Thunderbird docs or try a tbird mailing list or
> IRC channel.

On Tue, 2005-08-02 at 15:15 -0400, Chris Curran wrote:
> Rich,
>
> Thanks - I tried that route before posting here. There seems to be
> plenty of help if you're using Tbird and OpenLDAP, but I find none for
> Tbird and FDS...
>
> thanks,
> Chris Curran
>
> On 8/2/05, Rich Megginson <rmeggins@redhat.com> wrote:
> > No. You should check the Thunderbird docs or try a tbird
> > mailing list or IRC channel.

Sounds like a good wiki entry. If I can find some time I'll get something posted. Other than that, a default install of FDS should listen on port 389, so it's just a matter of configuring TBird to use the base dn and correct port. In my experience the entries should contain the inetorgperson objectclass.

Chris Curran wrote:
> Rich,
>
> Thanks - I tried that route before posting here. There seems to be
> plenty of help if you're using Tbird and OpenLDAP, but I find none for
> Tbird and FDS...

The information for OpenLDAP is generally applicable to FDS, especially the schema which can be easily translated - http://directory.fedora.redhat.com/wiki/Howto:OpenLDAPMigration

> thanks,
> Chris Curran
>
> On 8/2/05, Rich Megginson <rmeggins@redhat.com> wrote:
>
> > No. You should check the Thunderbird docs or try a tbird mailing
> > list or IRC channel.

It all depends on your client apps. Client apps, in this case, are pretty much anything that talks to the directory server (i.e. thunderbird, a mail server that uses ldap for user info, etc.).

In the case of using thunderbird as an addressbook client:
1. click on the addressbook button.
2. under the file menu, select new->LDAP Directory
3. For the name, put a name, like "Corporate directory". For hostname, put the name of your ldap server. For basedn, put the suffix (top of your tree). Set the port number to whatever you configed directory server for (probably leave as 389).
4. If you don't have anonymous access (I think the default aci's leave it on), enter the dn of your account (probably something like uid=jdoe,ou=people,dc=example,dc=com).

Save that, and you should now be able to use that directory when composing email (by clicking "contacts").

That configs thunderbird to look at the directory. You have to populate the directory server with users then, and there are lots of ways to do that, such as console, ldif, etc. I think Thunderbird probably only looks at objectclass=person or something like that - look at the directory server access logs to see exactly what it is looking for to find entries, then put users in that match that and meet schema requirements.

For a purely contact type entry, probably something that is objectclass top, person, organizationalperson, and inetorgperson would do it. Then populate things like givenname, cn, sn, mail, telephonenumber, facsimiletelephonenumber, mobile (aka cell), pager, l (aka city), st, street, postaladdress, postalcode, etc. Start with creating a user in console, then figure out what data you want to see, then figure out what attribute is appropriate and add it.

- Jeff

Chris Curran wrote:
> Thanks Adam - I have consulted the Admin Guide. I don't see anything
> in there that covers any specific need - like how to add entries that
> will be used as a contact list from Thunderbird (what schema, what
> object class, what attributes?).
>
> The admin guide seems very generic... Did I miss something?
>
> thanks,
> Chris Curran
>
> On 8/2/05, Adam Stokes <astokes@redhat.com> wrote:
>
> > Hey Chris,
> >
> > You should check out the administrator's guide :
> >
> > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/adminTOC.html
> >
> > adam

Thanks Jeff. I already have Tbird logging into FDS - what I don't have is any info showing up in Tbird. Further, I tried to export my current data so that I could see what FDS is expecting, but it errors out on 'userroot' with "export failed (-1)".

As to digging around in the log files... That's not really an option. We were evaluating FDS with the object being to purchase RHDS... Being fresh back from an hour long meeting, well, the edict from above is to find complete documentation on how to make FDS/RHDS interoperate with Tbird or drop the project.

thanks,
Chris Curran

Chris,

The mozilla website lists what LDAP attributes Thunderbird uses on this page:

http://www.mozilla.org/projects/thunderbird/specs/ldap.html

You can add users through the console by going into the "Directory" tab, right clicking on the container that you want to create your user in, and selecting "new -> user". This will allow you to fill in all of the basic data that Thunderbird will look for. If you want to add some other attribute, just click on the "advanced" button in the new user dialog to add it to the entry.

-NGK

Chris Curran wrote:
> Thanks Jeff. I already have Tbird logging into FDS

Tbird logging into FDS? What does that mean?

> - what I don't have is any info showing up in Tbird. Further, I tried
> to export my current data

From what system? From OpenLDAP?

> so that I could see what FDS is expecting, but it errors out on
> 'userroot' with "export failed (-1)".

Can you tell me how to reproduce this error?

> As to digging around in the log files... That's not really an option.
> We were evaluating FDS with the object being to purchase RHDS... Being
> fresh back from an hour long meeting, well, the edict from above is to
> find complete documentation on how to make FDS/RHDS interoperate with
> Tbird or drop the project.

There does not exist "officially supported" documentation either from Fedora or Red Hat or Mozilla. You might be able to find something with Google. I would be surprised if there were officially supported documentation from any Directory Server vendor with respect to Thunderbird integration since it's relatively new.

> thanks,
> Chris Curran

Rich,

> Tbird logging into FDS? What does that mean?

I have a LDAP server setup in my Tbird Address Book. To test the connection, in Tbird addr book I choose the 'Offline' tab then 'Download Now'. It asks me for a username and password - I enter them and at that point I'm back where I began in Tbird. I check the log files in FDS (access) and there are a number of entries - all those beginning with "RESULT" have "err=0". Therefore, I conclude that I am logging into FDS without error.

> From what system? From OpenLDAP?

From FDS.

> Can you tell me how to reproduce this error?

Choose the 'Export' option on the 'Tasks' tab. Any permutation that I tried resulted in the same error (userroot).

> There does not exist "officially supported" documentation either from Fedora
> or Red Hat or Mozilla. You might be able to find something with Google. I
> would be surprised if there were officially supported documentation from any
> Directory Server vendor with respect to Thunderbird integration since it's
> relatively new.

Uhh... Tbird/Mozilla Mail has been around for a number of years and certainly can't be called "new". I don't know about other vendors; this is the first Directory Server I have evaluated (although the Sun salesperson I spoke to told me they support Tbird - how I don't know - we'll find out next week).

thanks,
Chris Curran

Chris Curran wrote:
> Rich,
>
> > Tbird logging into FDS? What does that mean?
>
> I have a LDAP server setup in my Tbird Address Book. To test the
> connection, in Tbird addr book I choose the 'Offline' tab then
> 'Download Now'. It asks me for a username and password - I enter them
> and at that point I'm back where I began in Tbird. I check the log
> files in FDS (access) and there are a number of entries - all those
> beginning with "RESULT" have "err=0". Therefore, I conclude that I am
> logging into FDS without error.

How did you populate your FDS database?

> > From what system? From OpenLDAP?
>
> From FDS.
>
> > Can you tell me how to reproduce this error?
>
> Choose the 'Export' option on the 'Tasks' tab. Any permutation that I
> tried resulted in the same error (userroot).
>
> > There does not exist "officially supported" documentation either
> > from Fedora or Red Hat or Mozilla. You might be able to find
> > something with Google. I would be surprised if there were
> > officially supported documentation from any Directory Server
> > vendor with respect to Thunderbird integration since it's
> > relatively new.
>
> Uhh... Tbird/Mozilla Mail has been around for a number of years and
> certainly can't be called "new". I don't know about other vendors;
> this is the first Directory Server I have evaluated (although the Sun
> salesperson I spoke to told me they support Tbird - how I don't know -
> we'll find out next week).

There are several folks in the FDS community who have successfully used FDS as their Tbird address book. So I know FDS supports it. It's just that we don't have any official documentation.

> thanks,
> Chris Curran

> -----Original Message-----
> From: fedora-directory-users-bounces@redhat.com
> [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Chris Curran
> Sent: Tuesday, August 02, 2005 4:03 PM
> To: fedora-directory-users@redhat.com
> Subject: Re: [Fedora-directory-users] What next?
>
> Rich,
>
> > Tbird logging into FDS? What does that mean?
>
> I have a LDAP server setup in my Tbird Address Book. To test
> the connection, in Tbird addr book I choose the 'Offline' tab
> then 'Download Now'. It asks me for a username and password -
> I enter them and at that point I'm back where I began in
> Tbird. I check the log files in FDS (access) and there are a
> number of entries - all those beginning with "RESULT" have
> "err=0". Therefore, I conclude that I am logging into FDS
> without error.
>
> > From what system? From OpenLDAP?
>
> From FDS.

Why are you trying to export data from FDS? I thought you didn't have any data in FDS and that this was your problem?

It really sounds to me like you simply don't have any users with the correct objectclasses/attributes in FDS - there is nothing special about any mail client that speaks LDAP that needs to be "supported" in the server, so exactly the same schema used for openldap, or Sun DS will work for FDS.

There have been a number of posts all with reasonable suggestions on getting things going: what objectclasses to add, what attributes thunderbird looks for, how to add users using the console - it is all there. You would need to do the same thing on any LDAP server, and from the looks of it, every LDAP server would already be configured out of the box to support Tbird.

Darren Fulton
2005-Aug-03 11:30 UTC
[Fedora-directory-users] I need help enabling SSL for Fedora DS
The documentation for enabling SSL for Fedora DS at http://directory.fedora.redhat.com/wiki/Howto:SSL includes instructions for creating an LDIF file at /tmp/ssl_enable.ldif. That file contains a section that reads:

dn: cn=RSA,cn=encryption,cn=config
changetype: modify
add: nsSSLPersonalitySSL
nsSSLPersonalitySSL: Server-Cert

That means, it seems, to modify the dn: cn=RSA,cn=encryption,cn=config. That RSA section does not seem to exist so running the ldif generates errors. I do see cn=encryption,cn=config, but not cn=RSA,cn=encryption,cn=config

I know some of you have SSL working already. How did you do it?

I installed Fedora-DS, went through the Samba How-to, configured Pam to authenticate through LDAP and that all worked. I then tried the SSL How-to and ran into this problem. It is possible that I missed a step, but I don't think so because I went through it twice.

Thanks,

Darren Fulton

Adam Stokes
2005-Aug-03 13:11 UTC
Re: [Fedora-directory-users] I need help enabling SSL for Fedora DS
On Wed, 2005-08-03 at 06:30 -0500, Darren Fulton wrote:
> The documentation for enabling SSL for Fedora DS at http://directory.fedora.redhat.com/wiki/Howto:SSL includes instructions for creating an LDIF file at /tmp/ssl_enable.ldif. That file contains a section that reads:
>
> dn: cn=RSA,cn=encryption,cn=config
> changetype: modify
> add: nsSSLPersonalitySSL
> nsSSLPersonalitySSL: Server-Cert
>
> That means, it seems, to modify the dn: cn=RSA,cn=encryption,cn=config. That RSA section does not seem to exist so running the ldif generates errors. I do see cn=encryption,cn=config, but not cn=RSA,cn=encryption,cn=config
>
> I know some of you have SSL working already. How did you do it?
>
> I installed Fedora-DS, went through the Samba How-to, configured Pam to authenticate through LDAP and that all worked. I then tried the SSL How-to and ran into this problem. It is possible that I missed a step, but I don't think so because I went through it twice.
>
> Thanks,
>
> Darren Fulton

Hey Darren,

Thanks for pointing that out. Please create an ldif /tmp/addrsa.ldif and have the following:

dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)

Use ldapadd to add the entry into the directory server. I'll fix the how-to now as well :)

adam

Chris Curran wrote:
> I have a LDAP server setup in my Tbird Address Book. To test the
> connection, in Tbird addr book I choose the 'Offline' tab then
> 'Download Now'. It asks me for a username and password - I enter them
> and at that point I'm back where I began in Tbird. I check the log
> files in FDS (access) and there are a number of entries - all those
> beginning with "RESULT" have "err=0". Therefore, I conclude that I am
> logging into FDS without error.

This just means there was no error when it did what you asked it for. It doesn't necessarily mean you (i.e. tbird) asked it for the right thing. :)

If you grep the access log on conn=#, where # is the connection # from thunderbird, you'll see a number of things:
1. What thunderbird connected as - either a dn, or "" (i.e. anonymous).
2. What basedn it is searching on - this needs to match something that is in your directory.
3. The search filter you used - this needs to match some data in your directory.
4. The number of results that matched the search - if this is 0, and err is also 0, it means you did a valid search, but didn't match anything in the directory.
5. The error result - err=0 just means the search you did was "valid", though it might not be what you want.

Note also that there are multiple operations within one session, each of which can have an error. The following is a sample output of the logs from thunderbird for a typical online search:

==========================================================

The initial connection:

[03/Aug/2005:11:04:42 -0400] conn=28 fd=71 slot=71 connection from 192.168.1.181 to 192.168.1.201

The bind - in this case, I have tbird binding as anonymous. err=0 means the bind was successful:

[03/Aug/2005:11:04:42 -0400] conn=28 op=0 BIND dn="" method=128 version=3
[03/Aug/2005:11:04:42 -0400] conn=28 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""

The search. In this case, my directory server's base dn is o=isp. Thunderbird searches for all entries that contain what you typed in mail, cn, givenname, or sn. The access log also shows the list of attributes tbird is asking the directory to return. Includes a number of custom tbird attributes (which you'd have to extend your schema to support) as well as a number of standard attributes, such as mail, cn, sn, givenname, telephonenumber, etc. err=0, so the search was successful, but nentries also equals 0, meaning that I had no matching data in my server (which is true - I haven't put anything in this server I pointed at yet).

[03/Aug/2005:11:05:06 -0400] conn=28 op=1 SRCH base="o=isp" scope=2 filter="(|(mail=*jeff*)(cn=*jeff*)(givenName=*jeff*)(sn=*jeff*))" attrs="modifyTimestamp xmozillausehtmlmail description notes custom4 custom3 custom2 custom1 birthyear homeurl workurl nscpaimscreenname c company o departmentNumber department orgunit ou title c zip postalCode region st l l street postOfficeBox carphone cellphone mobile pagerphone pager facsimileTelephoneNumber facsimileTelephoneNumber homePhone telephoneNumber xmozillasecondemail mail xmozillanickname displayName cn cn sn sn givenName"
[03/Aug/2005:11:05:06 -0400] conn=28 op=1 RESULT err=0 tag=101 nentries=0 etime=0

Note that this showed 3 operations, of which any could contain an error. Also, note that thunderbird has the option to add a custom filter (on the advanced tab), so you can limit searches to, say, objectclass=person (default is objectclass=*, which is all entries in the directory).

One thing that's different - you said you are downloading for offline use. I added a test user, and did what you did - clicked on properties, offline, then download now. It asks for a username and password, and here's what the logs show:

==========================================================

Initial connection:

[03/Aug/2005:11:20:22 -0400] conn=51 fd=77 slot=77 connection from 192.168.1.181 to 192.168.1.201

Binds as anonymous ('cause I didn't enter a DN to bind as):

[03/Aug/2005:11:20:22 -0400] conn=51 op=0 BIND dn="" method=128 version=3
[03/Aug/2005:11:20:22 -0400] conn=51 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""

Searches for the "username" I entered. Looking at the logs, thunderbird looks at the mail attribute to match username to an entry. So - the "username" you have to enter is the email address of whoever you want to log in as. Once I did that, it worked (err=0, and nentries=1, which means it found my entry).

[03/Aug/2005:11:20:33 -0400] conn=51 op=1 SRCH base="o=isp" scope=2 filter="(mail=jclowser@example.com)" attrs="cn"
[03/Aug/2005:11:20:33 -0400] conn=51 op=1 RESULT err=0 tag=101 nentries=1 etime=0

Once it finds my entry, it unbinds and closes the connection:

[03/Aug/2005:11:20:34 -0400] conn=51 op=2 UNBIND
[03/Aug/2005:11:20:34 -0400] conn=51 op=2 fd=77 closed - U1

Opens a new connection:

[03/Aug/2005:11:20:34 -0400] conn=52 fd=79 slot=79 connection from 192.168.1.181 to 192.168.1.201

Binds as the DN of my entry (what it found above). err=0, so it binds successfully with my password:

[03/Aug/2005:11:20:34 -0400] conn=52 op=0 BIND dn="uid=jclowser,o=isp" method=128 version=3
[03/Aug/2005:11:20:34 -0400] conn=52 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jclowser,o=isp"

The following is interesting, and maybe meaningless against FDS (I guess it's looking for some kind of changelog indicator, so it only dl's new stuff)? FDS provides the dataversion, but not the others, and adding users doesn't seem to change dataversion, so not sure if this is meaningful against FDS (and it's probably just for efficiency anyway, so nothing critical):

[03/Aug/2005:11:20:34 -0400] conn=52 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="changeLog firstchangenumber lastchangenumber dataversion"
[03/Aug/2005:11:20:34 -0400] conn=52 op=1 RESULT err=0 tag=101 nentries=1 etime=0

Next, searches the directory for all the entries. In my case, this is successful and returns 4 entries:

[03/Aug/2005:11:32:10 -0400] conn=52 op=2 SRCH base="o=isp" scope=2 filter="(objectClass=*)" attrs=ALL
[03/Aug/2005:11:32:10 -0400] conn=52 op=2 RESULT err=0 tag=101 nentries=4 etime=0

My guess is that thunderbird will search against the live directory if you are online, or against what was downloaded if you are offline.

Note that if your directory has a lot of users, you may very well hit the sizelimit, and not get the entire directory. You probably want to add nsSizeLimit to any users that do this, and set it to -1 (or at least to the number of users in your directory), and further set the objectclass to something other than objectclass=* in mozilla (say, "objectclass=person", or "(|(objectclass=person)(objectclass=mailgroup))", or "(mail=*)" or something appropriate to your data) for efficiency.

- Jeff
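
The access-log reading described in the message above (group by conn=#, then look at the bind DN, search base, filter, nentries and err), written out as a Python script. This is an added example, not part of the original thread or of the Fedora DS project; the function names are illustrative, the sample lines follow the format quoted in the post with the attrs list shortened, and conn=60 is constructed to show a failed bind.

```python
import re
from collections import defaultdict

# Sample lines in the access-log format quoted in the post above.
# attrs lists are shortened and conn=60 is constructed for illustration.
SAMPLE_LOG = """\
[03/Aug/2005:11:04:42 -0400] conn=28 fd=71 slot=71 connection from 192.168.1.181 to 192.168.1.201
[03/Aug/2005:11:04:42 -0400] conn=28 op=0 BIND dn="" method=128 version=3
[03/Aug/2005:11:04:42 -0400] conn=28 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[03/Aug/2005:11:05:06 -0400] conn=28 op=1 SRCH base="o=isp" scope=2 filter="(|(mail=*jeff*)(cn=*jeff*)(givenName=*jeff*)(sn=*jeff*))" attrs="mail cn sn givenName"
[03/Aug/2005:11:05:06 -0400] conn=28 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[03/Aug/2005:11:20:34 -0400] conn=52 fd=79 slot=79 connection from 192.168.1.181 to 192.168.1.201
[03/Aug/2005:11:20:34 -0400] conn=52 op=0 BIND dn="uid=jclowser,o=isp" method=128 version=3
[03/Aug/2005:11:20:34 -0400] conn=52 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jclowser,o=isp"
[03/Aug/2005:11:32:10 -0400] conn=52 op=2 SRCH base="o=isp" scope=2 filter="(objectClass=*)" attrs=ALL
[03/Aug/2005:11:32:10 -0400] conn=52 op=2 RESULT err=0 tag=101 nentries=4 etime=0
[03/Aug/2005:11:40:00 -0400] conn=60 op=0 BIND dn="uid=nobody,o=isp" method=128 version=3
[03/Aug/2005:11:40:00 -0400] conn=60 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

# "[timestamp] conn=N [op=M] rest-of-line"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$')
# key=value pairs; quoted values may contain spaces and '=' (search filters do)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'base="o=isp" scope=2 ...' into a dict, dropping the quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(text)}


def summarize(log_text):
    """Group log lines by connection and pair each operation with its RESULT."""
    conns = defaultdict(lambda: {"client": None, "bind_dn": None, "ops": {}})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn = conns[int(m["conn"])]
        if m["op"] is None:
            # Connection line: record the client address.
            client = re.search(r'connection from (\S+) to', m["rest"])
            if client:
                conn["client"] = client.group(1)
            continue
        op = conn["ops"].setdefault(int(m["op"]), {})
        verb, _, tail = m["rest"].partition(" ")
        fields = parse_fields(tail)
        if verb == "BIND":
            op.update(kind="BIND", dn=fields.get("dn", ""))
        elif verb == "SRCH":
            op.update(kind="SRCH", base=fields.get("base"),
                      filter=fields.get("filter"))
        elif verb == "RESULT":
            op.update(err=int(fields["err"]), nentries=int(fields["nentries"]))
            if op.get("kind") == "BIND" and op["err"] == 0:
                conn["bind_dn"] = op["dn"] or "(anonymous)"
    return conns


def findings(conns):
    """Flag the cases the post calls out, plus failed binds."""
    out = []
    for cid, conn in sorted(conns.items()):
        for opid, op in sorted(conn["ops"].items()):
            kind, err = op.get("kind"), op.get("err")
            if kind == "BIND" and err not in (None, 0):
                out.append((cid, opid, "bind-failed",
                            f'dn="{op["dn"]}" err={err}'))
            elif kind == "BIND" and err == 0 and op["dn"] == "":
                out.append((cid, opid, "anonymous-bind",
                            "client bound with an empty DN"))
            elif kind == "SRCH" and err == 0 and op.get("nentries") == 0:
                # Valid search that matched nothing: check base and filter.
                out.append((cid, opid, "empty-search",
                            f'base="{op["base"]}" filter="{op["filter"]}"'))
    return out


if __name__ == "__main__":
    connections = summarize(SAMPLE_LOG)
    for cid, conn in sorted(connections.items()):
        print(f'conn={cid} client={conn["client"]} bound as {conn["bind_dn"]}')
    for cid, opid, kind, detail in findings(connections):
        print(f"conn={cid} op={opid} {kind}: {detail}")
```

The "empty-search" finding is the situation in the thread: every RESULT shows err=0, yet the client displays nothing because the base or filter matches no entries. The anonymous-bind and failed-bind findings are worth tracking on any directory that is not meant to serve unauthenticated clients.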