How to authenticate outgoing FW users by Windows group membership

Hi,
I need to authenticate all (Windows) users who access the internet through an IOS firewall. This applies not only to web traffic (which is easy to do), but also to other applications (e.g. some telebanking programs, RDP sessions etc.).
Basically, I need to use dynamic access lists, and use a different access list for each Windows user group.
Is there any way to do this?
Hans van der Poel
Consultant
NextiraOne

You can do this with the help of an authentication server.
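What that one-line answer means in practice, as an added illustration that is not part of the original thread: the IOS Firewall authentication proxy (auth-proxy) intercepts a user's first HTTP request, authenticates the user against a RADIUS server, and installs per-user dynamic ACL entries that the RADIUS Access-Accept carries as cisco-avpair attributes. The ACS thread further down this page covers the other half, mapping Windows group membership to an ACS group; the AV pairs below are attached to that ACS group, so each Windows group gets its own proxyacl set. Interface names, addresses, ports and the shared secret are placeholders.

```text
! Added example, not from the thread: IOS Firewall auth-proxy with per-user ACL
! entries pushed from RADIUS. Addresses, names and the secret are placeholders.
aaa new-model
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
radius-server host 10.0.0.5 key RADIUS-SHARED-SECRET
!
! auth-proxy serves its login page from the router's own HTTP server
ip http server
ip http authentication aaa
!
! cached entries (and their dynamic ACEs) are removed after 60 idle minutes
ip auth-proxy auth-cache-time 60
ip auth-proxy name OUTBOUND http
!
interface FastEthernet0/0
 description inside LAN
 ip address 10.0.0.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy OUTBOUND
!
! Static policy for hosts that have not authenticated yet: DNS, plus HTTP to
! the router so the login page is reachable. Everything else stays blocked
! until auth-proxy inserts the user's dynamic entries ahead of this list.
access-list 110 permit udp any any eq domain
access-list 110 permit tcp any host 10.0.0.1 eq www
access-list 110 deny ip any any

! On the RADIUS server (ACS group that the Windows group is mapped to):
! cisco-avpair attributes returned in the Access-Accept. Each proxyacl#N line
! becomes one dynamic ACE for the authenticated user's source address.
cisco-avpair = "auth-proxy:priv-lvl=15"
cisco-avpair = "auth-proxy:proxyacl#1=permit tcp any any eq 3389"
cisco-avpair = "auth-proxy:proxyacl#2=permit tcp any any eq 443"
cisco-avpair = "auth-proxy:proxyacl#3=permit tcp any any eq www"
!
! Verify which users/addresses currently hold entries:
!   show ip auth-proxy cache
```

Two caveats a practitioner should weigh before relying on this for non-web applications. First, the proxy is only triggered by the protocols it intercepts (HTTP here; later releases add FTP and Telnet), so a user must open a browser and log in before RDP or a telebanking client will pass; nothing prompts them from inside those applications. Second, the dynamic entries are keyed on source IP address, not on the Windows identity, so every host behind a shared NAT or every session on a terminal server inherits the first user's ACL until the cache entry times out.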

Similar Messages

  • Getting list of all users and their group memberships from Active Directory

    Hi,
    I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
    ==================
    import javax.naming.*;
    import javax.naming.directory.*;
    import java.util.Hashtable;

    public class GetUsersGroups {
        public static void main(String[] args) {
            String baseDn = "CN=Users,DC=filenetp8,DC=com";
            String[] attributeNames = {"memberOf"};
            // create an initial directory context
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
            // a simple bind sends the password in clear text on port 389; use ldaps:// in production
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "p8admin");
            try {
                // Create the initial directory context (rooted at the server, no base DN in the URL)
                DirContext ctx = new InitialDirContext(env);
                // list() returns names relative to baseDn, e.g. "CN=Administrator";
                // they must be re-qualified with baseDn before being looked up
                NamingEnumeration<NameClassPair> contentsEnum = ctx.list(baseDn);
                while (contentsEnum.hasMore()) {
                    NameClassPair ncp = contentsEnum.next();
                    String userName = ncp.getName();
                    System.out.println("User: " + userName);
                    try {
                        System.out.println("am here....1");
                        String userDn = userName + "," + baseDn;
                        Attributes attrs = ctx.getAttributes(userDn, attributeNames); // only asked for one attribute
                        System.out.println("am here....2");
                        Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                        // memberOf is absent (null) for entries whose only group is the primary group
                        if (groupsAttribute != null) {
                            // memberOf is a multi valued attribute
                            for (int i = 0; i < groupsAttribute.size(); i++) {
                                // print out each group that user belongs to
                                System.out.println("MemberOf: " + groupsAttribute.get(i));
                            }
                        }
                    } catch (NamingException ne) {
                        // ignore for now
                        System.err.println("Problem encountered....0000:" + ne);
                    }
                }
                ctx.close();
            } catch (NamingException e) {
                System.err.println("Problem encountered 1111:" + e);
            }
        }
    }
    =================
    The following exception gets thrown at every user entry:
    User: CN=Administrator
    am here....1
    Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
    000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
    ]; remaining name 'CN=Administrator'
    I think it gets thrown at this line in the code:
    Attributes attrs = ctx.getAttributes(userName, attributeNames);
    Any idea how to overcome this and where am I wrong?
    Thanks in advance,
    Regards.

    In this sentence:
    Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
    It seems OK when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
    userName + ",CN=Users,DC=filenetp8,DC=com"
    But I still have some problem with it.
    Hope it will be useful for you.

  • Windows 10 Poll: When and how are you moving your users to Windows 10?

    1. When/If you move your users to Windows 10, how will you do it?
          A) In-place upgrade
          B) Clean wipe and load
    2. When will you start moving your users to Windows 10?
          A) 0-3 months after release
          B) 3-12 months after release
          C) More than a year after release
          D) Never!
    Bonus: What tools do you plan to use?
    This topic first appeared in the Spiceworks Community

  • Authenticate users by Windows group using ACS

    Currently we are using Windows IAS/RADIUS to authenticate users onto our wireless network, and it is set to allow users in a certain Windows group to connect.
    Is there a way to do this with ACS?
    Please note that we are using ACS Solution Engine, not ACS for Windows.
    Thanks.

    Use the Remote Agent for Windows user authentication feature, or configure Windows AD as an LDAP server on the ACS SE.
    Then configure group mapping and apply the restrictions accordingly.
    Regards,
    Prem
    Please rate if it helps!

  • Need to know how to better manage revolving users in a group

    I have a new Beehive Online group set up for a external partner collaboration. Members of the group are only from Oracle or that external partner. While the BHO group is new, the collaboration has been in place for a long time (since 2007). Initially at Sun Microsystems, and now Oracle.
    In my description here... when I say "collaboration" you can translate that to roughly equivalent to "BHO Group"....
    The nature of the collaboration is that both companies move people to/from the collaboration, depending on the work in progress. I'm not saying there are changes daily, but there can be changes every month or so. It also happens that people working on the collaboration may be moved from it for many months or longer, and then get moved back to the collaboration at a later time, i.e. they may revolve in and out of the collaboration. Trouble is, when they are moved from the collaboration there is no guarantee that they ever get moved back to it. When a person is not part of the collaboration, their access to collaboration info is taken away.
    So my problem is understanding how to manage this better in BHO.
    I need to allow a user to be removed from a group, with the possibility (but not certainty) of adding them again.
    -- my understanding that delete user would then require SysAd intervention to add them back.
    -- I also am not clear on whether deleting the user affects their other group memberships.
    I tried to find out more about locking a user
    -- but it seems like that affects more than the group.
    Whats the recommended way to deal with this?
    Thx!

    I tried deleting the "verified" user using the group creation/manage tool.
    - click "View members"
    - select the checkbox next to the user
    - click the button "Delete (non-Verified Users)"
    Doing that, the user is not removed AND I get an error message in red at the top of the page that says:
    'Only selected non-"Verified" member(s) have been deleted. Go to https://beehiveonline.oracle.com/BOLAdmin.html to delete "Verified" users'
    So I went to the Admin tool:
    - selected my group,
    - selected the user from the list
    - clicked the "Delete User" button above the list.
    Got the warning pop-up about the user needing to be added back by SysAd, ignored it and clicked "OK".
    Got a success pop-up with all kinds of internal response tracking stuff in it. Clicked "OK"
    And the user is gone from the group in the Admin tool. HOWEVER, the user still shows up in the group list in the group create/manage tool.
    Will the user disappear from that list? If not, the list would be misleading.
    Thx!
    --Resii

  • Export Users data with group membership

    Hey Guys,
    I'm using csvde to export users data for management reports.
    I'm asked to add to the exported data the group membership of the users and I'm having problem doing that.
    My current script is:
    csvde.exe -s 192.168.xx.xx -d "ou=CS,dc=Domain,dc=com" -r objectClass=user -l "Company,DisplayName,sAMAccountName,title,lastlogon,pwdLastSet" -f c:\usersonly-Users.csv
    Can anyone help me adding column with groups the user is member of?
    Thanks
    Nir 

    Add the memberOf attribute to the list of attribute values to retrieve.
    Richard Mueller - MVP Directory Services
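A PowerShell equivalent of the csvde command above with the group membership column added, written here as an added example and not taken from the thread. It assumes the RSAT ActiveDirectory module; the server address, OU and output path are the poster's own placeholders. It also swaps two attributes a practitioner would want changed: lastLogon is per domain controller and never replicated, so the replicated lastLogonTimestamp is exported instead, and memberOf never includes the account's primary group (normally Domain Users), so that group is exported in its own column.

```powershell
# Added example (not from the thread): csvde-style user export with group membership.
# Assumes the RSAT ActiveDirectory module; server, OU and path are placeholders.
Import-Module ActiveDirectory

$columns = @(
    'Company', 'DisplayName', 'sAMAccountName', 'Title'
    # lastLogon is per-DC and not replicated; lastLogonTimestamp is replicated (may lag up to 14 days)
    @{ n = 'LastLogon';    e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } }
    @{ n = 'PwdLastSet';   e = { if ($_.pwdLastSet)         { [DateTime]::FromFileTime($_.pwdLastSet) } } }
    # memberOf never lists the primary group, so export it separately (CN only, not the full DN)
    @{ n = 'PrimaryGroup'; e = { ($_.PrimaryGroup -split ',')[0] -replace '^CN=' } }
    # memberOf is multi-valued: reduce each DN to its CN and join with ';' for a single CSV cell
    @{ n = 'MemberOf';     e = { (@($_.memberOf) | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }
)

Get-ADUser -Server '192.168.xx.xx' -SearchBase 'OU=CS,DC=Domain,DC=com' -Filter * `
    -Properties Company, DisplayName, Title, lastLogonTimestamp, pwdLastSet, memberOf, PrimaryGroup |
    Select-Object -Property $columns |
    Export-Csv -NoTypeInformation -Encoding UTF8 -Path 'C:\usersonly-Users.csv'
```

Splitting the DN on the first comma is deliberately simple; a group whose CN itself contains an escaped comma (CN=Sales\, EMEA) will be truncated, so keep the full DN if the report feeds an access review rather than a management summary. memberOf also lists only direct membership, not groups reached through nesting.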

  • How to find logged in user from Windows Registry?

    Hi,
    I am developing a Windows Store 8.1 app using C# and XAML.
    In my app I want to find the logged-in user name from the Windows Registry.
    How can I get that from C# code?
    Anybody please help me.
    Regards,
    Santhosh

    From a Store app you don't have access to the Windows registry.
    Microsoft Certified Solutions Developer - Windows Store Apps Using C#

  • HT1203 How do you share between users with Windows 8

    I have two user accounts on my computer.
    How do I share my music between them with iTunes with Windows 8.

    There's a couple of ways to get through to the authorisation controls in the 11.0.x versions.
    The control is still in the Store menu, but first (if you're using iTunes versions 11.0.x) you might need to bring up the menu bar to see the Store menu.
    If you're using 11.0.x, click on the wee boxy icon up in the top-left corner of your iTunes to see the "Show Menu Bar" control, as per the following screenshot:
    Then you'll find the control in the Store menu:
    Alternatively, if you don't want to bring up the menu bar, it's still possible to get into the authorise controls via nested menus accessible from the wee boxy icon. Here's a screenshot of where to find them:

  • How to authenticate (JAAS) a user programmatically for batch processing

    HI,
    We're struggling to get our batch user properly authenticated and authorized so that it can execute various jobs. The jobs are initially executed by a Quartz scheduler, which in turn invokes the execute method on the specific batch job controller class. In this class we'd like to log in the batch user before the processing starts and log the user out again before the job ends. The batch job processing does some updates on security-protected entities, and that's where the problems start. To be able to update certain ADF entities, the batch user must be in "batch-role". The permissions are configured in the jazn-data.xml file. ADF Security is enabled for the project and various entities are security protected. The application is deployed in one EAR file into WebLogic 10.3.5. We're using JDeveloper 11.1.2.1.
    When we log in to the application through the login form in the application, the security permissions are applied as they should be, and only users with the correct roles are able to update certain security-protected entities. The login form uses something like this to authenticate the user:
    Subject subject = weblogic.security.services.Authentication.login(handler);
    weblogic.servlet.security.ServletAuthentication.runAs(subject, request);
    We'd like to do the same kind of authentication in the batch controller class, like:
    Subject subject = weblogic.security.services.Authentication.login(new BatchLoginCallBackHandler());
    weblogic.security.Security.runAs(subject, new PrivilegedAction() {
        public Object run() {
            try {
                executeJob(jec);
            } catch (JobExecutionException e) {
                e.printStackTrace();
            }
            return null;
        }
    });
    But this doesn't work. When the job accesses ADFContext.getSecurityContext(), it isn't the correct user which is logged in (actually it is the user which initially started the scheduler). And even though
    boolean inBatchRole = aDFContext.getSecurityContext().isUserInRole("batch-role");
    returns true, the user is not allowed to update entities which require this role to allow an update. It somehow seems that the login does affect the ADF application module (ADF Context).
    We've tried a lot of other things but we're not able to login the batch user in the same way as the ADF Faces are.
    Can anyone please help us?
    Regards
    Jacob

    We have the same requirement.
    We've tried these approaches, with no success:
    AuthenticationService vAuthenticationService = AuthenticationServiceUtil.getAuthenticationService();
    vAuthenticationService.login("user", "password");
    resulting in Caused By: oracle.adf.share.security.ADFSecurityRuntimeException: EXC_UNSUPPORTED_AUTHENTICATION_OPERATION
    and JAASAuthenticationService authService = new JAASAuthenticationService();
    authService.login("user", "password");
    Caused By: java.security.AccessControlException: access denied (oracle.security.jps.JpsPermission AppSecurityContext.setApplicationID.default)
    If I test these methods in a simple java class's main method, they work.
    I feel I'm missing something; could somebody please tell me if I'm thinking wrong: We have an application made of a Model project, a UI project (ADF) and a scheduler project (Quartz). Both the UI project and the scheduler use the Model project (ADF BC). We deploy 2 EARs, one for the UI and one for the scheduler. The UI application's security is working just fine, and it's about time we enforce security for the scheduler. The scheduler has a Listener that extends QuartzListener, which implements ServletContextListener. In contextInitialized we launch different jobs using Quartz. How could we make these jobs authenticate using some predefined user credentials?

  • How do I create a user using Windows system image manager?

    My goal is to have a reference image that I can install on machines for several different companies. The image needs to have an identical user for all the computers that I will install to. Here is the unattend file. As it is, it creates an administrator account, with the password I chose. But it does not give the profile the name I want to give it.
    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
        <settings pass="windowsPE">
            <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
    xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <SetupUILanguage>
                    <UILanguage>en-US</UILanguage>
                </SetupUILanguage>
                <InputLocale>en-US</InputLocale>
                <SystemLocale>en-US</SystemLocale>
                <UILanguage>en-US</UILanguage>
                <UserLocale>en-US</UserLocale>
            </component>
            <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <DiskConfiguration>
                    <Disk wcm:action="add">
                        <CreatePartitions>
                            <CreatePartition wcm:action="add">
                                <Order>1</Order>
                                <Type>Primary</Type>
                                <Extend>true</Extend>
                            </CreatePartition>
                        </CreatePartitions>
                        <DiskID>0</DiskID>
                        <WillWipeDisk>true</WillWipeDisk>
                    </Disk>
                    <WillShowUI>OnError</WillShowUI>
                </DiskConfiguration>
                <ImageInstall>
                    <OSImage>
                        <InstallTo>
                            <DiskID>0</DiskID>
                            <PartitionID>1</PartitionID>
                        </InstallTo>
                        <InstallToAvailablePartition>false</InstallToAvailablePartition>
                        <WillShowUI>OnError</WillShowUI>
                    </OSImage>
                </ImageInstall>
                <UserData>
                    <AcceptEula>true</AcceptEula>
                </UserData>
            </component>
        </settings>
        <settings pass="oobeSystem">
            <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <OOBE>
                    <HideEULAPage>true</HideEULAPage>
                    <NetworkLocation>Work</NetworkLocation>
                    <ProtectYourPC>1</ProtectYourPC>
                </OOBE>
                <UserAccounts>
                    <LocalAccounts>
                        <LocalAccount wcm:action="add">
                            <Password>
                                <Value>**************************************=</Value>
                                <PlainText>false</PlainText>
                            </Password>
                            <Description>Admin</Description>
                            <DisplayName>NameIWant</DisplayName>
                            <Group>administrators</Group>
                            <Name>NameIWant</Name>
                        </LocalAccount>
                    </LocalAccounts>
                </UserAccounts>
                <TimeZone>Eastern Standard Time</TimeZone>
            </component>
            <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <Reseal>
                    <Mode>Audit</Mode>
                </Reseal>
            </component>
        </settings>
        <cpi:offlineImage cpi:source="wim://computer/users/administrator/downloads/new%20folder/install.wim#Windows 7 PROFESSIONAL" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
    </unattend>

    Hi,
    For this issue, I think you may ask in:
    http://social.technet.microsoft.com/Forums/en-US/home?category=w7itpro&filter=alltypes&sort=lastpostdesc
    Regards.
    Vivian Wang

  • How to authenticate AD LDAP user in Oracle ADF login?

    Hi All,
    I have some requirement in an ADF web application. Here, one simple ADF application they want to authenticate with an AD LDAP user, and they want to see the logged-in user's details from LDAP.
    For example, after the user has logged in from the ADF login page, on the next page he should be able to see his details like first name, last name, email, group, role, work phone and some other details.
    Let me know the possibilities to achieve these requirements. Give me some solution to make this simple.
    Thanks,
    Siva

    thanks for quick reply!
    Yeah, just now I went through the same blog, so I decided to follow Java-based integration. Here we need to pass the username and password from the UI, right? While I was trying the same thing, I had some issue here with rich text binding.
    I am unable to set the username and password dynamically if I use a RichInputText in the ADF login page.
    I am new to this integration. Can you please point to some example of LDAP integration with ADF using Java? Or, if it is not complex, can you please send me the LDAP integration example which you executed (to my mail; you can get it from my profile).
    thanks & Regards
    Siva

  • How to authenticate oracle application user from third party application -

    Hi All!
    I am using OC4J as a J2EE container with an Oracle Applications setup (11.5.10, LINUX version). This is for an application which gets called from Oracle Applications. We need the user, responsibility and session information of Oracle applications to be passed on to our application which is running on a different port in OC4J. We are unable to get the information when we call our application from a menu option in Oracle Applications.
    Various papers have been mentioning mod_oc4j.so module, which we are unable to find in our Oracle Applications setup.
    Any help as to
    (1) where we can download and install mod_oc4j.so from and
    (2) passing the above mentioned information to our application running on the OC4J port will be greatly appreciated.
    Thank you
    Narasimha Rao M L V

    Hi,
    Thanks for your reply, but I don't want to see that user in my list, then what should I do??? This is not possible; you cannot delete the user from the application.
    If I set an end date for that user in that form, then anyway the user will be there and visible... am I right??? Please correct me if I am wrong... Correct.
    Is it so that when the end date is passed, the user will be deleted from the list which is shown in the user management form?? No, you will still see the user in the form/table.
    Regards,
    Hussein

  • How does one assign a user to several groups?

    I am a student learning databases, Oracle to be exact, and am trying to install a developer's copy on my Mac G4 running OS X 10.4.11. To do this I need to assign user oracle to several user groups. Trouble is, although I know UNIX fairly well I don't know sysadmin commands well at all. Can anyone help with this one?

    Thank you for your posting; however, I did try this before I posted here. I can assign a user to one (1) group, but cannot figure out how to assign a user to more than one (1+) group. That is the root cause of my problem. Do you know how to assign more than one group? Again, thank you for your input.

  • How to get Portal Login user ID and Groups using UME API in JSPDynpages

    Hi Experts,
    How can I get the portal logged-in user ID and, based on that ID, get his assigned groups?
    For this, initially I need to get the logged-in user ID using the UME API.
    Can you drop the code to write and display using JSP Dynpages?
    Thanks
    Venkat.

    Hi,
    Try the below code
    IUserFactory userfact=UMFactory.getUserFactory();
    IUser user=userfact.getUserByUniqueName(request.getUser().getUserId());
    String usrid=user.getUniqueName();
    And you can also get the groups assigned to the user by using the below code
    Iterator groups = user.getParentGroups(true); // true = include groups inherited through nesting
    while (groups.hasNext()) {
         String groupstr = (String) groups.next(); // group unique ID
         IGroup g = UMFactory.getGroupFactory().getGroup(groupstr);
         response.write("Group name " + g.getUniqueName() + "<br>");
    }
    Regards
    Suresh

  • How to list contact or user in a Group especial in DL by command-line?

    I know some commands can list contacts or users in a OU such as
    dsquery user OU-DN
    OR
    dsquery contact OU-DN
    Listing groups and marking whether each is a security group or a DL can be done with:
    dsquery group OU-DN | dsget group -dn -secgrp
    and list all members of a group by:
    dsget group GroupDN -members
    But the list cannot tell me who are contacts and who are users.
    Are there any ways can check which members of Group are contacts or users in command-line?
    Thanks

    This isn't pretty, but it works:
    dsquery * -filter "(memberOf=cn=Mygroup,ou=Sales,dc=MyDomain,dc=com)" -attr distinguishedName objectClass
    The objectClass attribute indicates whether each member is a user, contact, group, or computer.
    Richard Mueller
    MVP ADSI
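The same back-link query in PowerShell, added here as an example that is not from the thread. It assumes the RSAT ActiveDirectory module and uses the group DN from the answer as a placeholder. The approach matters more than the tool: Get-ADGroupMember only deals in security principals and is not reliable for groups that contain contacts, whereas an LDAP filter on memberOf returns every object class, and the ObjectClass property then says which member is a user, contact, group or computer. The second query goes beyond the dsquery answer and resolves nested membership in one round trip using the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which the domain controller evaluates server-side.

```powershell
# Added example (not from the thread): enumerate a group's members with their object type.
# Assumes the RSAT ActiveDirectory module; the group DN is the answer's placeholder.
Import-Module ActiveDirectory

$groupDn = 'CN=Mygroup,OU=Sales,DC=MyDomain,DC=com'

# Direct members, the same memberOf back-link query as the dsquery line above.
# Note: memberOf is not set for a user's primary group, so primary-group members never appear here.
Get-ADObject -LDAPFilter "(memberOf=$groupDn)" -Properties objectClass, sAMAccountName, mail |
    Select-Object Name, ObjectClass, sAMAccountName, mail |
    Sort-Object ObjectClass, Name

# Transitive members: the matching-rule-in-chain OID walks nested groups on the DC.
# Contacts cannot be nested, but users sitting in sub-groups now show up; the summary
# by ObjectClass is a quick sanity check before exporting the full list.
Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$groupDn)" -Properties objectClass |
    Group-Object ObjectClass |
    Select-Object Name, Count
```

The transitive query is the one to use when the group membership feeds an access decision (for example the firewall or ACS group mapping discussed at the top of this page), since a user reached only through a nested group is just as authorized as a direct member but is invisible to the plain memberOf filter.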
