LDAP binding

Hi,
I have been trying to bind to an LDAP server with JNDI methods, but there is no way to get it to work. When I try to execute the search I get the exception "Error code 49, invalid credentials". The main code is this:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;

// parameters, filter, PROVIDER_URL and SEARCHBASE are defined elsewhere in the poster's code.
Hashtable env = new Hashtable();
//Add the required parameters to the table.
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, parameters.get(PROVIDER_URL));
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=user,cn=users,dc=dmz,dc=int");
env.put(Context.SECURITY_CREDENTIALS, "mypassword");
//Initialise a reference to the context (the simple bind with the principal and credentials above happens here).
DirContext ctx = new InitialDirContext(env);
//Specify which part of the tree is searched (search the whole subtree below the given base).
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
//Enumeration that will hold the results of the search.
NamingEnumeration results = ctx.search((String) parameters.get(SEARCHBASE), filter, constraints);
--In case I modify that code and comment out the line with the SECURITY_PRINCIPAL variable, it works, but I can't validate the password. I have tried changing that parameter, with things like "uid=username,cn=users,..." or "dn:cn=username,cn=users,..." and things like that. If someone can tell me exactly the form I have to write that variable I would be very thankful. I have also read something about writing the sAMAccountName there, but I don't have any idea about it.
Thanks,
josep


Similar Messages

  • LDAP Bind Failure: Can't contact LDAP server in Presentation Server

    I have configured LDAP configuration in the RPD and am able to connect to the LDAP from the BI server. It's returning the information I need when I test through the admin tool. But when I try to log in from the PS using the same network id and password, it gives me the below error:
    State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused. [53003] LDAP bind failure: Can't contact LDAP server. (08004).
    I know for sure the network connectivity is working as I get my results back from the BI Server. Please advise if I need to change other configurations on the Presentation end, as my network folks have run out of ideas. Thx!

    user9125812 wrote:
    Yes, i am pinging from OBIEE Server through the RPD and i am successful.
    Pinging the OBIEE Server through the RPD? Ping is a DOS command, how can you "ping through the RPD".
    Can you go to the server, open a CMD windows and do "ping nsldap.companyname.com" and see if it works. If it works it could be that the LDAP port is blocked by a firewall or OBIEE is not able to make a connection. Make sure you are using the correct port as well. Install an LDAP client in your OBIEE Server and test that you can connect to your LDAP server from your OBIEE Server, not from the RPD. You can use this:
    http://jxplorer.org/

  • Problem removing LDAP binding

    Hello,
    When we set up our 10.6 server we did not know about the message it broadcasts offering to give "services" to clients, i.e. bind them to LDAP. Last fall several of our boarding students chose this option on their personal Macs and they got our school login window and got restricted access to their computer. I showed them how to option-login and deselect management and remember the choice. I then went to the login options and unjoined them from the server.
    On at least one machine, this has not reverted the machine to the usual, unmanaged login box. I have trashed all mcx preferences to no avail. How can I remove all traces of the LDAP binding from this machine?
    Thank you,
    Kevin Kopchynski

    OK, I think I have gotten this done.
    The student actually used their full name on their computer account, which of course we also have on our Open Directory setup. I changed this on his computer so that there will be no conflict.
    I have also determined that the network information such as the green light will show up on a computer that has never been bound to LDAP.
    But it will NOT, as this student's had been, offer the local admin to bypass management or even respond to the option key at login.
    After changing the account I ran through all of the deletions mentioned by Antonio, still got the option to bypass management, but I hit "remember" and refresh preferences. That seemed to be the finishing touch. The machine no longer responds to the option key at login.
    By the time I did this mcxquery showed "no information available"
    Thanks again for the help.
    Kevin Kopchynski

  • LDAP Bind Failure

    Hi All,
    We are facing the issue "LDAP bind failure:Cant contact LDAP server".
    We are facing it now and then.... Can you guys tell me the corrective action to correct this?
    Our LDAP server is Novell eDirectory.
    RMD

    Try referring http://rnm1978.wordpress.com/2010/12/02/troubleshooting-obiee-ldap-adsi-authentication/
    Hope it helps

  • How to catch the return value of ldap- bind?

    For net::ldap,
    my $ldap = Net::LDAP->new( .. );
    # Net::LDAP's bind returns a Net::LDAP::Message result object, not undef on failure;
    # the outcome is in $mesg->code (0 on success) and $mesg->error.
    my $mesg = $ldap->bind($DN,$password);
    if the bind failed, what's the returned value for this?
    Many examples I read suggested "undef" is returned, but looks like it's not the case on Sun Solaris.
    Marg8

    somehow "undef" is not returned.
    for ldap->bind($DN,$password) or die "can't bind";
    it always continues no matter what DN or password you put in.
    So looks to me it returned something else.
    Marg8

  • OVD Custom LDAP Bind Plugin

    I need to build a java plug-in for ovd in order to implement a custom ldap bind operation. In my case I am using the ovd database adapter to expose a legacy hr application as an ldap directory, but the legacy hr application uses the php crypto() function to store a DES hash based version of the end user password in a database table. Any help is more than appreciated.

    I was able to implement the custom bind plug-in using the following documentation
    http://www.oracle.com/technetwork/middleware/id-mgmt/virtual-directory-custom-plugins-wp-188785.pdf
    http://docs.oracle.com/cd/E21764_01/oid.1111/e10046/adv_cust.htm#CEGJCFGE
    Custom Plug-in Code
    package br.gov.funasa.siarh.vde;
    import com.asn1c.core.Bool;
    import com.octetstring.vde.Credentials;
    import com.octetstring.vde.chain.Chain;
    import com.octetstring.vde.chain.ChainException;
    import com.octetstring.vde.syntax.BinarySyntax;
    import com.octetstring.vde.syntax.DirectoryString;
    import com.octetstring.vde.util.DirectoryException;
    public class CustomBindPlugin extends com.octetstring.vde.chain.BasePlugin {
        public CustomBindPlugin() {
            super();
        }
        public void bind(Chain chain, Credentials creds, DirectoryString dn,
                BinarySyntax password, Bool result) throws DirectoryException,
                ChainException {
            //TO DO: Add equivalent code to check the password using the legacy hr application custom hash algorithm
            //Until that check is in place this placeholder accepts every bind, whatever password was supplied.
            result.setValue(true);
        }
    }
    vde-properties.txt file whose contents must be appended to the MANIFEST.MF file of the Jar
    vde-package-classname: br.gov.funasa.siarh.vde.CustomBindPlugin
    vde-package-type: 0
    vde-package-version: 1
    vde-package-description: Custom bind for Siarh tha uses DES to check the user password
    vde-package-name: SiarhCustomBindPlugin
    vde-package-ops-add: false
    vde-package-ops-delete: false
    vde-package-ops-bind: true
    vde-package-ops-modify: false
    vde-package-ops-rename: false
    vde-package-ops-get: false

  • PAS with LDAP bind

    Hi,
    I have a similar requirement re PAS with LDAP bind. Is anybody on SCN able to share your solution?
    Thanks & regards
    Anthony
    Message was edited by: Oisin ONidh
    Branched to a NEW thread as was posted onto an OLD thread. Modify thread to reflect this change
    ITS SCN Moderator

    Hello Anthony,
    Can you provide further details on your query and also it's relation to using ITS/WEBGUI?
    Regards,
    Oisin

  • Ldap bind mechanism in java

    Hello all,
    I'm trying to find a solution for ldap bind similar to the [ldap_bind|http://php.net/manual/en/function.ldap-bind.php] function in php.
    It seems easy and nice.
    I had a look around the web and some forums and got direction to use this
    But this is not a similar solution as in php.
    ldap_bind uses only the connection, userName and password, doesn't know anything about the password hash method and will verify credentials as valid or invalid.
    Anyone have information or ideas how to do it in java?
    Petr, cz
    Edited by: PetrCZ on May 19, 2010 11:22 PM
    Edited by: PetrCZ on May 19, 2010 11:23 PM

    You don't need to know the LDAP hash at all to do a bind and user password check. That's against security - why would an administrator let anyone know what hashing he uses - that's letting an important piece of your security out (even though these modern hashes are pretty much irreversible)
    All you need is use Sun JNDI code to do a bind , use authentication method Simple and then gives user's id and password in clear-text. Directory server will itself take care of converting clear text password passed by you and comparing it with hashed user password in LDAP.
    From your code perspective if you get a DirContext back - your bind was successful otherwise you will get a NamingEnumeration exception.
    try reading through DirContext InitialDirContext ... just do a random search and you should get numerous helper code over internet.

  • Augmented users LDAP bind

    Is there a way to bind augmented users, say via "ldapsearch", or make a web authentication by LDAP bind?
    How is Apple's collaboration suite authenticating Augmented users?
    Have tried most combinations and just can't bind Augmented users via LDAP.

    Sorry, I posted at wrong location.

  • LDAP Binding issue.

    Hi,
    I've been testing out the novell ldap library against an openldap
    server and found an issue with the binding.
    When I try to do the following (c#):
    Code:
    using Novell.Directory.Ldap;

    string password = "MyPass";
    LdapConnection conn = new LdapConnection();
    conn.Connect("ldap", 389);
    conn.Bind("uid=michael,ou=people,o=myfirm", password + "test"); // should not authenticate as I add test to the password string.
    This seems to authenticate me all fine and doesn't give me the ldap
    exception that I get if "MyPass" is wrong. So as long as the password is
    correct I can add whatever chars to the end and it will still
    authenticate.
    Am I doing something wrong or is this a bug?
    Regards,
    Michael.
    mikeso
    mikeso's Profile: http://forums.novell.com/member.php?userid=48915
    View this thread: http://forums.novell.com/showthread.php?t=367505

    Did some more testing with our operations department and this seems to be
    an error on our ldap server with some users.
    Sorry for taking up your time.
    Regards,
    Michael.
    mikeso
    mikeso's Profile: http://forums.novell.com/member.php?userid=48915
    View this thread: http://forums.novell.com/showthread.php?t=367505

  • Restrict LDAP bind/authenticate to a specific host

    I'm trying to construct an ACI for an account that will only allow that id to successfully authenticate from a given host. I'm not sure if the ACI I constructed is wrong, or if it's possibly being undercut by other ACIs at the parent (or grandparent) levels. This is the ACI I created on the specific account.
    (targetattr = "*")
    (version 3.0;acl "allow login from host abc only";
    allow (all)
    (userdn = "ldap:///self")
    and (ip="xxx.xxx.xxx.xxx")
    and (dns="hostabc.xxx.com")
    ;)
    If I view the effective rights, nothing is enabled/allowed, but the account can still bind/authenticate from any workstation/server.

    ACIs are used to restrict access to particular entries/attributes.
    What you are doing is restricting access to everything based upon the IP/DNS name from which the bind takes place -- note the user is bound and trying to access something.
    ACIs apply to the data, not to the bind itself.
    So it's normal that the users can bind from anywhere other than the IP/DNS addresses you define, they just won't be able to see anything.
    I don't believe there is any way to be able to control binding itself.
    On placement of ACIs:
    Essentially it doesn't matter. The way ACIs work is as follows:
    Tracing the path from the suffix root to the targeted entry, all ACIs on that path are collected.
    They are then sorted into two "buckets", a DENY bucket for rules which deny access, and an ALLOW bucket for rules which allow access.
    DENY always has precedence, so the ACIs in the DENY bucket are evaluated -- if any of them match, that's it, the request is denied -- even if an ALLOW is still sitting in the ALLOW bucket.
    If we get to the end of the DENY bucket and haven't found a matching DENY rule we start processing the entries in the ALLOW bucket.
    If an ALLOW rule matches, the ACI processing stops and access is allowed.
    If we get to the end of the ALLOW bucket and didn't find a matching rule, there is an implicit DENY rule, and the access is denied.
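    The evaluation order the reply describes, modelled as an added example (not code from the thread or from any directory server): ACIs are collected along the path from the suffix root to the target entry, the DENY bucket is checked first, then the ALLOW bucket, and no match means implicit deny. The Aci/Request fields, the simplified bind-rule matching and the sample DNs and addresses are assumptions constructed for the demo; note that, as the reply says, the model decides access to data for an already-bound identity and never decides whether the bind itself succeeds.

```python
# Added example: a small model of the ACI evaluation order described above.
# Aci/Request fields and the bind-rule matching are simplified assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Aci:
    name: str
    effect: str                     # "allow" or "deny"
    self_only: bool = False         # bind rule userdn = "ldap:///self"
    ip: Optional[str] = None        # bind rule ip = "...", None means any
    dns: Optional[str] = None       # bind rule dns = "...", None means any


@dataclass
class Request:
    bind_dn: str                    # identity the client already bound as
    target_dn: str                  # entry the client now tries to access
    client_ip: str
    client_dns: str


def dn_path(target_dn: str) -> List[str]:
    """DNs from the suffix root down to the target entry (root first)."""
    rdns = [r.strip() for r in target_dn.split(",")]
    return [",".join(rdns[i:]) for i in range(len(rdns) - 1, -1, -1)]


def aci_matches(aci: Aci, req: Request) -> bool:
    """An ACI applies only when every bind rule it carries is satisfied."""
    if aci.self_only and req.bind_dn.lower() != req.target_dn.lower():
        return False
    if aci.ip is not None and aci.ip != req.client_ip:
        return False
    if aci.dns is not None and aci.dns.lower() != req.client_dns.lower():
        return False
    return True


def evaluate(acis_by_entry: Dict[str, List[Aci]], req: Request) -> bool:
    """Collect ACIs along the path root -> target, check the DENY bucket first
    (any match denies), then the ALLOW bucket; no match means implicit DENY."""
    collected = [aci for entry in dn_path(req.target_dn)
                 for aci in acis_by_entry.get(entry, [])]
    deny_bucket = [a for a in collected if a.effect == "deny"]
    allow_bucket = [a for a in collected if a.effect == "allow"]
    if any(aci_matches(a, req) for a in deny_bucket):
        return False
    if any(aci_matches(a, req) for a in allow_bucket):
        return True
    return False                    # implicit DENY


# Constructed sample directory: the poster's "allow login from host abc only"
# ACI on the account entry, plus a parent-level DENY that is collected as well.
ACCOUNT = "uid=svc,ou=people,o=example"
ACIS = {
    ACCOUNT: [Aci("allow login from host abc only", "allow",
                  self_only=True, ip="10.0.0.5", dns="hostabc.example.com")],
    "o=example": [Aci("deny everything from the guest network", "deny",
                      ip="10.0.0.9")],
}


def access_from(ip: str, dns: str) -> bool:
    """Can the account (already bound) read its own entry from this client?"""
    return evaluate(ACIS, Request(ACCOUNT, ACCOUNT, ip, dns))
```

    Binding from an unlisted host still succeeds in this model; the account simply gets an implicit DENY on every entry afterwards, which is the behaviour the poster observed.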

  • LDAP binding to OSX4.7 server  - Tiger vs. Panther.

    For the purpose of re-imaging, I am in the process of creating disk images to be deployed from external firewire drives as well as Netinstall onto all my clients over the summer. Due to the fact that some of my clients are incapable of running OSX4 Tiger (no firewire, as well as other hardware limitations), I am creating two disk images - one "Full Tiger" and one "Limited Panther".
    I have run into problems with the LDAP settings for my two images: The Tiger image (OSX4.6) connects fine to the Open Directory (OSX Server 4.7) server, but the Panther image (OSX 3.9) doesn't. I have been rummaging around in all the nooks and crannies of the LDAP settings and they seem to be set identically in the two images, but yet, the Panther image does not bind to OD.
    Are there substantial differences in how Panther and Tiger connect, beyond basic settings, via LDAP to OD OSX.4 server that I may be unaware of?
    I already tried to delete and recreate the LDAP connection details on the Panther.
    Thanks.
    Sigurd
    Panther Tiger Mac OS X (10.4.6) LDAP Bindings

    Got some help from my IT Dept. and they took care of it.

  • Final Cut Pro installed on an image interfering with multiple LDAP Binds??

    Hi guys, have an issue here a bit different from anything I have been able to find concerning binding to LDAP.
    The situation is this: I am tasked with administering about 90 iMacs and 3 Xserves in 3 labs in our school district. 30 of these machines have Final Cut Pro installed. Therefore I have 2 images created and successfully served by one of our Xserves. The other Xserve is dedicated to Open Directory, and the 3rd is just a file share server. The non Final Cut images have been applied and bound to LDAP and AD successfully, however, when it comes to the images WITH Final Cut Pro, I was only able to bind one machine to LDAP. The remaining machines tell me that the object already exists (which it should not because these are all new machines and have never been bound, imaged, or configured in any way prior to this) and it gives me the option to "Overwrite". When I choose overwrite, it creates the machine in Workgroup Manager, but never binds the machine to LDAP and gives me an "Unknown Error".
    Now it seems to me, that this is a problem specific to Final Cut Pro. What do you guys suggest?
    It is worth mentioning that we do have a volume license for FC Pro and it is the default installation with no modifications made to the install configuration.
    I have also posted this issue in the xServe forums.

    Look here - http://www.apple.com/universal/crossgrade/
    And remember "Search" is your friend. This topic has been discussed ad nauseam on this forum.
    K

  • LDAP bind using the userpassword attribute value

    I'm trying to prove that I can bind to OID using an SHA password digest, so I'm binding as follows:
    ./ldapbind -h ipaddress -p myport -D cn=myuser,cn=users,dc=xxxx -w myuserspassword
    This works fine if I enter the cleartext password. What I want to do is enter the password as it appears in the user's 'userpassword' field, which is an SHA digest.
    So if the password is 'abcdef', the userpassword value is something like {SHA}cGsjdkGsgfd.
    So, -w abcdef works fine, but how can I do something like -w cGsjdkGsgfd and tell OID it's an SHA digest I'm using?
    What I'm ultimately trying to do is to get a SOAP request to authenticate my user against OID and the only password available to it is the SHA digest. It's failing and I don't know why, so my first step is trying to prove I can bind with the password digest.
    Thanks in advance.

    Yes, sorry about that - I started off trying to prove a potential solution.
    Aim:
    A user logs onto a weblogic application and is authenticated against OID. The application is making SOAP service calls to a proxy endpoint monitored by another vendor's software which authenticates the user against the ldap and checks their roles to see if the user can call the service.
    Solution so far:
    The initial application gets the username from the JAAS principal, but the password is not supplied. I can easily supply the SHA password digest to it (but putting a cleartext password in the header will probably not be given the go-ahead). This would enable the application to make the SOAP call with a username and digest.
    The software protecting the services can be configured in a variety of ways to authenticate the user to the ldap. One involves using the wsse username token in the header (cleartext password or digest).
    This authentication is failing and I don't yet have the diagnostic tools available to see which stage is in error. I was trying to prove that you could actually authenticate with an SHA password digest by doing a bind.
    Regards
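    Why the digest cannot be used as the bind password, as an added example (not code from the thread or from OID): a simple bind always hands the server a cleartext value, which the server hashes with the scheme and salt recorded in userPassword and compares against the stored digest, so sending the digest itself just produces a mismatching hash. The {SHA}/{SSHA} layout follows the RFC 2307 convention (base64 of the SHA-1 digest, with the salt appended for {SSHA}); the function names and the sample password 'abcdef' are constructed for the demo, and the verifier is a model of the server-side check, not a replacement for the directory's own. This also illustrates the point made in the "Ldap bind mechanism in java" thread above that the client never needs to know the hash scheme.

```python
# Added example: server-side verification of a cleartext bind password against
# an RFC 2307-style {SHA}/{SSHA} userPassword value. Not OID's own code.
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional


def make_userpassword(cleartext: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Produce a {SHA} or {SSHA} userPassword value: base64(digest [+ salt])."""
    data = cleartext.encode("utf-8")
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")
    if scheme == "SSHA":
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.sha1(data + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError("unsupported scheme: " + scheme)


def verify_userpassword(stored: str, candidate: str) -> bool:
    """True if candidate (the cleartext a simple bind delivers) matches the
    stored {SHA}/{SSHA} value. Constant-time comparison; unknown schemes,
    malformed base64 and missing prefixes all fail closed."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, b64 = stored[1:].split("}", 1)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    data = candidate.encode("utf-8")
    if scheme.upper() == "SHA":
        return hmac.compare_digest(hashlib.sha1(data).digest(), blob)
    if scheme.upper() == "SSHA":
        digest, salt = blob[:20], blob[20:]   # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(data + salt).digest(), digest)
    return False


def demo() -> Dict[str, object]:
    """Constructed walk-through of the thread's situation with password 'abcdef':
    the cleartext binds, the digest pasted in as the password does not."""
    stored = make_userpassword("abcdef", "SHA")
    digest_only = stored[len("{SHA}"):]
    return {
        "stored": stored,
        "cleartext_binds": verify_userpassword(stored, "abcdef"),
        "digest_as_password_binds": verify_userpassword(stored, digest_only),
        "ssha_roundtrip": verify_userpassword(make_userpassword("abcdef"), "abcdef"),
    }
```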

  • WebLogic 6.1 sp2 does not allow Anonymous LDAP Binding

    Hi,
    I am trying to setup LDAP on WebLogic 6.1 SP2 and it refuses to bind
    anonymously to our iPlanet LDAP server.
    If I specify an admin user that is in LDAP there isn't a problem, all
    authentication works fine. Anonymous binding works fine from
    ldapsearch, PeopleSoft, etc ...
    My config.xml definition is below, am I missing something ?
    <CustomRealm
        ConfigurationData="user.filter=(&(uid=%u)(objectclass=person));
            server.authprotocol=none;
            user.dn=ou=People,ou=Internal,ou=Clients,o=mycorp;
            server.principal=uid=admin,ou=People,ou=Internal,ou=Clients,o=mycorp;
            membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquenames));
            group.filter=(&(cn=%g)(objectclass=groupofuniquenames));
            server.host=ldap.mycorp.com;
            group.dn=ou=Groups,ou=Internal,ou=Clients,o=mycorp"
        Name="UMDSv2"
        Notes="This is provided as an example. Before enabling this Realm, you must edit the configuration parameters as appropriate for your environment."
        Password="{3DES}lwSDdYvmhJClhXHELTDQlA=="
        RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"/>
    Thanks,
    Kim
