LDAP for authentication

Similar Messages

• External LDAP for authentication

  Hi All,
  I want to use external ldap for authentication purpose with Access Manager.
  I tried adding this external ldap as a secondary ldap but couldn�t succeed.
  If I add this ldap in the primary ldap along with the AM�s own ldap, this also fails to authenticate users from the external ldap.
  How can I achieve this?
  I read many topics in this forum regarding this but none of them explain how it can be achieved.
  Please suggest.
  Thanks in advance.

  This is what the amconsole log says:
  ERROR: ConsoleServletBase.onUncaughtException
  java.lang.NullPointerException
       at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.constructFilter(LDAPv3Repo.java:3126)
       at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.search(LDAPv3Repo.java:1996)
       at com.iplanet.am.sdk.AMDirectoryManager.search(AMDirectoryManager.java:1938)
       at com.sun.identity.idm.AMIdentityRepository.searchIdentities(AMIdentityRepository.java:221)
       at com.sun.identity.console.idm.model.EntitiesModelImpl.getEntityNames(EntitiesModelImpl.java:139)
       at com.sun.identity.console.idm.EntitiesViewBean.getEntityNames(EntitiesViewBean.java:222)
       at com.sun.identity.console.idm.EntitiesViewBean.beginDisplay(EntitiesViewBean.java:177)
       at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
       at jsps.console._idm._Entities_jsp._jspService(_Entities_jsp.java:86)
       at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
       at com.iplanet.ias.web.jsp.JspServlet$JspServletWrapper.service(JspServlet.java:687)
       at com.iplanet.ias.web.jsp.JspServlet.serviceJspFile(JspServlet.java:459)
       at com.iplanet.ias.web.jsp.JspServlet.service(JspServlet.java:375)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
       at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:772)
       at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:471)
       at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:382)
       at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:340)
       at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
       at com.sun.identity.console.base.AMViewBeanBase.forwardTo(AMViewBeanBase.java:133)
       at com.sun.identity.console.base.AMPrimaryMastHeadViewBean.forwardTo(AMPrimaryMastHeadViewBean.java:149)
       at com.sun.identity.console.idm.HomeViewBean.forwardTo(HomeViewBean.java:109)
       at com.sun.identity.console.realm.RealmPropertiesBase.nodeClicked(RealmPropertiesBase.java:90)
       at com.sun.web.ui.view.tabs.CCTabs.handleTabHrefRequest(CCTabs.java:129)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
       at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
       at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
       at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
       at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:760)
       at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
       at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
       at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
       at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:787)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
       at com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:280)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
       at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:161)
       at com.iplanet.ias.web.WebContainer.service(WebContainer.java:580)

• WLC connect LDAP for Authentication, but could not connect to server

  Hi Everyone, I got a problem when I use WLC 5508 connect to LDAP for authentication, but no luck there, it's a simple config, but not easy to work on my job, I got the following messgae:
  Service Port - Not connected
  Distrubution port include:
       Management Interface - in AP Management VLAN - 30
       Student AP interface - in Student VLAN - 20
       Staff AP interface - in Staff VLAN - 10
  AD is in Staff VLAN - 10
  WLC LDAP Server setting
  Base DN:OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
  User Attribute: sAMAccountName
  User Object Type: Person
  Debug aaa all enable message
  *LDAP DB Task 1: Jul 09 01:40:58.969: ldapInitAndBind [1] called lcapi_init (rc = 0 - Success)
  *LDAP DB Task 1: Jul 09 01:41:00.969: ldapInitAndBind [1] configured Method Anonymous lcapi_bind (rc = 1005 - LDAP bind failed)
  *LDAP DB Task 1: Jul 09 01:41:00.969: ldapClose [1] called lcapi_close (rc = 0 - Success)
  *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to IDLE
  *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to RETRY
  *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP_OPT_REFERRALS = -1
  WLC GUI Log:
  *LDAP DB Task 1: Jul 09 02:56:13.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
  *LDAP DB Task 1: Jul 09 02:56:11.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
  *LDAP DB Task 1: Jul 09 02:56:09.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
  LDP Message of LDAP BaseDN:
  Expanding base 'CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk'...
  Result <0>: (null)
  Matched DNs:
  Getting 1 entries:
  >> Dn: CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
  4> objectClass: top; person; organizationalPerson; user;
  1> cn: Frankie F. Yeung;
  1> sn: Yeung;
  1> givenName: Frankie;
  1> initials: F;
  1> distinguishedName: CN=Frankie F. Yeung,OU=OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
  1> instanceType: 0x4 = ( IT_WRITE );
  1> whenCreated: 8/10/2011 10:28:14 China Standard Time China Standard Time;
  1> whenChanged: 8/10/2011 10:31:26 China Standard Time China Standard Time;
  1> displayName: Frankie F. Yeung;
  1> uSNCreated: 3850555;
  1> uSNChanged: 3850571;
  1> name: Frankie F. Yeung;
  1> objectGUID: 6ebfc7e9-6989-4f11-bae7-62c23af67edc;
  1> userAccountControl: 0x10200 = ( UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD );
  1> badPwdCount: 0;
  1> codePage: 0;
  1> countryCode: 0;
  1> badPasswordTime: 0;
  1> lastLogoff: 0;
  1> lastLogon: 0;
  1> pwdLastSet: <ldp error <0x0>: cannot format time field;
  1> primaryGroupID: 513;
  1> objectSid: S-1-5-21-3867848445-1581729766-1247451615-2172;
  1> accountExpires: <ldp error <0x0>: cannot format time field;
  1> logonCount: 0;
  1> sAMAccountName: fckyeung;
  1> sAMAccountType: 805306368;
  1> userPrincipalName: [email protected];
  1> objectCategory: CN=Person,CN=Schema,CN=Configuration,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
  Hope I can resolve this problem ASAP, thanks!

  Your AD is in the Staff Vlan so maybe the WLC uses the Staff interface instead of management to contact the AD. I don't know how you sniffed exactly.
  The comment about eap methods you saw is when you use LDAP with dot1x security. It is the same as saying "You cannot do peap-mschapv2 or eap-fast-mschpv2 with LDAP".
  But you can do LDAP for web authentication, that has no eap methods.
  Your original problem was a binding problem from the WLC, so we can expect that the WLC really is sending traffic towards AD.

• AD LDAP for Authentication but ABAP or IDM for Role Assignments

  Hi Portal Gurus,
  Is it possible to configure the UME in such as way so that it connects to the AD for authentication purposes but uses the CUA or SAP Identity Manager for role assignments?
  Thanks,
  Vibhu

  Hi,
  Thanks for the suggestion. But ours was a different problem.
  The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
  During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
  Best regards,
  Ashok

• Setting up LDAP for authentication to portal:default property set named "ldap

  Hi
  I am trying to implement the LDAP authentication to WebLogic Portal .Iam went
  thru the docmentation ( http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824).It
  mentions using the default property set named "ldap" and deploying ldapprofile.jar.My
  quenstion is:
  -Is there a way to look into the property using EBCC
  - Apart from deploying,configuring the ldapprofile.jar,do I have to do any additional
  steps in order to make my portal(say,stockportal) authenticate users from LDAP?
  -If a create my own portal,should I create a similar "ldap" property set?If so,how.
  Any suggestions/help is appreciated.Thanks
  - Mike

  Thanks Dave.
  "David Anderson" <[email protected]> wrote:
  You should be able to view the property set for LDAP through the EBCC
  if you
  have the propertysetws.jar installed in your Portal domain. This provides
  the ability for the EBCC to retrieve property set information from your
  server.
  Dave
  "mike" <[email protected]> wrote in message
  news:[email protected]...
  Hi Adrian
  Thank you for the pointers.Much appreciate it.However,one questionstill
  persists.
  What is the significance of the property set "ldap" mentioned in the
  document(http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824).Where
  does this property set feature vis-a-vis setting up LDAP securityrealm;does it
  mater prior to/after the setting up as mentioned in the document pointeryou just
  gave .
  Is it sufficinet that i follow the procedure to set up the LDAP oris
  there more
  to post setting,like creating a property set (similar to "ldap" orcloning
  it)
  apaprt frpom deploying ldapprofile.jar.
  Thanks.
  - Mike
  "Adrian Fletcher" <[email protected]> wrote:
  Mike,
  The documentation that covers LDAP authentication is listed under
  Weblogic
  Server rather than Weblogic Portal.
  See Configuring the LDAP Security Realm in Managing Security
  (http://e-docs.bea.com/wls/docs61////adminguide/cnfgsec.html#1071872)
  Also take a look at the FAQ - Why can't I boot WebLogic Server whenusing
  the LDAP Security Realm?
  (http://e-docs.bea.com/wls/docs61//faq/security.html#25833)
  Hope this helps,
  Sincerely,
  Adrian.
  Adrian Fletcher.
  Senior Software Engineer,
  BEA Systems, Inc.
  Boulder, CO.
  email: [email protected]
  "mike" <[email protected]> wrote in message
  news:[email protected]...
  Hi
  I am trying to implement the LDAP authentication to WebLogic Portal.Iam
  went
  thru the docmentation
  http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824).It
  mentions using the default property set named "ldap" and deployingldapprofile.jar.My
  quenstion is:
  -Is there a way to look into the property using EBCC
  - Apart from deploying,configuring the ldapprofile.jar,do I have
  to
  do any
  additional
  steps in order to make my portal(say,stockportal) authenticate usersfrom
  LDAP?
  -If a create my own portal,should I create a similar "ldap" propertyset?If so,how.
  Any suggestions/help is appreciated.Thanks
  - Mike

• Regarding SAP CUA vs Corporate LDAP for authentication purposes

  Hello All:
     Could anyone please give more information about SAP CUA and the corporate LDAP? Please suggest which is more advantageous and what is the cost involved in each of these. These are the options for the authentication of SAP Enterprise Portal in our system here. We want to figure out which has more advantages over the other one.
  Thanks,
  LBuegg

  Hello all,
     Appreciate your response for this query. We need to figure out the options soon. Its kind of urgent.
  Thanks again..
  L Buegg.

• OWSM won't connect to ldap for authentication in policy

  System: 10.1.3 on Windows with SOA Suite
  I've got a web service deployed, got OWSM running, have registered the web service with a gateway component and have built a basic policy (just to log) in the Pipeline "request" and Pipeline "Response" parts of the governing policy; this basic policy works correctly. However, when I try to add an "Ldap Authenticate" step to the Pipeline "Request" part of the policy, OWSM doesn't seem to really try to connect to the LDAP. I have tried two LDAPs (Lotus Notes and OID) that are operational - I can access both of them via command line using the same credentials with which I configured the "Ldap Authenticate" step. Yet, when I invoke the web service with the "Ldap Authenticate" step configured in the policy I get the following exception:
  A fault was thrown in the step Client.AuthenticationFault:Invalid username or password
  I'm pretty dang sure I have entered the correct credentials in the "Ldap Authenticate" configuration (I checked it 45,000 times) - it seems that OWSM really isn't trying to connect to the LDAPs - and there's no logging that I've found that will tell me what it's really trying to do.
  Anyone have any hints or know what's going on?

  I have the same problem.
  With the help of Vikas's instuctions for changing log level I could log the gateway's activities:
  security.WSBasicCredsExtractor - Element Value:farbod
  security.WSBasicCredsExtractor - Element Value:mypassword
  security.WSBasicCredsExtractor - Successfully retrieved username and password
  security.WSBasicCredsExtractor - Removing the UsernameToken Header
  ldap.DirContextHolder - Creating new directory context
  ldap.LDAPAuthenticatorStep - Failed to connect to ldap server.
  I am unsure whether my LDAP settings in OWSM are correct:
  my server name is nfsserver.com(OID Server) and I have this user in OID:
  cn=farbod,cn=Users,dc=nfsserver,dc=com
  so I think these settings should work:
  LDAP host (*)      nfsserver
  LDAP port (*)      389      
  User objectclass (*)      inetOrgPerson      
  LDAP baseDN (*)      cn=Users,dc=nfsserver,dc=com
  LDAP adminDN (*)      cn=orcladmin,cn=Users,dc=nfsserver,dc=com
  LDAP admin password      ******          
  LDAP admin login enabled (*)      true
  Uid Attribute (*)      string      uid      
  User Attributes to be retrieved      uid
  Is the bold part correct?
  Regards
  Farbod

• Retrieve parameters from LDAP using authentication module

  I have existing LDAP that contains organization people and their attributes. I have several web applications that use existing LDAP for authentication and authorization. My goal is to deploy single sign-on with openSSO so that users are authenticated against existing LDAP. Changing of the existing LDAP is forbidden.
  I deployed newest stable OpenSSO and Apache2 + newest policy agents to web service servers.
  OpenSSO server uses LDAP authentication module to authenticate users against existing LDAP. It uses flat file data repository and realm attributes -> user profile is ignored.
  This basic setup works fine. The next step is to integrate existing web applications to single sign-on system. The authentication part works fine. I just disabled old mechanism from web applications that did the LDAP authentication. OpenSSO and Apache Policy agent are handling that part.
  The existing web applications are still querying existing LDAP other attributes there than uid and userpassword. Is it possible to configure OpenSSO to forward LDAP attributes to web application as cookie or header value? Or is the forwarding feature only for attributes in Data Store?
  If the forwarding is not possible what is the next best alternative ?

  OpenSSO forum is quite silent so I'm back with you guys.
  I managed to solve the agent error log problem I mentioned before. The problem was about nonexisting attributes in AMAgent.properties com.sun.am.policy.agents.config.profile.attribute.map. I removed extra attributes and the authentication against LDAP started to work again.
  The problem is that no attributes are forwarded from LDAP to web application. I have tried HTTP_COOKIE and HTTP_HEADER settings in AMAgent.properties and com.sun.am.policy.agents.config.profile.attribute.map is set to cn|common-name,mail|email.
  My LDAP looks like this:
  # testuser, pollo.fi
  dn: cn=testuser,dc=pollo,dc=fi
  cn: testuser
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  givenName: Test
  sn: User
  ou: People
  uid: testuser
  mail: [email protected]
  And my datastore configuration:
  LDAP server->localhost:389
  LDAP bind DN->cn=admin,dc=pollo,dc=fi
  LDAP organization DN->dc=pollo,dc=fi
  Attribute name mapping->empty
  LDAP3 Plugin supported types and operations->agent,group,realm,user all read,create,edit,delete
  LDAP3 Plugin search scope->scope_sub
  LDAP Users Search Attribute->uid
  LDAP Users Search Filter->(objectclass=inetorgperson)
  LDAP User Object Class->organizationalPerson
  LDAP User Attributes->uid, userpassword
  Create User Attribute Mapping->empty
  Attribute Name of User Status->inetuserstatus
  User Status Active Value->Active
  User Status Inactive Value->inactive
  LDAP Groups Search Attribute->cn
  LDAP Groups Search Filter->(objectclass=groupOfUniqueNames)
  LDAP Groups container Naming Attribute->ou
  LDAP Groups Container Value->groups
  LDAP Groups Object Class->top
  LDAP Groups Attributes->cn,description,dn,objectclass
  Attribute Name for Group Membership->empty
  Attribute Name of Unqiue Member->uniqueMember
  Attribute Name of Group Member URL->memberUrl
  LDAP People Container Naming Attribute->ou
  LDAP People Container Value->people
  LDAP Agents Search Attribute->uid
  LDAP Agents Container Naming Attribute->ou
  LDAP Agents Container Value->agents
  LDAP Agents Search Filter->(objectClass=sunIdentityServerDevice)
  LDAP Agents Object Class->sunIdentityServerDevice,top
  LDAP Agents Attributes->empty
  Identity Types That Can Be Authenticated->Agent,User
  Authentication Naming Attribute->uid
  Persistent Search Base DN->dc=pollo,dc=fi
  Persistent Search Filter->(objectclass=*)
  Persistent Search Maximum Idle Time Before Restart->0
  Should I enable some setting still to get the forwarding going on? Any ideas for debugging?

• ISE Authentication Policy for RSA Securid and LDAP for VPN

  We are working on replacing our existing ACS server with ISE.  We have 2 groups of users, customers and employees.  The employee's utilize RSA securid for authentication while the customers use Window authentication.  We have integrated the AD into ISE using LDAP and this has been tested.  We are now working on trying to get the rsa portion to work.  We are wanting to utilize the authorization policy to assign the group-policy/IP for both clients via the LDAP user attributes.
  Here is my question:
  Under the authentication policy should we look @ an identity store that has RSA securid users, LDAP users and then internal users.  I assume if the user isn't present in the RSA store it will then look @ the LDAP, will this present an issue with overhead in our RSA environment.  With the legacy ACS the descsion on where to authenticate the user was done on the ACS, either Windows or RSA.  The employee users will still also be present in the LDAP so we can utilize the attributes for IP address/group policy.  The number of customer vpn's is several times larger than employees and I am afraid that if we have to query the securid servers for every authentication vpn authentication attempt this could cause issues.  Our utilimate goal is to move to any connect and utilize a single url for all authentication but allow ise to instruct the asa what attributes to hand to the client such as dns/Dacl. 
  Thanks,
  Joe

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.

• LDAP realm for authentication and ACL in Database

  We are thinking of using LDAP realm for authentication and we want to use ACL from a Database. But the documentation says: "WebLogic Server defers to the LDAP realm for authentication, but not for authorization. Authorization is accomplished with access control lists (ACLs), which are defined in the weblogic.properties file"
  Can we use LDAP realm for authentication and manage our ACL from a Database? or do we have to use the weblogic.properties file? Do the weblogic security API help in the above scenario? Thanks Ram

  Unfortunately, there is no easy way to do this in wls 6.0.
  The only way to handle it is to write your own custom realm
  that uses ldap for users and groups and a database for acls -
  probably not a viable alternative.
  -Tom
  "kevin doherty" <[email protected]> wrote:
  >
  Jeffrey Hirsch <[email protected]> wrote:
  You should be able to use the DelegatedRealm interface to utilize the authentication methods from LDAP and the authorization methods from RDBMSRealm...
  I'm trying to do this too, but we are using WL6 and I see that the DelegatedRealm interface has been deprecated in this version. I'd greatly appreciate more information on doing this in WL6.
  Thanks!
  -kd

• Hooking LDAP with Weblogic for Authentication

  I have a lot of users in an LDAP-Directory and I would like to map this directory to a Website on my Weblogic instance.
  Now, I've added LDAP into my Security Realm in Weblogic, what do i add to the web.xml ? Is this sufficient?
  Do I need to change anyting else in my Weblogic configuration than adding OpenLDAP Support in Authentication?
  Thanks!

  HI Tim,
  Yes LDAP can be used trough SAP BP CMS (BO authentication).
  That's means all the users has to be imported into CMS and after that BPC is using for authentication BO certificate to authenticate to CMS.
  So you have also SSO.
  You don't need Active directory in this case.
  Any way BPC is still working also with Microsoft Active directory without CMS but you have to decide what kind of authentication satisfy better customer requirements.
  You can use or Microsoft Active Directory or CMS but you cannot use both in the same time.
  Kind Regards
  Sorin Radulescu

• One username for two tunnel in IPSec remote access vpn + ACS for authentication

  Hi all,
  I want to set up a username which can be used for two different IPSec tunnel (i.e. username USER1 can be used in tunnel TUN1 and TUN2). Can anyone help me how to do this? My current configuration is that I tied the username to tunnel group using group-lock (RADIUS property) so a username can only be used for a particular remote access vpn tunnel (USER1 can only be used for TUN1). I have already tried to enable multiple entry for group lock in ACS (by manipulating the dictionaru setting in ACS), but it seems that authentication still takes the first group and can not take the second group.

  You'd have to create a new AAA server group pointing to servers in the new domain for authentication.
  Then make a new connection profile that uses that AAA server group.
  Your users would have to choose the connection profile (absent some more advanced tricks like issuing them user certificates that can be checked for attributes which map to one profile or another).
  This could also be done with ISE 1.3 which can act as the RADIUS server and join to multiple AD domains on the backend as identity stores. (or even with ISE 1.2 if you use one of the AD directories as an LDAP store vs. native AD).

• Pam.conf does not use ldap for password length check when changing passwd

  I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
  I have dsee 6.0 installed on a solaris 10 server (client).
  I have a solaris 9 server (server) set up to use ldap authentication.
  bash-2.05# cat /var/ldap/ldap_client_file
  # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_SERVERS= X, Y
  NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
  NS_LDAP_AUTH= tls:simple
  NS_LDAP_SEARCH_REF= FALSE
  NS_LDAP_SEARCH_SCOPE= one
  NS_LDAP_SEARCH_TIME= 30
  NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
  NS_LDAP_CACHETTL= 43200
  NS_LDAP_PROFILE= tls_profile
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
  NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
  NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
  NS_LDAP_BIND_TIME= 10
  bash-2.05# cat /var/ldap/ldap_client_cred
  # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
  NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
  NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
  bash-2.05# cat /etc/nsswitch.conf
  # /etc/nsswitch.ldap:
  # An example file that could be copied over to /etc/nsswitch.conf; it
  # uses LDAP in conjunction with files.
  # "hosts:" and "services:" in this file are used only if the
  # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
  # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
  passwd: files ldap
  group: files ldap
  # consult /etc "files" only if ldap is down.
  hosts: files dns
  ipnodes: files
  # Uncomment the following line and comment out the above to resolve
  # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
  # IPv4 addresses are searched in all of the ipnodes databases before
  # searching the hosts databases. Before turning this option on, consult
  # the Network Administration Guide for more details on using IPv6.
  #ipnodes: ldap [NOTFOUND=return] files
  networks: files
  protocols: files
  rpc: files
  ethers: files
  netmasks: files
  bootparams: files
  publickey: files
  netgroup: ldap
  automount: files ldap
  aliases: files ldap
  # for efficient getservbyname() avoid ldap
  services: files ldap
  sendmailvars: files
  printers: user files ldap
  auth_attr: files ldap
  prof_attr: files ldap
  project: files ldap
  bash-2.05# cat /etc/pam.conf
  #ident "@(#)pam.conf 1.20 02/01/23 SMI"
  # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
  # Use is subject to license terms.
  # PAM configuration
  # Unless explicitly defined, all services use the modules
  # defined in the "other" section.
  # Modules are defined with relative pathnames, i.e., they are
  # relative to /usr/lib/security/$ISA. Absolute path names, as
  # present in this file in previous releases are still acceptable.
  # Authentication management
  # login service (explicit because of pam_dial_auth)
  login auth requisite pam_authtok_get.so.1 debug
  login auth required pam_dhkeys.so.1 debug
  login auth required pam_dial_auth.so.1 debug
  login auth binding pam_unix_auth.so.1 server_policy debug
  login auth required pam_ldap.so.1 use_first_pass debug
  # rlogin service (explicit because of pam_rhost_auth)
  rlogin auth sufficient pam_rhosts_auth.so.1
  rlogin auth requisite pam_authtok_get.so.1
  rlogin auth required pam_dhkeys.so.1
  rlogin auth binding pam_unix_auth.so.1 server_policy
  rlogin auth required pam_ldap.so.1 use_first_pass
  # rsh service (explicit because of pam_rhost_auth,
  # and pam_unix_auth for meaningful pam_setcred)
  rsh auth sufficient pam_rhosts_auth.so.1
  rsh auth required pam_unix_auth.so.1
  # PPP service (explicit because of pam_dial_auth)
  ppp auth requisite pam_authtok_get.so.1
  ppp auth required pam_dhkeys.so.1
  ppp auth required pam_dial_auth.so.1
  ppp auth binding pam_unix_auth.so.1 server_policy
  ppp auth required pam_ldap.so.1 use_first_pass
  # Default definitions for Authentication management
  # Used when service name is not explicitly mentioned for authenctication
  other auth requisite pam_authtok_get.so.1 debug
  other auth required pam_dhkeys.so.1 debug
  other auth binding pam_unix_auth.so.1 server_policy debug
  other auth required pam_ldap.so.1 use_first_pass debug
  # passwd command (explicit because of a different authentication module)
  passwd auth binding pam_passwd_auth.so.1 server_policy debug
  passwd auth required pam_ldap.so.1 use_first_pass debug
  # cron service (explicit because of non-usage of pam_roles.so.1)
  cron account required pam_projects.so.1
  cron account required pam_unix_account.so.1
  # Default definition for Account management
  # Used when service name is not explicitly mentioned for account management
  other account requisite pam_roles.so.1 debug
  other account required pam_projects.so.1 debug
  other account binding pam_unix_account.so.1 server_policy debug
  other account required pam_ldap.so.1 no_pass debug
  # Default definition for Session management
  # Used when service name is not explicitly mentioned for session management
  other session required pam_unix_session.so.1
  # Default definition for Password management
  # Used when service name is not explicitly mentioned for password management
  other password required pam_dhkeys.so.1 debug
  other password requisite pam_authtok_get.so.1 debug
  other password requisite pam_authtok_check.so.1 debug
  other password required pam_authtok_store.so.1 server_policy debug
  # Support for Kerberos V5 authentication (uncomment to use Kerberos)
  #rlogin auth optional pam_krb5.so.1 try_first_pass
  #login auth optional pam_krb5.so.1 try_first_pass
  #other auth optional pam_krb5.so.1 try_first_pass
  #cron account optional pam_krb5.so.1
  #other account optional pam_krb5.so.1
  #other session optional pam_krb5.so.1
  #other password optional pam_krb5.so.1 try_first_pass
  I can ssh into client with user VV which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client):
  May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
  May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
  May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
  May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
  May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
  May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
  May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
  May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
  May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
  May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
  May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
  May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
  May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
  May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
  May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
  If I try to then change the password with the `passwd` command it does not use the password policy on the directory server but the default defined in /etc/default/passwd
  bash-2.05$ passwd
  passwd: Changing password for VV
  Enter existing login password:
  New Password:
  passwd: Password too short - must be at least 8 characters.
  Please try again
  May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
  May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
  May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
  May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
  May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
  May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
  May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
  May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
  May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
  May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
  May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
  I am using the default policy on the directory server which states a minimum password length of 6 characters.
  server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
  pwd-accept-hashed-pwd-enabled : N/A
  pwd-check-enabled : off
  pwd-compat-mode : DS6-mode
  pwd-expire-no-warning-enabled : on
  pwd-expire-warning-delay : 1d
  pwd-failure-count-interval : 10m
  pwd-grace-login-limit : disabled
  pwd-keep-last-auth-time-enabled : off
  pwd-lockout-duration : disabled
  pwd-lockout-enabled : off
  pwd-lockout-repl-priority-enabled : on
  pwd-max-age : disabled
  pwd-max-failure-count : 3
  pwd-max-history-count : disabled
  pwd-min-age : disabled
  pwd-min-length : 6
  pwd-mod-gen-length : 6
  pwd-must-change-enabled : off
  pwd-root-dn-bypass-enabled : off
  pwd-safe-modify-enabled : off
  pwd-storage-scheme : CRYPT
  pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
  pwd-strong-check-enabled : off
  pwd-strong-check-require-charset : lower
  pwd-strong-check-require-charset : upper
  pwd-strong-check-require-charset : digit
  pwd-strong-check-require-charset : special
  pwd-supported-storage-scheme : CRYPT
  pwd-supported-storage-scheme : SHA
  pwd-supported-storage-scheme : SSHA
  pwd-supported-storage-scheme : NS-MTA-MD5
  pwd-supported-storage-scheme : CLEAR
  pwd-user-change-enabled : off
  Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the pam_authtok_check: minimum length from /etc/default/passwd: 8
  . It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication but when I try to change the password it does not use the policy from the server which says I only need a minimum lenght of 6 characters.
  I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatability in ds6 mode maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
  Edited by: ericduggan on Sep 8, 2008 5:30 AM

  you can try passwd -r ldap for changing the ldap passwds...

• Access read-only LDAP for username/password, Directory Server LDAP for rest

  Hello! I keep trying to find documentation on the above, but thus far I have been unable to find something that explains this well (and my attempts at figuring out thus far have failed).
  I have a read-only LDAP that is used University wide, and I am not allowed to change how it currently operates. It uses double-bind authentication in that you search for a user to get their DN, then bind to that DN with the users password to see if it was correct.
  I'd like to use the above setup to verify a user's credential as well as return some basic information about them (name, email, etc). After this, I'd like to use another freshly installed Directory Server LDAP to manage the roles that seem to be needed for Portal Server (as I cannot write to the original LDAP).
  Any help or advice on the above would be appreciated! Thank you.

  The authentication you described is the default way LDAP authentication works.
  AM Ldap auth-module allows you to 'pull' attributes from the LDAP server you're using for authentication and store it in it's 'amSDK' Directory Server - which is leveraged by Portal Server (if you're talking about Sun's Portal Server).
  However this is only done if the profile is created (set 'dynamic profile generation' in auth - service).
  As Portal Server does not support the new 'identity repsoistory API' of AM you have to stick to AM's legacy mode when using Portal Server.
  To keep the the data in sync (if needed) you have to write a post-auth class.
  -Bernhard

• Using Lion Server Radius for authenticating "other" clients

  Hi I've been trying to get the Radius service in Lion Server to authenticate users of my SQUID web proxy. I have followed the squid wiki's instructions to configure the squid server as a radius client and pass authentication requests to the Lion Server Radius (I hope). However I'm trying to configure and test the Lion Server Radius. As Lions Server Admin GUI for radius only lets to add Airport Basestations, I've been trying to dig around for what underlying config files to edit.  I have tried 2 methods of adding the client details to radius:
  1. By editing the /etc/raddb/client.conf, and adding/changing (for example):
  client localhost {
       secret     = mysecretpassphrase
  client 192.168.0.0/24 {
       secret              = mysecretpassphrase
       shortname       = local-lan-clients
  and restarting squid. Nothing seems to get mentioned in the radius log file! So I'm not completely convinced that the Lion Radius took any notice of this!
  2. Instead of above, added the same client info using radiusconfig:
  $ sudo radiusconfig -addclient 192.168.0.0/24 local-lan-clients other <return>
  - then it prompts for the secret. With this command I notice the entry/event is recognised in the radius log file, and also looks like some SQL activity. If I dont specify "other" for the nas-type, it defaults to "Aiport Base Station" or similar.
  OK, so forgetting about SQUID for a minute, I can't even get that far as I'm just trying to test the config using the "radclient" utility from the Lion Server and the squid server:
  $ sudo radclient localhost auth mysecretpassphrase <return>
  and... no response, just hangs, nothing in radius log either.
  The Lion Firewall allows TCP and UDP requests into the Radius authentication port.
  Any ideas what else I need to do? Scratching my head, I'm wondering if it is anything to do with SSL? e.g. do I need to make the authentication using the self-signed certificate that Open Directory has? I presume any Airport Base Stations added to radius will use this certificate to establish a secure connection for authentication.

  The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it and which only allows adding AirPort base-stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base-station.
  However if you follow the normal command-line instructions and steps for configuring FreeRADIUS then it will be possible to add any type of RADIUS client.
  While as far as I can see by manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people chose to configure Squid to use either a PAM or the LDAP modules for Squid to in this case authenticate directly to Open Directory (which is of course based on LDAP).
  I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specific an Open Directory group and only allow members of that group access via the Squid Proxy Server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then setup FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
  Unfortunately the AFP458 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
  http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-pro xy-server/
  http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/