LDAP Policy

I have the LDAP Configuration queries set up and working but when I try to create a policy to import users I'm receiving the error, "No Data Found to Import, please check your import settings"  Here is my policy configuration, does anything jump out as horribly wrong here?
URL   = ldap://OHOwDCG7.na.com:389/dc=na,dc=com
DN Prefix  = cn=
DN Suffix  = ,ou=NaUsers,dc=na,dc=COM
Security Authentication   = Simple
Filter  = (objectCategory=user)
Username  = cn=xmiisrvacct,ou=ServiceAccounts,dc=na,dc=COM
New Password 
Search Base  = ou=NaUsers
Map Username  = sAMAccountName
Map Fullname  = cn
Map Language 
Map Email  = mail
Log Entries:
2007-08-13 10:16:01,179  ERROR  LdapLoginModuleUserMapper  com.lighthammer.cas.authentication.security.spi.mapper.MapperException: No Data Found to Import, please check your import settings
2007-08-13 10:16:01,147  DEBUG  LdapLoginModuleUserMapper  getMappedFields(Map) - Incoming field map = {USERNAME=sAMAccountName, FULLNAME=cn, LANGUAGE=, EMAIL=mail}
My thought and question: the Search Base I've listed is the root OU where users are kept. That OU actually has no users in it; all of the users are in sub-OUs beneath it. Does this import query search recursively? If not, then that is my problem and I'll need to set up an import for each of the individual OUs?

I was able to answer my own question.  It appears that the import users search query does not search recursively.  If I explicitly set the Search Base to one of the sub-OU's containing the actual user objects in AD I get a list returned to me.
Search Base = ou=Normal,ou=Employees,ou=NaUsers
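The behaviour found above comes down to LDAP search scope: a one-level search returns only the immediate children of the Search Base, while a subtree search returns every descendant. The following stdlib-only Python model is an added example, not code from the original post or the product being configured. The OU layout mirrors the thread's DNs, the user entries are invented, and the way the Search Base is joined onto the URL's base DN is an assumption about the import policy.

```python
"""Added example (not from the original post): a stdlib-only model of how LDAP
search scope and search base decide which entries a user import sees.

The OU layout is constructed to resemble the thread's configuration
(dc=na,dc=com, ou=NaUsers with users in sub-OUs); the user entries are
invented. Nothing here connects to a directory server."""

# Constructed sample directory keyed by DN. objectCategory is simplified to a
# bare value; a real AD entry carries a full DN such as cn=Person,cn=Schema,...
SAMPLE_ENTRIES = {
    "dc=na,dc=com": {"objectClass": "domain"},
    "ou=NaUsers,dc=na,dc=com": {"objectClass": "organizationalUnit"},
    "ou=Employees,ou=NaUsers,dc=na,dc=com": {"objectClass": "organizationalUnit"},
    "ou=Normal,ou=Employees,ou=NaUsers,dc=na,dc=com": {"objectClass": "organizationalUnit"},
    "cn=jdoe,ou=Normal,ou=Employees,ou=NaUsers,dc=na,dc=com": {
        "objectCategory": "user", "sAMAccountName": "jdoe", "cn": "jdoe", "mail": "jdoe@na.com"},
    "cn=asmith,ou=Normal,ou=Employees,ou=NaUsers,dc=na,dc=com": {
        "objectCategory": "user", "sAMAccountName": "asmith", "cn": "asmith", "mail": "asmith@na.com"},
    "ou=ServiceAccounts,dc=na,dc=com": {"objectClass": "organizationalUnit"},
    "cn=xmiisrvacct,ou=ServiceAccounts,dc=na,dc=com": {
        "objectCategory": "user", "sAMAccountName": "xmiisrvacct", "cn": "xmiisrvacct", "mail": ""},
}

def split_dn(dn):
    """Split a DN into RDNs, most specific first. DNs are compared
    case-insensitively, which is why dc=COM and dc=com in the thread are the
    same thing. Escaped commas inside values are not handled here."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is returned by a search rooted at base_dn with scope
    'base', 'onelevel' or 'subtree' (the three scopes of an LDAP SearchRequest)."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                       # not under the base at all
    depth = len(entry) - len(base)         # 0 = the base entry itself
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1                  # immediate children only
    if scope == "subtree":
        return True                        # base and every descendant
    raise ValueError(f"unknown scope: {scope}")

def search(entries, base_dn, scope, attr, value):
    """Equality filter such as (objectCategory=user), applied within scope."""
    return sorted(
        dn for dn, attrs in entries.items()
        if in_scope(dn, base_dn, scope) and str(attrs.get(attr, "")).lower() == value.lower()
    )

def import_users(entries, url_base, search_base, scope, field_map):
    """Assumed behaviour of an import policy like the one in the thread: the
    Search Base is relative to the base DN in the URL, so the two are joined,
    then every matching entry is mapped through field_map (target -> attribute)."""
    full_base = f"{search_base},{url_base}" if search_base else url_base
    rows = []
    for dn in search(entries, full_base, scope, "objectCategory", "user"):
        attrs = entries[dn]
        rows.append({target: attrs.get(source, "") for target, source in field_map.items()})
    return rows

FIELD_MAP = {"USERNAME": "sAMAccountName", "FULLNAME": "cn", "EMAIL": "mail"}

if __name__ == "__main__":
    # The thread's original Search Base with a non-recursive (onelevel) search: nothing.
    print(import_users(SAMPLE_ENTRIES, "dc=na,dc=com", "ou=NaUsers", "onelevel", FIELD_MAP))
    # The Search Base that worked: the OU that directly holds the user objects.
    print(import_users(SAMPLE_ENTRIES, "dc=na,dc=com",
                       "ou=Normal,ou=Employees,ou=NaUsers", "onelevel", FIELD_MAP))
    # A subtree search from ou=NaUsers finds them too, without touching
    # ou=ServiceAccounts, which lies outside that base.
    print(import_users(SAMPLE_ENTRIES, "dc=na,dc=com", "ou=NaUsers", "subtree", FIELD_MAP))
```

The one-level case returns an empty list, which is exactly the "No Data Found to Import" condition; the subtree case shows that widening scope rather than pointing at each sub-OU is the usual fix, while the service-account OU stays out of the import because it is not beneath the base.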

Similar Messages

  • Enforcing LDAP Policy for Portal....

    Hello all,
    We have used Microsoft ADS as user data source for Portal. Also we have certain security policies applied for all the users present in AD Server like changing the password when login for the first time. What if I want to apply the same security policies for portal?
    As when I login to Portal for the first time it is giving me error that authentication failed, rather than asking to change the password.
    We are on EP7 SP9.
    Thanks in advance ,
    Amol

    Hello Michael,
The problem is that there are some external users who are not logging in to their desktops in the domain, but their user IDs are created in AD. Now they will be logging in to the portal for the first time, and like the other normal users I want them to change their password on first logon to the portal. How can I achieve this?
    Thanks for reply,
    Amol

  • Server 2012 errors for timeout -- LDAP error number: 55 -- LDAP error string: Timeout Failed to get server error string from LDAP connection

Hello, currently getting the error messages below utilizing software through which LDAP is queried for discovering AD objects/paths and resource enumeration and tracking.
Have ensured firewalls and port (389) related to LDAP are not closed, thus causing hanging.
I see there was a write-up on Svr 2003 ( https://support.microsoft.com/en-us/kb/315071 ), not sure if this is applicable, or if the "Ntdsutil.exe" architecture has changed much from Svr 03. Please advise.
    -----------error msg  ----------------
    -- LDAP error number: 55
    -- LDAP error string: Timeout Failed to get server error string from LDAP connection

    The link you shared is still applicable. You can adjust your LDAP policy depending on your software requirements.
I would also recommend that you get in touch with your software vendor to get more details about the software requirements.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Where is the LDAP manager config stored?

    Hi,
    Can anybody tell me where the configuration for the applied LDAP policies are stored?
    I have servers running LDAP.
    I have added a LDAP policy file to one server, I copied it over to another server.
    But when I select the dropdown to see it in User Manager/LDAP it does not show.
    I also copied the casadmin.xml file, edited the server name, but it still does not show.
    The only thing that works is to create a dummy LDAP, with the correct name, save it and then copy the proper LDAP over it.
    Where is this data stored for the LDAP manager?
    Andy

Most of these files are held in memory. Probably would be best to stop servletexec prior to overwriting the files and then restart it.
    There is also a config file, login-config.xml, that goes along with it.
    Regards,
    Jamie

  • Load Balancing Directory Servers with Access Manager - Simple questions

    Hi.
    We are in the process of configuring 2 Access Manager instances (servers) accessing the same logical LDAP repository (comprising physically of two Directory Servers working together with Multi-Master Replication configured and tested) For doing this, we are following guide number 819-6258.
    The guide uses BigIP load balancer for load balancing the directory servers. However, we intend to use Directory Proxy Server. Since we faced some (unresolved) issues last time that we used DPS, there are some simple questions that I would be very grateful to have answers to:
    1. The guide, in section 3.2.10 (To configure Access Manager 1 with the Directory Server load balancer), talks about making changes at 4 places, and replacing the existing entry (hostname and port) with the load balancer's hostname and port (assuming that the load balancer has already been configured). It says that changes need not be made on Access Manager 2 since the LDAPs are in replication, and hence changes will be replicated at all places. However, the guide also states that changes have to be made in two files, namely AMConfig.properties, and the serverconfig.xml file. But these changes will not be reflected on Access Manager 2, since these files are local on each machine.
    Question 1. Do changes have to be made in AMConfig.properties and serverconfig.xml files on the other machine hosting Access Manager 2?
    Question 2: What is the purpose of putting these values here? Specifically, what is achieved by specifying the Directory server host and port in AMConfig.properties, as well as in serverconfig.xml?
    Question 3. In the HTTP console, there is the option of specifying multiple primary LDAP servers, as well as multiple secondary LDAP servers. What is the purpose of these? Are secondary servers attempted when none of the list in the primary list are accessible? Also, if there are multiple entries in the primary server list, are they accessed in a round robin fashion (hereby providing rudimentary load balancing), or are other servers accessed only when the one mentioned first is not reachable etc.?
    2. Since I do not have a load balancer setup yet, I tried the following deviation to the above, which, according to me, should have worked. If viewed in the HTTP console, LDAP / Membership / MSISDN and Policy configuration all pointed to the DS on host 1. When I changed all these to point to the directory server on host 2 (and made AMConfig.properties and serverconfig.xml on host 1 point to DS of host 2 as well), things should have worked fine, but apparently Access manager 1 could not be started. Error from Webserver:
    [14/Aug/2006:04:30:36] info (13937): WEB0100: Loading web module in virtual server [https-machine_1_FQDN] at [search]
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Exception in thread "EventService" java.lang.ExceptionInInitializerError
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.iplanet.services.ldap.event.EventServicePolling.run(EventServicePolling.java:132)
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at java.lang.Thread.run(Thread.java:595)
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Caused by: java.lang.InterruptedException
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.sun.identity.sm.ServiceManager.<clinit>(ServiceManager.java:74)
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: ... 2 more
    In effect, AM on 1 did not start. On rolling back the changes, things again worked like previously.
    Will be really grateful for any help / insight / experience on dealing with the above.
    Thanks!

Update to the above, in case anyone is reading:
    We setup a similar setup in Windows, and it worked. Here is a detailed account of what was done:
    1. Host 1: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
    All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST1:389)
    2. Host 2: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
    All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST2:389)
    3. Host 1: Started replication. Set to Master
    4. Host 2: Started replication. Set to Master
    5. Host 1: Setup replication agreement to Host 2
    6. Host 2: Setup replication agreement to Host 1
    7. Initiated the remote replica from Host 1 ----> Host 2
    Note that since default installation uses abc.....xyz as the encryption key, setting this to same was not an issue.
    9. Started webserver for Host 1 and logged into AM as amadmin.
    10. Added Host 2 FQDN in DNS Aliases / Realms
    11. Added http://HOST2_FQDN:80 in the Platform server (instance) list.
    12. Started Host 2 webserver. Logged in AM on Host 2, things worked fine.
    At this stage, note the following:
    a) Host 1:
    AMConfig.properties file has
    com.iplanet.am.directory.host=host1_FQDN
    and
    com.iplanet.am.directory.port=389
    serverconfig.xml has:
    <Server name="Server1" host="host1_FQDN" port="389" type="SIMPLE" />
    b) Host 2:
    AMConfig.properties file has
    com.iplanet.am.directory.host=host2_FQDN
    and
    com.iplanet.am.directory.port=389
    serverconfig.xml has:
    <Server name="Server1" host="host2_FQDN" port="389" type="SIMPLE" />
    c) If one logs into AM, and checks LDAP servers for LDAP / Policy Configuration / Membership etc services, they all contain Host2_FQDN:389 (which makes sense, since replica 2 was initialized from 1)
Returning to the configurations:
13. On Host 1, log into the Admin server console of the Directory server. Navigate to the DPS, and configure the following:
    a) Network Group
    b) LDAP servers
    c) Load Balancing
    d) Change Group
    e) Action on-bind
    f) Allow all actions (permit modification / deletion etc.).
g) any other configurations required - Am willing to give detailed steps if someone needs them to help me / themselves! :)
    So now, we have DPS configured and running on Host1:489, and distributing load to DS1 and DS2 on a 50:50 basis.
    14. Now, log into AM on Host 1, and instead of Host1_fqdn:389 (for DS) in the following places, specify Host1_fqdn:489 (for the DPS)--
    LDAP Authentication
    MSISDN server
    Membership Service
Policy configuration.
    Verified that this propagated to the Policy Configuration service and the LDAP authentication service that are already registered with the default organization.
    15. Log out of AM. Following the documentation, modify directory.host and directory.port in AMConfig.properties to point to Host 1_FQDN and 489 respectively. Make this change in AMConfig.properties of both Host 1 as well as 2.
    16. Edit serverconfig.xml on both hosts, and instead of they pointing to their local directory servers, point both to host1_FQDN:489
    17. When you start the webserver, it will refuse to start. Will spew errors such as:
    [https-host1_FQDN]: Sun ONE Web Server 6.1SP5 B06/23/2005 17:36
    [https-host1_FQDN]: info: CORE3016: daemon is running as super-user
    [https-host1_FQDN]: info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_04] from [Sun Microsystems Inc.]
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amserver]
    [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [ampassword]
    [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amcommon]
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amconsole]
    [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [search]
    [https-host1_FQDN]: warning: CORE3283: stderr: netscape.ldap.LDAPException: error result (32); matchedDN = dc=sun,dc=com; No such object (DN changed)
    [https-host1_FQDN]: warning: CORE3283: stderr: Got LDAPServiceException code=-1
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getConnection(DSConfigMgr.java:357)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewFailoverConnection(DSConfigMgr.java:314)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewConnection(DSConfigMgr.java:253)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:184)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:194)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.initLdapPool(DataLayer.java:1248)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.(DataLayer.java:190)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:215)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:246)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.initialize(SMSLdapObject.java:156)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.(SMSLdapObject.java:124)
    [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
    [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance0(Class.java:350)
    [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance(Class.java:303)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.SMSEntry.(SMSEntry.java:216)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ServiceSchemaManager.(ServiceSchemaManager.java:67)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.getServiceSchemaManager(AMClientDetector.java:219)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.(AMClientDetector.java:94)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.mobile.filter.AMLController.init(AMLController.java:85)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:322)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.(ApplicationFilterConfig.java:120)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3271)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3747)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
    [https-host1_FQDN]: failure: WebModule[amserver]: WEB2783: Servlet /amserver threw load() exception
    [https-host1_FQDN]: javax.servlet.ServletException: WEB2778: Servlet.init() for servlet LoginLogoutMapping threw exception
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:949)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
    [https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
    [https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
    [https-host1_FQDN]: ----- Root Cause -----
    [https-host1_FQDN]: java.lang.NullPointerException
    [https-host1_FQDN]: at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
    [https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
    [https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
    [https-host1_FQDN]:
    [https-host1_FQDN]: info: HTTP3072: [LS ls1] http://host1_FQDN:58080 [i]ready to accept requests
    [https-host1_FQDN]: startup: server started successfully
    Success!
    The server https-host1_FQDN has started up.
The server in fact didn't start up (nothing even listening on 58080).
    However, if AMConfig.properties is left as it originally was, and only serverconfig.xml files were changed as mentioned above, web servers started fine, and things worked all okay. (Alright, except for some glitches when viewed in /amconsole. If /amserver/console is accessed, all is good. Can this mean that all is still not well? I am not sure).
So far so good. Now comes the sad part. When the same is done on Solaris 9, things don't work. You continue to get the above error, OR the following error, and the web server will refuse to start:
    Differences in Solaris and Windows are as follows:
    1. Windows hosts have 1 IP and hostname. Solaris hosts have 3 IPs and hostnames (for DS, DPS, and webserver).
    No other difference from an architectural perspective.
    Any help / insight on why the above is not working (and why the hell does the documentation seem so sketchy / insecure / incorrect).
    Thanks a bunch!

  • OIM single use password loop

    We are provisioning users in Sun JDS LDAP using OIM 11g. We have an issue when a user changes their password in OIM. I wonder if anyone has any suggestions of how to fix it as I can't believe that we're the only ones to come across it?
    If the user changes their password in OIM the code that our consultant has written will push that password change down to LDAP. There is a password policy in LDAP that states that if the password was changed by an administrator, not the user themselves, then the password is single use and needs to be changed. This causes our (home grown) login code to redirect the user back to OIM to change their password and so end up in a loop they cannot get out of.
    We talked to the LDAP admin team about changing the policy but they don't want to do that as it's a security risk (admin remembers the password he assigned to the user ...).
    Is this normal? Any workarounds?
    Would this work differently when we move to OAM?

I would have done it in this way: Assuming you have decent knowledge of using existing components of the OOTB connector for re-usability. Also I have never tried this; it's just an approach which could possibly work.
    - The only way for an end user to change its own password in OIM is via self-service which means the tcUtilityFactory would be instantiated by the user itself. If that is the case then you can obtain the User ID in the pre-insert entity adapters/plugin. Now when the password reset operation is being done, you can check the User ID of the Logged In user and the Target User and take a decision whether it was the user itself or some other admin.
    - If it was some other admin then you can set the Force Password Change at next Logon check-box in the User Profile to true.
- Now modify the Change User Password task to use the IT Resource connection credentials if that check box is selected to create a connection, OR use the credentials from the Process Form if that check box is not selected.
    This way the connection to the LDAP would be done via the user itself if it was a self-service password reset and your LDAP Policy would have no complaints.
Assumption: The user has the permissions to establish a JNDI connection with SDS and modify its own account, which I am sure would be there.
    Thanks
    SRS

  • Question on QOS Configuration

I am classifying traffic using NBAR and access-lists, setting DSCP values, and then using bandwidth percentages to reserve bandwidth for protected classes in times of high utilization.
    I currently have this setup on my outside interface (connecting to PE) and have the service policy set on output (egress).
I have found that large data transfers of default-class traffic are still able to overwhelm the link, and the reserved bandwidth percentages do not seem to be able to protect the data in those classes.
Question 1 - Is it common configuration to classify, mark, and set queuing policies on the same interface? Or should I be classifying and marking on the ingress of the LAN interface and then apply the queuing on the outside interface egress?
Here is my current config. As you can see, I am classifying the traffic using access lists and NBAR, and then I am using the policy map on my outside (PE connected) interface egress. For brevity, I have not included the contents of the access-lists. Does anyone see any issues with this config?
    class-map match-all AF41
    match access-group name Management
    class-map match-all AF21
    match access-group name Priority-Apps
    class-map match-all AF31
    match access-group name Critical-Apps
    match protocol citrix
    match protocol kerberos
    match protocol ldap
    policy-map SETDSCP-KABI-NA
    class AF41
      bandwidth percent 20
      random-detect dscp-based
      set ip dscp af41
    class AF31
      bandwidth percent 25
      random-detect dscp-based
      set ip dscp af31
    class AF21
      bandwidth percent 25
      random-detect dscp-based
      set ip dscp af21
class class-default
      set ip dscp default
      fair-queue
    interface Multilink1
    service-policy output SETDSCP-KABI-NA
    Thanks in advance for your replies..

Question 1 - Is it common configuration to classify, mark, and set queuing policies on the same interface? Or should I be classifying and marking on the ingress of the LAN interface and then apply the queuing on the outside interface egress?
    I don't know how common one technique is vs. the other, as QoS is still a bit uncommon, but if possible, I personally prefer doing everything in the egress policy.
    Does anyone see any issues with this config?
    I normally recommend against using RED unless you really understand the technology.  I would especially question using RED and FQ in the same class, as you do in class AF21.
I currently have this setup on my outside interface (connecting to PE) and have the service policy set on output (egress). I have found that large data transfers of default-class traffic are still able to overwhelm the link, and the reserved bandwidth percentages do not seem to be able to protect the data in those classes.
    You describe connecting to a PE, so this is not a p2p link?  If you're working across some kind of cloud technology, just setting QoS, even correctly, on the egress to cloud interface might be insufficient.  Might you describe your WAN environment?
    As you mention default-class traffic, but you didn't post a default-class, you're just using the implicit default settings for this class?
    As you're using NBAR and FQ in a named class, I assume you're working with a software based router using post HQF QoS, but identification of the actual platform and IOS version being used, might also be helpful.

  • DBMS_LDAP size limit

    How do you set the size limit (number of rows) that the LDAP search returns?

Don't change the default LDAP Policy Setting for the Maximum Number of Results. It may negatively impact performance, leaves you vulnerable to Denial of Service attacks, and I can guarantee that if you configure a specific value, in the future you will hit that limit as well.
    Write your application correctly using Paged Results.
    You can find sample code in the post titled "JNDI, Active Directory, Paging and Range Retrieval" available at http://forum.java.sun.com/thread.jspa?threadID=578347&tstart=0
And BTW, the LDAP Policy settings for Active Directory Domain controllers are not configured via registry settings; they are configured via LDAP Policy objects which can be manipulated using NTDSUTIL.EXE or the Windows 2000 Resource Kit utility script MODIFYLDAP.VBS.
    But as I said, write your application correctly using Paged Results.
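The Simple Paged Results control the answer refers to (RFC 2696) lets the client pull a large result set in server-sized pages rather than raising the server's limit for everyone. The following Python simulation is an added example, not code from the thread or the linked post: both the server side (a MaxPageSize-style cap and cookie bookkeeping) and the client loop are modelled in-process, the 2,500 entries and the 1,000-entry limit are constructed, and no real directory is contacted.

```python
"""Added example (not from the original thread): a simulated LDAP Simple Paged
Results exchange (RFC 2696), showing how a client reads a result set larger
than the server's MaxPageSize without touching the policy. The directory,
its 2,500 user entries and the 1,000-entry page limit are constructed for
the example; nothing here talks to a real server."""
import secrets

class SimulatedDirectory:
    """Stand-in for the server side. Enforces a MaxPageSize-style limit and
    keeps the per-search cursor that an opaque paging cookie refers to."""

    def __init__(self, entries, max_page_size=1000):
        self.entries = entries
        self.max_page_size = max_page_size
        self._cursors = {}          # cookie -> offset of the next page

    def search(self, match, page_size=None, cookie=b""):
        """Return (entries, result_code, next_cookie).

        page_size=None models a request without the paged-results control:
        the server truncates at max_page_size and reports sizeLimitExceeded.
        With the control, page_size is clamped to max_page_size and an empty
        next_cookie signals the final page."""
        matches = [e for e in self.entries if match(e)]
        if page_size is None:
            if len(matches) > self.max_page_size:
                return matches[: self.max_page_size], "sizeLimitExceeded", b""
            return matches, "success", b""
        if cookie:
            if cookie not in self._cursors:
                raise ValueError("unknown or expired paging cookie")
            offset = self._cursors.pop(cookie)
        else:
            offset = 0
        page = min(page_size, self.max_page_size)     # server clamps to policy
        chunk = matches[offset: offset + page]
        next_offset = offset + page
        if next_offset >= len(matches):
            return chunk, "success", b""              # last page: empty cookie
        next_cookie = secrets.token_bytes(8)          # opaque to the client
        self._cursors[next_cookie] = next_offset
        return chunk, "success", next_cookie

def paged_search(directory, match, page_size=500):
    """Client side: keep re-issuing the same search with the cookie the server
    returned until the cookie comes back empty. Returns (entries, requests)."""
    collected, cookie, requests = [], b"", 0
    while True:
        chunk, code, cookie = directory.search(match, page_size, cookie)
        requests += 1
        if code != "success":
            raise RuntimeError(f"search failed: {code}")
        collected.extend(chunk)
        if not cookie:
            return collected, requests

# Constructed data: 2,500 user entries under an invented base DN.
SAMPLE_USERS = [
    {"dn": f"cn=user{i:04d},ou=People,dc=example,dc=com", "objectCategory": "user"}
    for i in range(2500)
]

def is_user(entry):
    return entry.get("objectCategory") == "user"

if __name__ == "__main__":
    directory = SimulatedDirectory(SAMPLE_USERS, max_page_size=1000)
    truncated, code, _ = directory.search(is_user)
    print(f"no paging control: {len(truncated)} entries, result {code}")
    entries, requests = paged_search(directory, is_user, page_size=500)
    print(f"paged: {len(entries)} entries in {requests} requests")
```

The unpaged search is silently cut off at the server's limit with a sizeLimitExceeded result, which is the failure the question is really about; the paged client gets everything in five requests, and asking for a page larger than the server allows simply gets clamped, so the application keeps working whatever the policy value is.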

  • Hitting limit when adding users to groups via powershell

I've written a powershell to search AD for users with a specific UPN suffix and add them to a group. It's working, except I am hitting some limit. After the script runs, I see that the group only had 1,500 members (exactly). I am expecting somewhere in the neighborhood of 7,000.
    I did some digging and changed the LDAP policy MaxValRange from 1500 to 15000. This increased my results up to 5,000 (exactly).
    I appear to be hitting some other limit....any ideas what it could be? Here are my current LDAP policies:
    Policy Current(New)
    MaxPoolThreads 4
    MaxDatagramRecv 4096
    MaxReceiveBuffer 10485760
    InitRecvTimeout 120
    MaxConnections 10000
    MaxConnIdleTime 900
    MaxPageSize 1000
    MaxQueryDuration 120
    MaxTempTableSize 10000
    MaxResultSetSize 262144
    MinResultSets 0
    MaxResultSetsPerConn 0
    MaxNotificationPerConn 5
    MaxValRange 15000
    ThreadMemoryLimit 0
    SystemMemoryLimitPercent 0
    Thanks!

    Hello,
    have you seen
    http://technet.microsoft.com/en-us/library/cc756101.aspx for limits in AD.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
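The 1,500 figure in the question is the MaxValRange limit on how many values of one multi-valued attribute (here the group's member list) a domain controller returns in a single reply; the supported way to read a larger list is attribute range retrieval, where the server tags the reply as member;range=0-1499 and the client asks for the next range until the upper bound comes back as "*". The following Python simulation is an added example, not the poster's script or Microsoft code: server and client are both modelled in-process, the 7,000 members and the limit values are constructed, and no domain controller is queried.

```python
"""Added example (not from the original thread): attribute range retrieval,
the mechanism Active Directory uses when a multi-valued attribute such as a
group's member list holds more values than MaxValRange allows in one reply.
The group, its 7,000 member DNs and the 1,500-value limit are constructed for
the example; nothing here queries a domain controller."""
import re

# Range option syntax: attr;range=low-high, where high is '*' on the final chunk.
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$")

class SimulatedGroup:
    """Server side: answers attribute reads for one group entry, returning at
    most max_val_range values per reply and tagging the reply with the range
    it actually covers."""

    def __init__(self, attr, values, max_val_range=1500):
        self.attr, self.values, self.max_val_range = attr, list(values), max_val_range

    def read(self, requested):
        """requested is 'member' or 'member;range=1500-*'. Returns a dict with
        a single key: the plain attribute name when everything fits, otherwise
        the range-tagged name."""
        m = RANGE_RE.match(requested)
        attr = m["attr"] if m else requested
        if attr.lower() != self.attr.lower():
            raise KeyError(attr)
        total = len(self.values)
        if m is None and total <= self.max_val_range:
            return {self.attr: self.values}            # small attribute: no range tag
        low = int(m["low"]) if m else 0
        if low >= total:
            return {}                                   # nothing left to return
        high_req = total - 1 if (m is None or m["high"] == "*") else int(m["high"])
        end = min(total, low + self.max_val_range, high_req + 1)
        chunk = self.values[low:end]
        tag_high = "*" if end >= total else str(end - 1)
        return {f"{self.attr};range={low}-{tag_high}": chunk}

def fetch_all_values(group, attr):
    """Client side: ask for ranges starting at 0 and follow the server's
    reported upper bound until it answers with '*'. Returns (values, requests)."""
    collected, low, requests = [], 0, 0
    while True:
        reply = group.read(f"{attr};range={low}-*")
        requests += 1
        if not reply:
            return collected, requests
        tag, chunk = next(iter(reply.items()))
        collected.extend(chunk)
        m = RANGE_RE.match(tag)
        if m is None or m["high"] == "*":
            return collected, requests
        low = int(m["high"]) + 1

# Constructed data: a group with 7,000 members, the size the thread expects.
MEMBERS = [f"cn=user{i:05d},ou=People,dc=example,dc=com" for i in range(7000)]

if __name__ == "__main__":
    group = SimulatedGroup("member", MEMBERS, max_val_range=1500)
    first = group.read("member")
    print("plain read returns:", {k: len(v) for k, v in first.items()})
    values, requests = fetch_all_values(group, "member")
    print(f"range retrieval: {len(values)} values in {requests} requests")
```

A plain read of the attribute stops at 1,500 values, which is why a script that only looks at the first reply sees exactly 1,500 members; the range-following client reads all 7,000 in five requests at the default limit and in two at a limit of 5,000, so it does not depend on what MaxValRange is set to. The same cap applies when reading a group's membership, so a verification step that counts members needs the range loop as much as the script that populates the group.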

• Implementing EULA / end user declaration using OIM/OAM

    Hi,
    We have a requirement in which we have to make user accept EULA /end user declaration prior to adding details in portal, does any one has pointers on how to do the same using OIM/OAM.
    Early response would be much appreciated.

    I would have done it in this way: Assuming you have decent knowledge of using existing components of OOTB connector for re-usability. Also I have never tried this, its just an approach which could possibly work.
    - The only way for an end user to change its own password in OIM is via self-service which means the tcUtilityFactory would be instantiated by the user itself. If that is the case then you can obtain the User ID in the pre-insert entity adapters/plugin. Now when the password reset operation is being done, you can check the User ID of the Logged In user and the Target User and take a decision whether it was the user itself or some other admin.
    - If it was some other admin then you can set the Force Password Change at next Logon check-box in the User Profile to true.
    - Now modify the Change User Password task to use the IT Resource connection credentials if that check box is selected to create a connection OR use the credentials from the Process Form if that check box is not selected.
    This way the connection to the LDAP would be done via the user itself if it was a self-service password reset and your LDAP Policy would have no complaints.
    Assumption: the user has the permissions to establish a JNDI connection with SDS and modify its own account, which I am sure would be there.
    Thanks
    SRS

  • Migration fails at Upgrading services

    G4 Xserve with 10.4.11, static IP, normal collection of apps and services over a period of 8 years (very happy with the machine). User homes, around 50 GB, mounted on a separate drive from the boot drive. I just bought a new Xserve with an SSD for the OS and three drives for a RAID. I install the new machine in the rack, try to start up and realize that it can't find a boot drive, open the cabinet, and find the SSD drive loose inside. I plug it back in and go through Server Setup Assistant. I choose to migrate from my 10.4.11 machine using target disk mode. All appears to be working fine; it says it successfully migrated my info. I click continue and a dialog called "Setting Up" appears with a yellow dot beside "Setting serial number" and a message in the lower left corner that says "Upgrading services". The interface appears to be stalled at this point for hours. I let it run overnight, and it never proceeds past this dialog. At some point, I get an error that the hard disk is almost full. I restart the next morning and despite trying multiple solutions mentioned in the forums (unplugging the network cable, starting in single-user mode and editing the hosts file, reinstalling the OS from the Install disk and starting over, etc.) I still cannot get past this dialog. I can't log in and set things manually....nothing. The SSD drive is 128 GB and I can't recall exactly how much was on my original boot drive, but it wasn't more than 20 GB. Could the migration assistant be trying to pack all 50 GB of my User home directories (on a separate drive previously) onto my new boot drive and causing the problem?
    Any ideas on how I can get past the wizard so I can fix things manually, somehow?
    Thanks for any help...it's been 3 days of misery.
    Jack

    I'd recommend not upgrading your config and instead starting with a fresh install of 10.6 Server.
    For the service config, export the settings on the old server and import them on the new one.
    For user accounts, export users, groups, etc. and import them on the new server. Enough has changed with both service config and OD between 10.4 and 10.6 that I recommend staying away from a straight migration in place. The exported users will have their passwords wiped, but you can set them to defaults and require changing them on first login with LDAP policy.
    As for data, just move it in place as needed with rsync or your tools of choice. Since you have the 3 internal drives separate from your SSD boot, dump all data on them. It's possible the migration copied too much data to the boot drive, thus filling it. Since I never do such upgrades/migrations, I'm not sure, though.
    Strangely, the Xserve with SSD I most recently configured also had the SSD drive disconnected and floating inside the case. Thanks, quality control…

  • ISE Authentication Policy for RSA Securid and LDAP for VPN

    We are working on replacing our existing ACS server with ISE.  We have 2 groups of users, customers and employees.  The employees utilize RSA SecurID for authentication while the customers use Windows authentication.  We have integrated the AD into ISE using LDAP and this has been tested.  We are now working on trying to get the RSA portion to work.  We are wanting to utilize the authorization policy to assign the group-policy/IP for both clients via the LDAP user attributes.
    Here is my question:
    Under the authentication policy should we look at an identity store that has RSA SecurID users, LDAP users and then internal users?  I assume if the user isn't present in the RSA store it will then look at the LDAP; will this present an issue with overhead in our RSA environment?  With the legacy ACS the decision on where to authenticate the user was done on the ACS, either Windows or RSA.  The employee users will still also be present in the LDAP so we can utilize the attributes for IP address/group policy.  The number of customer VPNs is several times larger than employees and I am afraid that if we have to query the SecurID servers for every VPN authentication attempt this could cause issues.  Our ultimate goal is to move to AnyConnect and utilize a single URL for all authentication but allow ISE to instruct the ASA what attributes to hand to the client such as DNS/DACL.
    Thanks,
    Joe

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, test1 user has to type in his/her RSA token password to get
    into exec mode. After that, he/she has to use the RSA token password to
    get into enable mode. Each user can get into "enable" mode with his/her
    RSA token mode.
    The way you described, it seemed like anyone in this group can go directly
    into enable mode without a password. This is not what I have in mind.
    Any other ideas? Thanks.

  • OWSM won't connect to ldap for authentication in policy

    System: 10.1.3 on Windows with SOA Suite
    I've got a web service deployed, got OWSM running, have registered the web service with a gateway component and have built a basic policy (just to log) in the Pipeline "request" and Pipeline "Response" parts of the governing policy; this basic policy works correctly. However, when I try to add an "Ldap Authenticate" step to the Pipeline "Request" part of the policy, OWSM doesn't seem to really try to connect to the LDAP. I have tried two LDAPs (Lotus Notes and OID) that are operational - I can access both of them via command line using the same credentials with which I configured the "Ldap Authenticate" step. Yet, when I invoke the web service with the "Ldap Authenticate" step configured in the policy I get the following exception:
    A fault was thrown in the step Client.AuthenticationFault:Invalid username or password
    I'm pretty dang sure I have entered the correct credentials in the "Ldap Authenticate" configuration (I checked it 45,000 times) - it seems that OWSM really isn't trying to connect to the LDAPs - and there's no logging that I've found that will tell me what it's really trying to do.
    Anyone have any hints or know what's going on?

    I have the same problem.
    With the help of Vikas's instructions for changing the log level I could log the gateway's activities:
    security.WSBasicCredsExtractor - Element Value:farbod
    security.WSBasicCredsExtractor - Element Value:mypassword
    security.WSBasicCredsExtractor - Successfully retrieved username and password
    security.WSBasicCredsExtractor - Removing the UsernameToken Header
    ldap.DirContextHolder - Creating new directory context
    ldap.LDAPAuthenticatorStep - Failed to connect to ldap server.
    I am unsure whether my LDAP settings in OWSM are correct:
    my server name is nfsserver.com(OID Server) and I have this user in OID:
    cn=farbod,cn=Users,dc=nfsserver,dc=com
    so I think these settings should work:
    LDAP host (*)      nfsserver
    LDAP port (*)      389      
    User objectclass (*)      inetOrgPerson      
    LDAP baseDN (*)      cn=Users,dc=nfsserver,dc=com
    LDAP adminDN (*)      cn=orcladmin,cn=Users,dc=nfsserver,dc=com
    LDAP admin password      ******          
    LDAP admin login enabled (*)      true
    Uid Attribute (*)      string      uid      
    User Attributes to be retrieved      uid
    Is the bold part correct?
    Regards
    Farbod

  • Anyconnect tunnel-group and group-policy from LDAP

    Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.
    To prevent users from selecting an incorrect group-policy, the LDAP server provides an IETF-Radius-Class value which matches the different group-policy names.
    It is my understanding that the authentication method is provided by the tunnel-group.
    tunnel-group DefaultWEBVPNGroup general-attributes
     authentication-server-group LDAP_AD
    This all works, but for _one_ of the group policies I'd like to enable (external) two-factor authentication. To enable two-factor auth a 'secondary-authentication-server-group' needs to be set in the tunnel-group.
    Creating a tunnel-group which matches the name of the group-policy doesn't seem to have any effect.  When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.
    When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two factor auth does work.
    To summarize, is it possible to let LDAP decide which tunnel-group is used or is there another way to have different group policies without users being able to choose ?

    Fabian, 
    Your connection lands on a tunnel group and picks a group policy. 
    A typical way to overcome the problem you're indicating is by using group-url. 
    a URL is bound to a specific tunnel-group and allows you to land directly on the one you desire. 
    vide:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
    M.
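
    As an added example (not from the thread and not Cisco's own text), the group-url approach in ASA CLI form. It also adds a check the question asks for implicitly: without it, an employee who connects through the generic URL still lands on DefaultWEBVPNGroup and gets single-factor authentication. The names EMPLOYEES-2FA, RSA_TOKENS, GP_EMPLOYEES and vpn.example.com are assumptions; LDAP_AD and DefaultWEBVPNGroup are the names used in the question.

```cisco
! Added example, not from the original post. Assumed names: EMPLOYEES-2FA,
! RSA_TOKENS, GP_EMPLOYEES, vpn.example.com.

! Group policy whose name equals the IETF-Radius-Class value the LDAP
! server returns for employees. group-lock refuses this group policy on
! any tunnel-group other than the two-factor one, so an employee who uses
! the generic URL is disconnected instead of getting a single-factor login.
group-policy GP_EMPLOYEES internal
group-policy GP_EMPLOYEES attributes
 vpn-tunnel-protocol ssl-client
 group-lock value EMPLOYEES-2FA

! Dedicated tunnel-group for the second factor. The user never picks it
! from a list: the group-url lands the client on it directly.
tunnel-group EMPLOYEES-2FA type remote-access
tunnel-group EMPLOYEES-2FA general-attributes
 authentication-server-group LDAP_AD
 secondary-authentication-server-group RSA_TOKENS
 default-group-policy GP_EMPLOYEES
tunnel-group EMPLOYEES-2FA webvpn-attributes
 group-url https://vpn.example.com/employees enable

! Keep the tunnel-group drop-down off so customers cannot choose a
! tunnel-group; they keep landing on DefaultWEBVPNGroup via the plain URL.
webvpn
 no tunnel-group-list enable
```

    Point the employees' AnyConnect profile (or the host entry they type) at https://vpn.example.com/employees. After this, "show vpn-sessiondb anyconnect" shows EMPLOYEES-2FA as the Tunnel Group for those sessions, and the group policy returned by LDAP still takes precedence over default-group-policy. The group-lock line is the part that actually enforces the policy; group-url alone only steers well-behaved clients.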

  • LDAP (openldap) authorization with DAP (dynamic access policy)

    Hello,
    We have an ASA 5520 and we try to make an LDAP (OpenLDAP) authorization with DAP (Dynamic Access Policy). We have a problem with the logical expression. We need more examples of logical expressions and we need to know how to debug a logical expression. We try to use debug dap trace and debug dap errors but we need more debug information.

    Hi
    I guess you are using an LDAP attribute map to map the AD group to a group policy. This does not work as you may expect when the user is part of multiple groups, i.e. the user will always be mapped to the same group (first or last in the list, not sure).
    Possible solution : remove the ldap attribute map, and configure dap rules that check the ldap.memberOf attribute instead
    Hth
    Herbert
    Sent from Cisco Technical Support iPad App - sorry for the brief explanation, if you need more details let me know.
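
    As an added example (not from the thread), a DAP logical expression that does what the reply suggests: match on ldap.memberOf instead of an attribute map. DAP logical expressions are Lua; this one is entered in the Advanced section of the DAP record in ASDM and makes the record match only when one of the user's memberOf values is the wanted group DN. The group DN is an assumption; aaa.ldap.memberOf is the name the ASA gives the attribute. The expression handles the multi-group case the reply describes: for a user in one group the ASA hands the expression a string, for a user in several groups a table.

```lua
-- Added example, not from the original post. The group DN is an assumption.
assert(function()
  local wanted = string.lower("CN=VPN-Users,OU=Groups,DC=example,DC=com")
  local attr = aaa.ldap.memberOf

  -- One group: a string. Several groups: a table of strings. Absent: nil.
  local values = {}
  if type(attr) == "string" then
    values = { attr }
  elseif type(attr) == "table" then
    values = attr
  end

  for _, dn in pairs(values) do
    -- Compare whole DNs, case-insensitively. Equality is deliberate:
    -- string.find with a Lua pattern would treat the '-' in "VPN-Users" as
    -- a quantifier, and a substring test would also accept a group such as
    -- "CN=VPN-Users-Guests,...".
    if string.lower(dn) == wanted then
      return true
    end
  end
  return false
end)()
```

    To see what the expression is given, run "debug dap trace" (the trace prints the aaa.ldap.* values the ASA collected for the session) and "debug ldap 255" on the ASA to see the raw memberOf values returned by OpenLDAP, then compare them character for character with the DN in the expression; a trailing space or a differently ordered RDN in the directory is the usual reason such a match fails.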
