ACI help!!!!

Hey All,
I am a bit new to Directory Server, so please excuse any stupid questions here.
I have an application that is using ldap to authenticate. Right now it's using directory manager to authenticate. I have created a user "testuser" entry that is located in ou=People,o=foo.com. I have an ACI restricting testuser to only be able to view ou=People, o=foo.com, o=foo.com as there are other directories under o=foo.com,o=foo.com. I need to be able to restrict testuser to only be able to read/search on attributes uid, userPassword and cn. I have created an ACI for this located in ou=People, o=foo.com,o=foo.com directory. It is -
(targetattr = "uid || cn || userPassword")
(target = "ldap:///ou=People, o=foo.com,o=foo.com")
(version 3.0;acl "access only for uid, cn, userpassword user=testuser"
;allow (read,search) (userdn = "ldap:///uid=testuser, ou=People, o=foo.com");)
I have tried different variations but none seem to work. Is what I am trying to accomplish possible? From what I've read, theoretically it should be. Also I have noticed that on o=foo.com there is an ACI for all access
(targetattr != "userPassword || passwordHistory || passwordExpirationTime ||
passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime
|| passwordAllowChangeTime ")
(version 3.0; acl "Anonymous access";
allow (read, search, compare)userdn = "ldap:///anyone";)
Now would this take precedence over my ACI on ou=People,o=foo.com,o=foo.com? I've read that
ACI's are more designed for Deny All and only open to those select few, is this true? If I deny all on o=foo.com will any allow ACI's ever work?
Thanks in advance!

As I recall, I once answered a similar question here.
If you want to deny some "access", try to use "deny" instead of "allow". For example, if you only want to allow "read, search", try using deny "delete ...".
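
How the two ACIs in the question combine, as an added example that is not part of the original posts: a simplified Python model of Directory Server ACI evaluation, in which access is refused unless some ACI allows it, allows from every level of the tree add up, and a matching deny overrides any allow. The entry uid=alice, the mail and telephoneNumber attributes and the deny ACI are constructed for illustration.

```python
from dataclasses import dataclass


def norm(dn: str) -> str:
    """Lower-case a DN and drop spaces around the commas (simplified normalisation)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """An ACI stored on base_dn covers base_dn itself and everything below it."""
    entry, base = norm(entry_dn), norm(base_dn)
    return entry == base or entry.endswith("," + base)


@dataclass(frozen=True)
class Aci:
    name: str
    location: str    # entry that holds the aci attribute
    attrs: tuple     # attribute names listed in targetattr
    negated: bool    # True for targetattr != "..."
    effect: str      # "allow" or "deny"
    rights: tuple
    userdn: str      # "anyone" or a bind DN

    def applies(self, bind_dn, entry_dn, attr, right) -> bool:
        if right not in self.rights or not in_subtree(entry_dn, self.location):
            return False
        listed = attr.lower() in (a.lower() for a in self.attrs)
        if listed == self.negated:   # attribute is outside this ACI's target
            return False
        # ldap:///anyone matches anonymous and authenticated binds alike
        return self.userdn == "anyone" or norm(self.userdn) == norm(bind_dn)


def allowed(acis, bind_dn, entry_dn, attr, right="read") -> bool:
    hits = [a for a in acis if a.applies(bind_dn, entry_dn, attr, right)]
    if any(a.effect == "deny" for a in hits):
        return False                              # deny always wins
    return any(a.effect == "allow" for a in hits)  # no allow means no access


def readable(acis, bind_dn, entry_dn, attrs):
    return [a for a in attrs if allowed(acis, bind_dn, entry_dn, a)]


# DNs as written in the question; ALICE and SAMPLE_ATTRS are constructed.
ROOT = "o=foo.com"
PEOPLE = "ou=People, o=foo.com,o=foo.com"
TESTUSER = "uid=testuser, ou=People, o=foo.com"
ALICE = "uid=alice,ou=People,o=foo.com,o=foo.com"
SAMPLE_ATTRS = ["uid", "cn", "userPassword", "mail", "telephoneNumber"]

PASSWORD_ATTRS = ("userPassword", "passwordHistory", "passwordExpirationTime",
                  "passwordExpWarned", "passwordRetryCount", "retryCountResetTime",
                  "accountUnlockTime", "passwordAllowChangeTime")

# The existing ACI on o=foo.com quoted in the question.
ANON = Aci("Anonymous access", ROOT, PASSWORD_ATTRS, True,
           "allow", ("read", "search", "compare"), "anyone")
# The poster's ACI on ou=People.
ONLY3 = Aci("access only for uid, cn, userpassword", PEOPLE,
            ("uid", "cn", "userPassword"), False,
            "allow", ("read", "search"), TESTUSER)
# Constructed addition: deny testuser every attribute outside the three.
DENY_REST = Aci("deny testuser all other attributes", PEOPLE,
                ("uid", "cn", "userPassword"), True,
                "deny", ("read", "search"), TESTUSER)

AS_POSTED = [ANON, ONLY3]
WITH_DENY = [ANON, ONLY3, DENY_REST]

if __name__ == "__main__":
    print("as posted :", readable(AS_POSTED, TESTUSER, ALICE, SAMPLE_ATTRS))
    print("with deny :", readable(WITH_DENY, TESTUSER, ALICE, SAMPLE_ATTRS))
    print("anonymous :", readable(WITH_DENY, "", ALICE, SAMPLE_ATTRS))
```

In this model the narrower allow on ou=People only adds userPassword to what the anonymous ACI already grants; it takes a deny (or removal of the anonymous allow) to shrink testuser's view.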

Similar Messages

  • ACI-How are the new advancements in ACI helping the drawbacks in nexus switching?


    ACI is a paradigm shift in data centre designs.
    According to this solution overview ACI is the next generation of Software Defined Networking:
    http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/guide-c07-731461.html
    Having worked with Nexus switches for a couple of years now I haven't encountered any serious drawbacks with these devices.

  • Help with target filter in an ACI and editing multivalue attributes

    Here is the ACI I tried to use:
    (targetattr = "*")
    (target = "ldap:///ou=xyz,dc=company,dc=com")
    (targetfilter=(objectclass=groupofuniquenames)||(objectclass=extendedobjectclass1)||(objectclass=extendedobjectclass2))
    (version 3.0;acl "xyzadmin privileges";
    allow (selfwrite,write,delete,add)
    (userdn = "ldap:///uid=xyzadmin,ou=people,dc=company,dc=com");)
    1. Is the targetfilter syntax above correct? This does not work even when I tried the other notation
    " (|(|(objectclass=X)(objectclass=Y))(objectclass=Z)) "
    2. xyzadmin needs to update (another system creates a value initially) an 'extendedattribute' in either of the 'extendedobjectclass1/2'. This works if I set separate ACIs. If I combine them (as above) it does not work. Any solutions?
    3. Not exactly related to this. The 'extendedattribute' is a multi-value attribute. Say it has two values,
    (extendedattribute: ID1=222|ID2=333, ID1=444|ID2=-1). If I want to use ldapmodify and replace the
    'ID1=444|ID2=-1' to 'ID1=444|ID2=555', how can it be done?
    The same question can be rephrased as 'how can I replace a value amongst a set of values in a multivalued attribute with ldapmodify'? Is it possible?
    p.s.: Please don't ask to split the ID1, ID2 into 2 attributes as one of the products using the directory requires it to be that way (ID1=<value>|ID2=<value>).

    My answer will concern only your first query.
    Firstly, the target syntax must include the target keyword in the first portion of the rule.
    Have you tried these syntaxes ===>
    (targetfilter="(|(objectClass=groupofuniquenames)(|(objectClass=extendedobjectclass1)(objectClass=extendedobjectclass2)))")
    or
    (targetfilter="(|(objectclass=groupofuniquenames)(objectclass=extendedobjectclass1)(objectclass=extendedobjectclass2))")
    The first syntax works correctly for me.
    I hope this helps you, and good luck with the rest.
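
Which of the filter strings in this thread are well-formed, checked with a small parser for a subset of the RFC 4515 string filter grammar; this is an added example, not code from the thread or from Directory Server. It handles only equality items and the &, |, ! operators, and the function names are constructed.

```python
def parse_filter(text: str):
    """Parse an LDAP filter string into nested tuples; raise ValueError if malformed."""
    pos = 0

    def fail(msg):
        raise ValueError(f"{msg} at offset {pos} in {text!r}")

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            fail("expected '('")
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            # Prefix notation: the operator comes first, then one or more filters.
            op = text[pos]
            pos += 1
            kids = []
            while pos < len(text) and text[pos] == "(":
                kids.append(parse())
            if not kids or (op == "!" and len(kids) != 1):
                fail(f"operator {op!r} has the wrong number of operands")
            node = (op, kids)
        else:
            end = text.find(")", pos)
            if end == -1:
                fail("unterminated item")
            item = text[pos:end]
            attr, sep, value = item.partition("=")
            if not sep or not attr.strip() or "(" in item:
                fail("expected attr=value")
            # objectclass names compare case-insensitively, so fold case here
            node = ("=", attr.strip().lower(), value.strip().lower())
            pos = end
        if pos >= len(text) or text[pos] != ")":
            fail("expected ')'")
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        fail("text after the end of the filter")  # e.g. an infix '||'
    return node


def is_well_formed(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def or_values(node) -> set:
    """Set of values matched by a filter built only from '|' and equality items."""
    if node[0] == "=":
        return {node[2]}
    if node[0] == "|":
        return set().union(*(or_values(kid) for kid in node[1]))
    raise ValueError("filter uses an operator other than '|'")


# Filter strings as they appear in the thread.
INFIX = ("(objectclass=groupofuniquenames)||(objectclass=extendedobjectclass1)"
         "||(objectclass=extendedobjectclass2)")
POSTER_PREFIX = "(|(|(objectclass=X)(objectclass=Y))(objectclass=Z))"
NESTED = ("(|(objectClass=groupofuniquenames)(|(objectClass=extendedobjectclass1)"
          "(objectClass=extendedobjectclass2)))")
FLAT = ("(|(objectclass=groupofuniquenames)(objectclass=extendedobjectclass1)"
        "(objectclass=extendedobjectclass2))")

if __name__ == "__main__":
    for label, text in [("infix", INFIX), ("poster prefix", POSTER_PREFIX),
                        ("nested", NESTED), ("flat", FLAT)]:
        print(f"{label:14} well-formed: {is_well_formed(text)}")
    print("nested == flat:", or_values(parse_filter(NESTED)) == or_values(parse_filter(FLAT)))
```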

  • Pls help: aci based on reference to other entries?

    Hello,
    We have a question about defining an ACI. Our users are students, who can enroll in multiple study programmes. Thus our entries (simplified version) look like the following:
    For student:
    dn: uid=1234,dc=my,dc=domain
    objectclass: inetorgperson
    objectclass: student
    cn: my CN
    sn: my SN
    studentID: A1234
    userpasswd: ....
    For the study programmes of the corresponding student ("links" to student records through the studentID attribute):
    dn: uid=7890,dc=my,dc=domain
    objectclass: studentprofile
    programmeName: Dept of Chemistry
    studentID: A1234
    dn: uid=8901,dc=my,dc=domain
    objectclass: studentprofile
    programmeName: Dept of Physics
    studentID: A1234
    Now we want to define an ACI to limit access to student records based on the study programme (programmeName in above example). However, since the programmeName doesn't exist in the student's record, I wonder if it's possible to setup such ACI.
    Would anyone please help?
    Thanks a lot.
    /ST Wong

    Hello,
    perhaps you could base your ACIs on DS Groups.
    Your study programmes definitions are essentially, or could be defined as, Groups. Each Student can be a Member of some DS Groups.
    IDM Ldap connector supports group memberships.
    Then you can write ACIs which refer, in the Bind Rule part, the groups.
    Using groups can leverage:
    - referential integrity (when you remove a student from DS it is automatically removed from his/her groups)
    - class of service (attributes are automatically assigned to students depending on their memberships)
    HTH

  • I am unable to save plug-in gadgets in Blogger because I get a Javascript:void(0) message on pop-up window. Pop-up blocker is disabled, cache cleared. Help?

    I am trying to add a plug-in gadget to my blogger blog. They use a pop-up window to configure the gadget and then a save button. When I am ready to save the plug-in I see a tiny message in the lower left of the pop-up window which says " Javascript:void(0)". I click "save" but the operation is not fully completed. Here is the strange part. The plug in does appear on my blog but I cannot edit it from the blog. When it was first installed, I could edit the plug-in but the changes would not be saved. Now I cannot edit as no editing buttons appear.
    I have cleared my cache, have exempted the Blogger site from my pop-up blocker. I have rebooted. My Firefox plug-ins are all up to date. I have contacted the support for the company that makes the plug-in, they can't fix it. I tried to contact Google but that help pop-up box also did not work properly as it only allows me to sign in but then nothing more happens.
    I don't want to have to refresh Firefox unless I have to... rebuilding what I have is going to take a lot of time.

    Hi Winnie
    Unfortunately I have been sick and did not read the message before. I apologize.
    I have not received help beyond what is on the page. But when I get it, I will tell you.
    I hope you can get answers. If you receive any, I ask that you share them with me.
    thank you very much
    best regards
    AC
    Date: Mon, 27 Feb 2012 09:33:10 -0700
    From: [email protected]
    To: [email protected]
    Subject: Pop up Window before saving remembering the need (forcing) to fill required fields in a form
        Re: Pop up Window before saving remembering the need (forcing) to fill required fields in a form
        created by Win_Form in Forms - View the full discussion
    Hi AC, I wonder if you can share any responses to your question above? I too have never used a script but I have the same problems as you in regards to building a form, and want to have the same 'protection' and message reminders for the end users. Any information, including a script and/or a contact email of experts you can share with me will help tremendously. Thank you so much in advance. Winnie

  • Error While running ATG ACI 9.2 OOTB Reports.

    Hi All,
    I am getting following error when I run some of the OOTB ACI 9.2 reports.
    UDA-SQL-0107 A general exception has occurred during the operation "prepare".ORA-32035: unreferenced query name defined in WITH clause RSV-SRV-0042 Trace back:RSReportService.cpp(758): QFException: CCL_CAUGHT: RSReportService::process()RSReportServiceMethod.cpp(239): QFException: CCL_RETHROW: RSReportServiceMethod::process(): promptPagingForward_RequestRSASyncExecutionThread.cpp(774): QFException: RSASyncExecutionThread::checkExceptionRSASyncExecutionThread.cpp(211): QFException: CCL_CAUGHT: RSASyncExecutionThread::run(): promptPagingForward_RequestRSASyncExecutionThread.cpp(824): QFException: CCL_RETHROW: RSASyncExecutionThread::processCommand(): promptPagingForward_RequestExecution/RSRenderExecution.cpp(593): QFException: CCL_RETHROW: RSRenderExecution::executeAssembly/RSDocAssemblyDispatch.cpp(264): QFException: CCL_RETHROW: RSDocAssemblyDispatch::dispatchAssemblyAssembly/RSLayoutAssembly.cpp(64): QFException: CCL_RETHROW: RSLayoutAssembly::assembleAssembly/RSDocAssemblyDispatch.cpp(331): QFException: CCL_RETHROW: RSDocAssemblyDispatch::dispatchChildrenAssemblyForwardAssembly/RSReportPagesAssembly.cpp(163): QFException: CCL_RETHROW: RSReportPagesAssembly::assembleAssembly/RSDocAssemblyDispatch.cpp(281): QFException: CCL_RETHROW: RSDocAssemblyDispatch::dispatchAssemblyAssembly/RSPageAssembly.cpp(287): QFException: CCL_RETHROW: RSPageAssembly::assembleAssembly/RSDocAssemblyDispatch.cpp(281): QFException: CCL_RETHROW: RSDocAssemblyDispatch::dispatchAssemblyAssembly/RSTableRowAssembly.cpp(160): QFException: CCL_RETHROW: RSTableRowAssembly::assembleAssembly/RSDocAssemblyDispatch.cpp(281): QFException: CCL_RETHROW: RSDocAssemblyDispatch::dispatchAssemblyAssembly/RSTableCellAssembly.cpp(122): QFException: CCL_RETHROW: RSTableCellAssembly::assembleAssembly/RSDocAssemblyDispatch.cpp(331): QFException: CCL_RETHROW: RSDocAssemblyDispatch::dispatchChildrenAssemblyForwardAssembly/RSTableAssembly.cpp(97): QFException: CCL_RETHROW: 
RSTableAssembly::assembleAssembly/RSDocAssemblyDispatch.cpp(331): QFException: CCL_RETHROW: RSDocAssemblyDispatch::dispatchChildrenAssemblyForwardAssembly/RSTableRowAssembly.cpp(160): QFException: CCL_RETHROW: RSTableRowAssembly::assembleAssembly/RSDocAssemblyDispatch.cpp(281): QFException: CCL_RETHROW: RSDocAssemblyDispatch::dispatchAssemblyAssembly/RSTableCellAssembly.cpp(122): QFException: CCL_RETHROW: RSTableCellAssembly::assembleAssembly/RSDocAssemblyDispatch.cpp(331): QFException: CCL_RETHROW: RSDocAssemblyDispatch::dispatchChildrenAssemblyForwardAssembly/RSAssembly.cpp(626): QFException: CCL_RETHROW: RSAssembly::createListIteratorAssembly/RSAssembly.cpp(667): QFException: CCL_RETHROW: RSAssembly::createListIteratorRSQueryMgr.cpp(978): QFException: CCL_RETHROW: RSQueryMgr::getListIteratorRSQueryMgr.cpp(1051): QFException: CCL_RETHROW: RSQueryMgr::getResultSetIteratorRSQueryMgr.cpp(1211): QFException: CCL_RETHROW: RSQueryMgr::createIteratorRSQueryMgr.cpp(1511): QFException: CCL_RETHROW: RSQueryMgr::executeRsapiCommandRSQueryMgr.cpp(1498): QFException: CCL_RETHROW: RSQueryMgr::executeRsapiCommandRSQueryMgrExecutionHandlerImpl.cpp(174): QFException: CCL_RETHROW: RSQueryMgrExecutionHandlerImpl::execute()RSQueryMgrExecutionHandlerImpl.cpp(154): QFException: CCL_RETHROW: RSQueryMgrExecutionHandlerImpl::execute()RSQFSession.cpp(243): QFException: CCL_RETHROW: RSQFSession::DoRequestQFSSession.cpp(603): QFException: CCL_RETHROW: QFSSession::ProcessDoRequest()QFSSession.cpp(601): QFException: CCL_CAUGHT: QFSSession::ProcessDoRequest()QFSSession.cpp(558): QFException: CCL_RETHROW: QFSSession::ProcessDoRequest()QFSConnection.cpp(737): QFException: CCL_RETHROW: QFSConnection::ExecuteQFSQuery.cpp(199): QFException: CCL_RETHROW: QFSQuery::Execute v2CoordinationQFSQuery.cpp(4174): QFException: CCL_THROW: CoordinationPlanner
    I changed "Use SQL With Clause" to "No" to resolve that. After changing that I got the following error when I run the same OOTB report.
    I changed "Auto Group & Summarize" to No, then this error is resolved; the report is displaying but the data within the report is showing duplication of records. It seems because of changes for "Auto Group & Summarize" the report is not displaying aggregation or group data.
    I am using ATG 9.2, Oracle 10g , Oracle thin driver. Please help me to resolve these issues.
    Advanced Thanks for any help.
    Edited by: ram_atg_867614 on Jun 23, 2011 3:17 AM
    Edited by: ram_atg_867614 on Jun 23, 2011 3:22 AM

    Hi
    I think you may be running into a known product issue here - ARF-168034.
    You will need to contact the support team and log a support case.
    There are fixes available for this issue.
    Please send the full server log files containing both the errors you saw while opening the case.
    Thanks
    Gareth

  • SQL injection protection help

    In trying to help another user, I was reminded of a problem I face often. Trying to create a DW recordset using an IN clause (I think this got broken in the 8.0.2 update and seems to still be broken in CS3).
    I create a string held in a variable like this:
    $ids = "(1,5,9,23,6)";
    My advanced recordset is this:
    SELECT * FROM tbl WHERE id IN varIds
    Then I set the variable parameters to type=text, default=(-1), and runtime to $ids.
    The generated SQL doesn't work because DW puts single quotes around my variable and the SQL query becomes invalid. DW creates this:
    SELECT * FROM tbl WHERE id IN '(1,5,9,23,6)'
    It should be:
    SELECT * FROM tbl WHERE id IN (1,5,9,23,6)
    So, I edited the SWITCH block at the top of the document to include a "custom" type, which is the same as the TEXT type but without the single quotes.
    case "custom":
    $theValue = ($theValue != "") ? $theValue : "NULL";
    break;
    Then in my SQL statement, I manually changed "text" to "custom".
    This works fine, but does that open me up to SQL injection or other bad stuff?
    Alec Fehl, MCSE, A+, ACE, ACI
    Adobe Community Expert
    AUTHOR:
    Microsoft Office 2007 PowerPoint: Comprehensive Course (Labyrinth Publications)
    Welcome to Web Design and HTML (Labyrinth Publications)
    CO-AUTHOR:
    Microsoft Office 2007: Essentials (Labyrinth Publications)
    Computer Concepts and Vista (Labyrinth Publications)
    Mike Meyers' A+ Guide to Managing and Troubleshooting PCs (McGraw-Hill)
    Internet Systems and Applications (EMC Paradigm)

    It looks like you're using PHP ... to protect from SQL injections I always do this:
    $query = "SELECT * FROM tbl WHERE col='%s' AND col2 IN (%d,%d)";
    $query = sprintf($query,"val",34,23);
    $result = mysql_query($query);
    This method ensures that if a user puts "DELETE FROM tbl" in an input field, it will not cause any deletions, instead the words 'DELETE FROM tbl' will be inserted. Check out sprintf in the PHP manual - good stuff!
    One thing to remember about SQL injection, the injected SQL has to be entered somehow by the end-user (usually with a form); I may be wrong, but this sql statement looks like it is contained entirely within your scripts (i.e. it isn't getting a user-generated value to build any part of the SQL statement). Again, I'm guessing here - but it looks that way.
    Alex
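
The unquoted "custom" type from the question next to a per-element integer check with one placeholder per id, as an added example that is not code from the thread. It uses Python's sqlite3 in place of PHP/MySQL so that it runs stand-alone; the table contents and function names are constructed.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table standing in for 'tbl' from the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO tbl VALUES (?, ?)",
                     [(i, f"row{i}") for i in (1, 5, 6, 9, 23, 42)])
    return conn


def custom_type_query(conn, ids_text):
    """Same effect as the 'custom' switch case: the value goes into the SQL unquoted."""
    sql = "SELECT id FROM tbl WHERE id IN " + ids_text
    return sorted(row[0] for row in conn.execute(sql))


def parse_ids(ids_text):
    """Accept only '(n,n,...)' or 'n,n,...' where every n is a decimal integer."""
    body = ids_text.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    ids = []
    for piece in body.split(","):
        piece = piece.strip()
        if not re.fullmatch(r"-?[0-9]+", piece):
            raise ValueError(f"not an integer id: {piece!r}")
        ids.append(int(piece))
    return ids


def safe_in_query(conn, ids_text):
    """Build 'IN (?,?,...)' with one placeholder per validated id."""
    ids = parse_ids(ids_text)
    marks = ",".join("?" for _ in ids)
    sql = f"SELECT id FROM tbl WHERE id IN ({marks})"
    return sorted(row[0] for row in conn.execute(sql, ids))


if __name__ == "__main__":
    conn = make_db()
    wanted = "(1,5,9,23,6)"        # the list from the question
    hostile = "(1) OR 1=1"         # constructed input that escapes the IN list
    print("custom, wanted :", custom_type_query(conn, wanted))
    print("custom, hostile:", custom_type_query(conn, hostile))  # every row comes back
    print("safe, wanted   :", safe_in_query(conn, wanted))
    try:
        safe_in_query(conn, hostile)
    except ValueError as exc:
        print("safe, hostile  : rejected,", exc)
```

Whether the unquoted type is a problem in practice depends on where $ids comes from: if any part of it can be influenced by a request, it needs the per-element check before it reaches the query.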

  • ACI, 2 BD's and 2 EPGs in L2 mode won't talk even with contract supplied

    Hi experts
    I tried to make an L2 connection between 2 EPGs in different BDs; both BDs are in L2 mode and in the same private network. I saw in the sniffer that the traffic was sent between the EPGs (hosts), but the "ping" between the hosts did not get answered. We had a contract between the EPGs that was allow any in both directions.
    The connection works between the 2 hosts with the 2 EPGs in the same BD with the same any contract.
    Is it intended that 2 BDs won't let 2 EPGs talk in L2 mode (flood mode)?
    And I read that the L2 external is not a separate BD but 2 EPGs in an "L2 construct" with a contract between and the AEP stuff to get physical to work.
    /Ola

    Just to understand, you created two BDs in flood and L2 mode and two EPGs. The two hosts are using the same subnet/address space to talk to each other and you have a contract in between the two EPGs yet the communication is not working. 
    When you put the two EPGs in the same BD it works? correct?
    It's a very interesting question, but there is something you must remember about ACI. The BD is the flood/forwarding boundary. Since you are using two different flood domains and no routing (unicast off and no subnet/SVI on the BD), ARPs and general data flood/packets will not traverse the flood domains, even with a contract.
    What other questions do you have? Thanks for using Support Forums, hope that helps!

  • Possible to restrict logins on hosts w/ ACI?

    Greetings,
    My DS implementation is beginning to mature some, and I'm now faced with the possibility that I may need to restrict logins on various hosts. My current setup is using LDAP netgroups to define who can log in to which server, but now I'm being asked to restrict it even further...some people in those netgroups will be explicitly disallowed from logging into some servers (think about contractors working with an already established team...you may not want them logging into just any server simply because they're part of a netgroup that can).
    So, what I'm looking to do is set up ACI's to say something like "User X can log into servers A, B, and C, but none other".
    Any ideas? I've tried creating ACI's using the ACI-builder, and I've done so at both the leaf entry and at the branch point, and I can still log into any server that that user's netgroup allows. So, either my ACI's are not built properly, or I'm not putting them in the right place. I suppose another possibility is that this type of access restriction isn't possible, but I'd have guessed that this was part of the point of ACI's :)
    Thanks!
    Patrick

    Hi Tom,
    Thank you for posting in Windows Server Forum.
    For your environment, I would suggest you to use following command.
    Firstly find user session ID with: Query Session /Server:Servername
    For disconnecting existing login: 
    Disconnect-RDUser -HostServer sessionhost.contoso.com -UnifiedSessionID 2
    For sending message to users:
    Send-RDUserMessage -HostServer "rdsh.contoso.com" -UnifiedSessionID 1 -MessageTitle "Message from Administrator" -MessageBody "Please save your work. You will be logged off in 10 minutes"
    You can deny new user logons by specifying user login mode.
    Change Logon /Disable
    http://technet.microsoft.com/en-us/library/bb490792.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • ACI Alert - Application Sharing

    Hello All,
    Has anyone seen the following alert when launching Application Sharing on NW SP12?
    ACI Alert
    ACI Error: The communication with the server has been disconnected, you have to login again. (1101)
    To generate this error, I go through the CLP, select the Contact that I want to share the application with, I then select the application at which point I get the error.
    My system pretty much freezes up and I have to forcefully close my Internet Explorer session.
    My Application Sharing parameters are:
    SecureMode = 1
    ServerName = <fully qualified domain of server>
    ServerPath = streamingserver/servlet/streamingserver
    ServerPort = 50000
    Version    = 1729
    I've searched for this error in the Forum logs but have not found anything.
    Can anyone provide assistance?
    Thanks in advance for your help!
    ~H

    Hi Guy,
    Thanks for your feedback;
    One quick question; I do not have the "SAPPortals" entry on either of my client PCs under HKLM\Software; does that have to be added as well?
    With regards to request b.), I did navigate to the URL you provided and received the status page you mentioned. The results are as follows:
    Application Sharing Server
    General Information:
    URL : /streamingserver/servlet/streamingserver 
    Server protocol : HTTP/1.1 
    Server version : NW04 
    Registered sessions: 0 
    Onging Sessions Information:
    Session id Status Sharer Name Participants Count
    Threads Count Properties:
    Property Name Value
    SAP J2EE Engine max application threads count 40
    SAP J2EE Engine max system threads count 100
    Application Sharing Server max threads count 20
    Application Sharing Server currently in use threads count 0
    Thanks again; please let me know if I need to add the Registry Entry "SAPPortals" and I'll get that information to you right away.
    ~H

  • So slow when Delete a PeopleContainer, pls help!

    I wanted to delete a People Container, but it was so slow, and I found that:
    1. The CPU of the ns-slapd process as high as 40%
    2. There were a lot of "ABANDON" message in the access log, and the etime is very high:
    [21/Sep/2009:16:52:50 +0800] conn=55 op=2 msgId=2708 - ABANDON targetop=1 msgid=2670 nentries=0 etime=597
    [21/Sep/2009:16:52:50 +0800] conn=54 op=2 msgId=2712 - ABANDON targetop=1 msgid=2666 nentries=0 etime=597
    [21/Sep/2009:17:02:50 +0800] conn=71 op=2 msgId=2746 - ABANDON targetop=1 msgid=2711 nentries=0 etime=600
    [21/Sep/2009:17:02:50 +0800] conn=70 op=2 msgId=2750 - ABANDON targetop=1 msgid=2707 nentries=0 etime=600
    [21/Sep/2009:17:11:53 +0800] conn=77 op=2 msgId=2781 - ABANDON targetop=1 msgid=2749 nentries=0 etime=543
    [21/Sep/2009:17:11:53 +0800] conn=76 op=2 msgId=2785 - ABANDON targetop=1 msgid=2745 nentries=0 etime=543
    I really don't know what happened, pls help!
    Thanks!
    Shen

    I do not see the delete query in the logs pasted below. Although this Search query also has ABANDON message:
    Could you please paste the logs for DELETE query in specific?
    =================================================
    [21/Sep/2009:16:18:24 +0800] conn=18 op=-1 msgId=-1 - fd=52 slot=52 LDAP connection from 172.16.0.65 to 172.16.0.65
    [21/Sep/2009:16:18:24 +0800] conn=18 op=0 msgId=2548 - BIND dn="cn=dsameuser,ou=DSAME Users,dc=ceibs,dc=edu" method=128 version=3
    [21/Sep/2009:16:18:24 +0800] conn=18 op=0 msgId=2548 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=dsameuser,ou=dsame users,dc=ceibs,dc=edu"
    [21/Sep/2009:16:18:24 +0800] conn=18 op=1 msgId=2549 - SRCH base="dc=ceibs,dc=edu" scope=2 filter="(aci=*)" attrs="objectClass" options=persistent
    [21/Sep/2009:16:23:21 +0800] conn=18 op=2 msgId=2584 - ABANDON targetop=1 msgid=2549 nentries=0 etime=297
    [21/Sep/2009:16:23:21 +0800] conn=18 op=3 msgId=2585 - UNBIND
    [21/Sep/2009:16:23:21 +0800] conn=18 op=3 msgId=-1 - closing - U1
    [21/Sep/2009:16:23:21 +0800] conn=18 op=-1 msgId=-1 - closed.
    =================================================
    -Akshay

  • 802.11n Enabler: Does it help existing issues?

    Just wanted to know if anyone has downloaded and installed the update with the hopes of solving existing connection/quality issues.
    Please post on this thread if you did, and what the result was. I'm not looking for info regarding speed increase with an N-branded router, but rather improvements in existing connection issues.
    I will mark any decent info received as helpful.

    I am having the same problem with my C2D Macbook. My Airport is very lethargic. Dashboard takes like 5 mins and many websites time out or I get the "can't find the server". I downloaded and installed the most recent Airport update and then paid the $2.13 for the "n" enabler and installed it. Neither of these seemed to have helped. I even changed the security settings in the Airport Express from WPA2 to WEP as noted by Cheryl@ACI in the following thread: http://discussions.apple.com/thread.jspa?threadID=797008&start=50&tstart=0
    I don't think it's the Airport Express because it worked fine with my old Core Duo Macbook (That was replaced by Apple for many other reasons) and it's definitely not the router because that works flawlessly when I connect it directly to my Macbook via Ethernet.
    Any suggestions would be greatly appreciated?

  • ACI is not having desired result

    I hope you can help me with this, first this is my directory structure:
    (root) (dc=mycompany,dc=com)
    (first level) I have 3 organizational units
    ou =Customers
    ou=Admin
    ou=Services
    (second level Inside ou= Customers) I have 2 organizational units
    ou=Client1
    ou=Client2
    (third level inside each Client ) I have 1 organizational units and a group called allpeople
    ou= NA
    cn=allpeople
    (cn=allpeople,ou=NA,ou=Client1,ou=Customers,dc=mycompany,dc=com)
    (fourth level Inside each NA level for each client) I have 2 organizational units
    ou=people (ou=people,ou=NA,ou=Client1,ou=Customers,dc=mycompany,dc=com)
    ou=roles
    inside ou=people i have a user aelias
    (uid=aelias,ou=people,ou=NA,ou=Client1,ou=Customers,dc=mycompany,dc=com)
    What I need is to create an ACI that grants access to a group called "allpeople"; this group is inside (ou=NA,ou=Client1,ou=Customers,dc=mycompany,dc=com)
    and all members added to this group ("allpeople") should have access to the "people" branch (ou=people,ou=NA,ou=Client1,ou=Customers,dc=mycompany,dc=com)
    So what I did was to put the ACI on the people branch and grant access to the group called "allpeople". I already have a user "aelias" inside the people branch and I added this user to the "allpeople" group.
    This is the ACI:
    (targetattr = "*")
    (version 3.0;
    acl "Allow allpeople group to have access to people branch on Client1";
    allow (read,compare,search)
    (groupdn = "ldap:///cn=allpeople,ou=NA,ou=Client1,ou=Customers,dc=mycompany,dc=com");)
    When I connect to the directory using uid=aelias, with his respective password, I only get dc=mycompany,dc=com. I cannot see beyond this.
    However, if I move this ACI to the Customers branch (second level) then it works fine and I'm able to see the Customers branch only and all the sub-branches, but this is not good because this user must only see inside the "people" branch to which he belongs.
    I have removed anonymous access from the root level, because having anonymous access always granted "uid=aelias" access to the root directory and all the branches, even though I had an ACI for that particular user in the Customers branch. The anonymous access allowed this user (aelias) to see everything inside the tree.
    Why am I having this problem? Why is the ACI that I put on ou=people not working when it works for ou=Customers? Is there a consideration for putting ACIs too deep in the tree? Any ideas on this? Would it be possible to have anonymous access at the root level and at the same time ACIs for other branches?
    Please help, I have spent many days trying to resolve this issue.
    Thanks in advance.

    The way ACI works is by allowing access only when specified.
    I think in your case you need 2 ACIs.
    One at the top of the tree where you want to grant read access to anyone who is NOT in the group cn=allpeople.
    (targetattr = "*")(version 3.0; acl "Allow everyone but allpeople group to have access to people branch on Client1"; allow (read,compare,search)
    (groupdn != "ldap:///cn=allpeople,ou=NA,ou=Client1,ou=Customers,dc=mycompany,dc=com");)
    And then the one as below that allows the members of group cn=allpeople to read the people branch of Client1.
    Ludovic.
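
The default-deny, subtree-scoped behaviour discussed in this thread, as an added example that is not part of the original posts: a simplified Python model using the DNs from the question. It assumes allow rules only (no deny rules, targetattr filtering or anonymous access) and naive DN splitting; the data layout and helper names are illustrative.

```python
# Simplified model of default-deny, subtree-scoped ACI evaluation (not a real server).
# DNs come from the thread; the data layout and helper names are illustrative assumptions.

def norm(dn):
    """Lowercase a DN and drop spaces around '=' and ',' (escaped commas not handled)."""
    return ",".join("=".join(x.strip() for x in rdn.split("=")) for rdn in dn.split(",")).lower()

BASE = "dc=mycompany,dc=com"
CUSTOMERS = "ou=Customers," + BASE
NA = "ou=NA,ou=Client1," + CUSTOMERS
PEOPLE = "ou=people," + NA
AELIAS = "uid=aelias," + PEOPLE
ALLPEOPLE = "cn=allpeople," + NA
GROUPS = {norm(ALLPEOPLE): {norm(AELIAS)}}  # constructed group membership

def make_aci(placed_at):
    """The thread's allow ACI, attached to the entry 'placed_at'."""
    return {"placed_at": placed_at, "rights": {"read", "compare", "search"}, "groupdn": ALLPEOPLE}

def in_scope(entry_dn, aci_dn):
    """An ACI covers the entry that holds it and every entry beneath it."""
    e, a = norm(entry_dn), norm(aci_dn)
    return e == a or e.endswith("," + a)

def can_read(bind_dn, entry_dn, acis):
    """Default deny: True only if an in-scope allow ACI names a group containing bind_dn."""
    return any(
        in_scope(entry_dn, aci["placed_at"])
        and "read" in aci["rights"]
        and norm(bind_dn) in GROUPS.get(norm(aci["groupdn"]), set())
        for aci in acis
    )

def readable_chain(bind_dn, leaf_dn, acis):
    """Entries on the path from the suffix down to leaf_dn that bind_dn may read."""
    parts = norm(leaf_dn).split(",")
    depth = len(parts) - len(norm(BASE).split(","))
    chain = [",".join(parts[i:]) for i in range(depth, -1, -1)]
    return [dn for dn in chain if can_read(bind_dn, dn, acis)]

if __name__ == "__main__":
    for where in (PEOPLE, CUSTOMERS):
        print("ACI at", where)
        for dn in readable_chain(AELIAS, AELIAS, [make_aci(where)]):
            print("   readable:", dn)
```

In this model, an ACI placed on ou=people makes only ou=people and the entries beneath it readable, so a client that walks down from the suffix cannot read the intermediate entries, while a search based at ou=people returns results.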

  • Putting site problem. Please help.

    Hi - if anyone can help me it would be fantastic...
    I try to put my web site onto the remote site, which
    according to the split 'Remote Site/Local Files' view, it has done.
    But when I view the web address in the browser (safari), it is
    still the old site... which I have actually deleted from the remote
    and local views... I have tried clearing the cache and the other
    suggestions I found on the video 'trouble shooting dreamweaver'
    section on this site. I am stuck, I had a similar problem with this
    particular site when using MX 2004 too (am using the trial CS3
    now).

    Check your Remote Site Definition in DW and make sure you have specified
    the correct Default Folder on the server. You may have uploaded your
    files to the web server, but not to the actual site root folder on the
    server.
    Alec Fehl, MCSE, A+, ACE, ACI
    Adobe Community Expert
    AUTHOR:
    Microsoft Office 2007 PowerPoint: Comprehensive Course (Labyrinth Publications)
    Welcome to Web Design and HTML (Labyrinth Publications)
    CO-AUTHOR:
    Microsoft Office 2007: Essentials (Labyrinth Publications)
    Computer Concepts and Vista (Labyrinth Publications)
    Mike Meyers' A+ Guide to Managing and Troubleshooting PCs (McGraw-Hill)
    Internet Systems and Applications (EMC Paradigm)

  • ACI  - Date Range issue for Sales Details report

    I am working on ACI setup for one of my clients. I set everything up as per documentation.
    This is regarding ‘Sales Details’ (Public Folders > ATG > Commerce > Sales > All Sales) report.
    Report is being generated if I select ‘Date Range’ under ‘Time Period’; but if I select ‘Predefined’ I get below errors:
    RQP-DEF-0177
    An error occurred while performing operation 'sqlPrepareWithOptions' status='-9'.
    UDA-SQL-0107 A general exception has occurred during the operation "prepare".ORA-32035: unreferenced query name defined in WITH clause RSV-SRV-0042 Trace back:RSReportService.cpp(758): QFException: CCL_CAUGHT: RSReportService::process()RSReportServiceMethod.cpp(239): QFException: CCL_RETHROW: RSReportServiceMethod::process(): promptPagingForward_RequestRSASyncExecutionThread.cpp(774): QFException: RSASyncExecutionThread::checkExceptionRSASyncExecutionThread.cpp(211): QFException: CCL_CAUGHT: RSASyncExecutionThread::run(): promptPagingForward_RequestRSASyncExecutionThread.cpp(824): QFException: CCL_RETHROW: RSASyncExecutionThread::processCommand(): promptPagingForward_RequestExecution/RSRenderExecution.cpp(593):
    Has anybody come across this issue?
    Any help in this regard will be highly appreciated.
    Thanks,
    Mukesh

    Contact Oracle support. I think we've seen this one before if using a particular version of Oracle (11.1?). There's a particular version of Oracle that doesn't support queries in a WITH clause that aren't referenced in the main query. Cognos seems to generate these types of queries not knowing that the version of Oracle doesn't support it. According to Support Article ID 1063400.1 you can patch this particular problem with Oracle or you can upgrade to Oracle 11.2. I also think there was a way to get Cognos to generate an alternative query that doesn't use the WITH clause at all. Something about disabling the use of WITH in all queries by making a change to the report definition or alternatively a global change to the metadata model.
    Good luck...
    Andrew
