Adv RACF 9.0.4.15 LDAP Gateway setup issue on LINUX

Hi,
I am trying to set up LDAP Gateway on Linux; while starting the script (run.sh), it throws a lot of errors. Can anybody please share their working LDAP Gateway run.sh? I will try to compare and resolve the issue.
Thanks,

I have had to resolve similar errors using the LDAP gateway for the AS400. The two products are based on the same gateway from Identity Forge.
When you are trying to debug the startup, be sure to watch the console for class not found errors. When debugging, I typically run the gateway as a foreground task instead of using nohup. In my case, there were some missing jar files that were preventing the gateway from running. I used google to locate the jars and got the gateway to run.
Here is a copy of the run.sh I made using the provided run.sh code as a base.
#!/bin/sh
# IDF Server start script.
# resolve link - $0 may be a softlink
THIS_PROG="$0"
#echo "This Prog = " $THIS_PROG
while [ -h "$THIS_PROG" ]; do
ls=`ls -ld "$THIS_PROG"`
link=`expr "$ls" : '.*-> \(.*\)$'`
if expr "$link" : '.*/.*' > /dev/null; then
THIS_PROG="$link"
else
THIS_PROG=`dirname "$THIS_PROG"`/"$link"
fi
done
PRGNAME=`basename ${THIS_PROG}`
# Get standard environment variables
PRGDIR=`dirname "$THIS_PROG"`
if [ "$PRGDIR" = "." ] ; then
PRGDIR=`pwd`
THIS_PROG=${PRGDIR}/${PRGNAME}
fi
#APP_HOME is set here
# we are assuming that this script
# lives in a subdirectory like bin
APP_HOME=`cd "$PRGDIR/.." ; pwd`
TMPDIR="$APP_HOME"/temp
##### SET ENVIRONMENT VARIABLES #######
APP_HOME=/opt/app/ldapgateway
TMPDIR=/opt/app/ldapgateway/temp
OIM_HOME=/opt/app/Middleware/Oracle_IDM1/server
OIM_CLIENT_HOME=/opt/app/Middleware/Oracle_IDM1/designconsole
##### SET WEBLOGIC HOME ##################
APPSERVER_HOME=/opt/app/Middleware
## ************ EXAMPLE 11G PATH **********************************
# APPSERVER_HOME=/opt/Oracle/Middleware/wlserver_10.3
# OIM_HOME=/opt/Oracle/Middleware/Oracle_IDM1/server
# OIM_CLIENT_HOME=/opt/Oracle/Middleware/Oracle_IDM1/designconsole
# Get standard environment variables
# Like JAVA_HOME, etc.
if [ -r "$PRGDIR"/setenv_idf.sh ]; then
. "$PRGDIR"/setenv_idf.sh
else
#JAVA_HOME=$APPSERVER_HOME/jdk/jre
SECURE="false"
SM=""
DEBUG="false"
DB=""
JVM_OPTS=""
fi
echo '********************************'
echo 'Displaying vars from setenv'
echo '********************************'
echo "JAVA_HOME = " $JAVA_HOME
echo "SECURE = " $SECURE
echo "SM = " $SM
echo "JAVA_OPTS = " $JVM_OPTS
echo "DB = " $DB
echo "DEBUG = " $DEBUG
echo "APP_HOME = " $APP_HOME
#echo '********************************'
# resolve link - $JAVA_HOME may be a softlink
#$echo "JAVA HOME = " $JAVA_HOME
#while [ -h "$JAVA_HOME" ]; do
# ls=`ls -ld "$JAVA_HOME"`
# link=`expr "$ls" : '.*-> \(.*\)$'`
# if expr "$link" : '.*/.*' > /dev/null; then
# JAVA_HOME="$link"
# else
# JAVA_HOME=`dirname "$JAVA_HOME"`/"$link"
# fi
#done
#echo "JAVA HOME = " $JAVA_HOME
#Set Java Command after we resolved soft link
JAVACMD="$JAVA_HOME"/bin/java
if [ ! -x "$JAVACMD" ]; then
echo "Java executable not found, exiting"
echo "JAVACMD = " $JAVACMD
exit 1
fi
## CHANGE THE BELOW CP_FILES FOR USE WITH 11G
## UNCOMMENT SPECIFIC CONNECTOR AGENT /etc/...-adv-agent-recon.jar
CP_FILES="${APP_HOME}/dist/idfserver.jar
${APP_HOME}/etc/as400-adv-agent-recon.jar
${APP_HOME}/lib/concurrent-1.3.4.jar
${APP_HOME}/lib/shared-ldap-0.9.5.3.jar
${APP_HOME}/lib/ldapfilt.jar
${APP_HOME}/lib/ldapjdk.jar
${APP_HOME}/lib/ldaplstd.jar
${APP_HOME}/lib/ldapsp.jar
${APP_HOME}/lib/antlr-2.7.5H3.jar
${APP_HOME}/lib/shared-asn1-codec-0.9.5.4.jar
${APP_HOME}/lib/shared-asn1-0.9.5.3.jar
${APP_HOME}/lib/commons-beanutils.jar
${APP_HOME}/lib/slf4j-jdk14.jar
${APP_HOME}/lib/jakarta-regexp-1.4.jar
${APP_HOME}/lib/license.jar
${APP_HOME}/lib/jdbm-1.0.jar
${APP_HOME}/lib/jt400-full-5.0.jar
${OIM_HOME}/lib/xlLogger.jar
${OIM_HOME}/lib/xlCrypto.jar
${OIM_CLIENT_HOME}/ext/commons-logging.jar
${OIM_CLIENT_HOME}/ext/javagroups-all.jar
${OIM_CLIENT_HOME}/ext/oscache.jar
${OIM_CLIENT_HOME}/ext/log4j-1.2.8.jar
${OIM_CLIENT_HOME}/ext/spring.jar
${OIM_CLIENT_HOME}/lib/oimclient.jar
${OIM_CLIENT_HOME}/lib/xlAdapterUtilities.jar
${OIM_CLIENT_HOME}/lib/xlAPI.jar
${OIM_CLIENT_HOME}/lib/xlAuditor.jar
${OIM_CLIENT_HOME}/lib/xlCache.jar
${OIM_CLIENT_HOME}/lib/xlDataObjectBeans.jar
${OIM_CLIENT_HOME}/lib/xlDataObjects.jar
${OIM_CLIENT_HOME}/lib/xlUtils.jar
${OIM_CLIENT_HOME}/lib/xlVO.jar
${APPSERVER_HOME}/wlserver_10.3/server/lib/weblogic.jar "
#start
CLASSPATH=""
# Setting the classpath
for cp in $CP_FILES
do
# echo $cp
if [ "$cp" = "${APP_HOME}/dist/idfserver.jar" ] ; then
CLASSPATH=$cp
else
CLASSPATH=${CLASSPATH}:$cp
fi
if [ ! -e "$cp" ] # Check if file exists.
then
echo "$cp does not exist."; echo
continue # On to next.
fi
done
# Checking to see if IDF will run with security Manager enabled
if [ "$SECURE" = "false" ] ; then
SM=""
fi
# Checking to see if IDF will run with debugging enabled
if [ "$DEBUG" = "false" ] ; then
DB=""
fi
#echo '*******************************'
echo "TMPDIR: " $TMPDIR
echo "JAVA_HOME: " $JAVA_HOME
#echo '*******************************'
#echo '*******************************'
echo "JAVACMD = " $JAVACMD
echo "DB = " $DB
echo "JVM_OPTS = " $JVM_OPTS
echo "SM = " $SM
echo '*******************************'
echo "CLASSPATH = " $CLASSPATH
echo '*******************************'
## START COMMAND FOR WEBLOGIC [OIM 9.x & OIM 11G]
nohup $JAVACMD $DB $JVM_OPTS $SM -classpath $CLASSPATH -DXL.HomeDir=${OIM_HOME} -Djava.security.auth.login.config=${OIM_HOME}/config/authwl.conf com.identityforge.idfserver.Main $1 $2 $3 $4 $5 $6 $7 $8 $9 2>&1 &
xpid=$!
#Save running process id (PID)
echo $xpid > ${APP_HOME}/logs/idf_server_pid
#end
Kerry Classen

Similar Messages

  • LDAP Field Mapping in 4.6C - Using WebAS 6.10+ as an LDAP Gateway

    Dear All,
      We have a need to enable CUP Functionality (we use GRC AC 5.3) for one of our oldest R/3 systems - on 4.6C. All other R/3 backends are on 4.7+ releases, so it's a multiple backend configuration for GRC AC.
      However, LDAP Field Mapping functionality is missing in 4.6C. It was enabled through LDAPMAP in the higher releases only.
      At the same time, I discovered in one SAP HR document a diagram, which shows that indeed 4.7+ can map and post data directly to LDAP, but for 4.6C and below you can use WebAS 6.10+ as an LDAP Gateway. Meaning that 4.6C calls through RFC some functions in the higher release R/3 system to use its functions for Field Mapping and further transfer of user data to the target LDAP server.
      But... I can not find anywhere how to configure 4.7 / 6.0 servers to act as an LDAP Gateway for the older 4.6C server to bypass its limitation - absence of built-in LDAP Field Mapping functionality.
      Advice on how to realise this concept will be highly appreciated.
    Thanks,
    Laziz

    Hi,
    In order to migrate users, groups and passwords you have to use the command ldapaddent as you did, with this syntax:
    # ldapaddent -D "cn=Directory Manager" -w secret -f /etc/group group
    # ldapaddent -D "cn=Directory Manager" -w secret -f /etc/passwd passwd
    # ldapaddent -D "cn=Directory Manager" -w secret -f /etc/shadow shadow
    Note that you must use passwd instead of people container.
    I suggest you to check this article from BigAdmin http://www.sun.com/bigadmin/features/articles/nis_ldap_part1.jsp
    G.

  • C/C++ version of LDAP SDK 4.1 for Linux platform

    Hi All,
    I am looking for C/C++ version of LDAP SDK 4.1 for Linux platform.
    Do you have any pointer from where I could download this library?
    Thanks in Advance,
    Shyam Shukla

    The only version available on sun.com is LDAP C-SDK 5.08 <http://www.sun.com/download/products.xml?id=3ec28dbd>
    The 4.1 version is very old and no longer available.
    Note that future versions of the LDAP C-SDK will be directly available from Mozilla.org as we've completed the merge of all of our changes back to Mozilla.org (this is with LDAP C-SDK 6.0.2).
    Builds are not available yet, but should be soon.
    Regards,
    Ludovic.

  • Can not use the Gateway setup assistant

    Hello,
    I want to use the Gateway setup assistant from NAT service.
    My Os X server is in french.
    I have a bug: when setting up VPN from the assistant, I can't continue the setup.
    I click on the "continue" button but nothing happens !
    Is this a bug ? Someone got the same result ?
    Thx to help

    No answer ?
    Perhaps it is a bug in french translation.

  • Gateway Setup Assistant on a 10..x.y.z subnet

    Hi,
    I'm trying to use Gateway Setup Assistant on a 10..x.y.z subnet.....
    BUT
    the assistant tells me that it will switch everything to 192.168.0.x !!!! which I obviously do not want
    Hence, how can i use that assistant without screwing up my current subnet setup OR how can i setup that gateway manually ?
    Thks
    Laurent

    Hi,
    >>can u pls explain what is this mounting?
    Mounting is equivalent to creating a map drive in Windows.
    To know more about mounting check this page http://www.techotopia.com/index.php/Sharing_Ubuntu_Linux_Folders_with_Remote_Linux_and_UNIX_Systems
    >>If i use ftp..what do i use for port?
    The standard port for FTP communication is port 21. Also you can check this link http://www.zephyrcorp.com/unix-ftp.htm
    I will suggest you to do some google and find it out yourself. You will get lot more of information on these
    Regards
    suraj

  • NIS+/LDAP-Gateway  Nis+ Credentials lost after some time

    Hello,
    I have configured an NIS+ Server with NIS compatibility under Solaris. Then I have installed a Sun Directory Server on the same machine and populated the LDAP tables with the rpc.nisd gateway. Everything works fine. Even with TLS encryption.
    The Server works perfectly and the LDAP clients and NIS+ and NIS clients work too.
    But after some days you can do a niscat cred.org_dir on the Server and the NIS+ credentials are ok. 5 seconds later you do the same niscat in the same shell and the cred.org_dir table is only half filled. When you repeat the command again, all NIS+ credentials are lost and the server is dead.
    I have the same problem with the Directory Server 5.1 on Solaris 9 sparc, on Solaris 10 beta x86, on Solaris 10 beta sparc and with directoryserver 5.2 on Solaris 10 final sparc.
    I think it is a Problem with the NIS+LDAPmapping file or the rpc.nisd configuration.
    Please help me.
    With friendly Greetings from Germany
    Ralf

    There's a book at http://docs.sun.com called "Solaris Administration Guide: Naming and Directory Services (DNS, NIS and LDAP)". This will answer a lot of your questions.
    The file you're looking for is /var/ldap/ldap_client_file. Unfortunately, it's a "chicken and egg" design. The ldapclient program creates this file when you use the "init" option. But, the ldap_cachemgr daemon actually updates it from the LDAP specified in the file. The ldapclient program also creates /var/ldap/ldap_client_cred. This contains the credentials that ldap_cachemgr uses to authenticate with the server.
    What I do is modify the LDAP and then SIGHUP ldap_cachemgr, avoiding the use of ldapclient. I used ldapclient to build the cred file and get the initial LDAP settings and file format. After that, I've never used it.
    HTH,
    Roger S.

  • RFC gateway setup in XI and R3

    Hi All,
    The scenario is RFC calling target system through XI.
    Do we need to create one RFC destination in XI and another one in R3 for achieving this. And what are the parameters (gatewayhost, service, program id ) need to be supplied. Much appreciated.
    Thanks,
    Deno

    Hi,
    >>Created RFC dest in XI as registered server program with Gateway host and service as R3 smgw--> gateway host and service. Then in R3, what type of destination do i need to call this programid for connecting..Please correct me if anything is wrong here..
    1. Created RFC destination with PROGRAM ID.
    2. Create sender RFC adapter and put the details and put the same program ID that you have given in RFC destination
    3. Test the RFC destination and see if it's working.
    4. Complete your IR and ID config
    5. Run RFC from transaction SE37 with the RFC destination created in the step 1 and all input values.
    Regards
    Vijaya

  • EDI Gateway Setup

    Hi All
    I need info regarding EDI Gateways(EDI Outbound Transaction setup)
    I am trying to generate the flat file for Outbound Purchase Order using standard Extract programs. But I am getting an empty file.
    I have gone through some documents available on Net. But I could not fix this problem.
    I wanted to know the basic steps we need to perform to get the output file.
    I am using standard categories only so far. I defined values for some categories and attached those categories to some of the columns in the Interface Table.
    But still I am not getting the output file.
    Do I need to delete the columns from Output Definition to which I have not attached any category?
    When I setup Trading Partner Information, Just I created A dummy name for the parnet header and attached one of the supplier name and supplier site to that partner. Will it validate the partner information somewhere while extracting the data. Is this partner information need to be present somewhere or we can create the dummy names for the testing purpose.
    Please feel free to send info to [email protected]
    I appreciate your help regarding this.

    If you are looking at e-Commerce Gateway, you should also look at the full Oracle B2B solution, which includes complete integration, EDI, mapping, TPM, AS2 etc. capabilities. It provides a standards-driven, flexible, end-to-end solution that you won't find elsewhere. If you are and e-Business Suite user, this would be an ideal choice.
    John Morris

  • Solaris 10 LDAP Client to 389 DS(Linux)

    Hey guys,
    I had this working in Solaris 11 but I have to port back to Solaris 10 to run SunOS 4 binaries. Here goes, I can su over to the accounts in the LDAP, it resolves names and groups to files. DNS and NTP are functioning. I cannot log in via ssh or su <username>. I can log in or su with both methods with local accounts (non-LDAP).
    When I - su Username the system responds prompting for password then returns su: Uknown id: Username
    When I ssh [email protected] it prompts me three times for a password which it never accepts as valid.
    Here is my pam.conf file -
    #ident "@(#)pam.conf 1.31 07/12/07 SMI"
    # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth sufficient pam_unix_auth.so.1
    login auth required pam_dial_auth.so.1
    login   auth required           pam_ldap.so.1
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth required pam_unix_auth.so.1
    # Kerberized rlogin service
    krlogin auth required pam_unix_cred.so.1
    krlogin auth required pam_krb5.so.1
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    # Kerberized rsh service
    krsh auth required pam_unix_cred.so.1
    krsh auth required pam_krb5.so.1
    # Kerberized telnet service
    ktelnet auth required pam_unix_cred.so.1
    ktelnet auth required pam_krb5.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_unix_cred.so.1
    ppp auth required pam_unix_auth.so.1
    ppp auth required pam_dial_auth.so.1
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth sufficient pam_unix_auth.so.1
    other   auth required           pam_ldap.so.1
    # passwd command (explicit because of a different authentication module)
    passwd auth sufficient pam_passwd_auth.so.1
    passwd  auth required           pam_ldap.so.1
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other   account sufficient      pam_ldap.so.1
    other account requisite pam_roles.so.1
    other account required pam_unix_account.so.1
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1
    # Support for Kerberos V5 authentication and example configurations can
    # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
    Any ideas? So close but missing something as when I go to log in via ssh it prompts me for password 3 times then tosses me. Yes password and account are OK. If I ssh from a Linux server authenticating to the LDAP it works just fine. Any help is appreciated.
    Thanks,
    Ted

    CN,
    I have not modified the schema yet. I have updated pam.conf and while evaluating /var/adm/messages on the Solaris Client I only get output when I enter a known bad password, if I enter the correct password there is nothing in that log. Log in and su results remain the same. The slapd log does show the attempts and does not appear to show any errors that I can tell. I'll keep working it, here is the pam.conf I switched to after further evaluation -
    # more /etc/pam.conf
    #ident "@(#)pam.conf 1.31 07/12/07 SMI"
    # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth required pam_dial_auth.so.1
    login auth binding pam_unix_auth.so.1 server_policy
    login auth required pam_ldap.so.1
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1
    # Kerberized rlogin service
    krlogin auth required pam_unix_cred.so.1
    krlogin auth required pam_krb5.so.1
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    rsh auth binding pam_unix_auth.so.1 server_policy
    rsh auth required pam_ldap.so.1
    # Kerberized rsh service
    krsh auth required pam_unix_cred.so.1
    krsh auth required pam_krb5.so.1
    # Kerberized telnet service
    ktelnet auth required pam_unix_cred.so.1
    ktelnet auth required pam_krb5.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth binding pam_unix_auth.so.1 server_policy
    other auth required pam_ldap.so.1
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy
    passwd auth required pam_ldap.so.1
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1
    other account binding pam_unix_account.so.1 server_policy
    other account required pam_ldap.so.1
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1 force_check
    other password required pam_authtok_store.so.1 server_policy
    # Support for Kerberos V5 authentication and example configurations can
    # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
    ppp auth required pam_unix_cred.so.1
    ppp auth required pam_unix_auth.so.1
    I did create a .ldif file for a profile. Output seems similar to what I entered in the manual ldapclient command. Reading up more on that now and the schema updates you recommended. I wanted to make sure I sent you the updated pam.conf though as this seems to match those found online in style for pre-Solaris 11. The first copy was what I transferred from a working Solaris 11 server I had running here.
    Thanks,
    Ted

  • Solaris 10 VPN server/gateway setup

    Hi all,
    I have a V20z running Solaris 10 at home, and I would like to set it up as a VPN server. The Solaris 10 is behind a router with a reserved private IP assigned by DHCP and port forwarding set up for only SSH at the moment. The router has a static external IP.
    I'm not exactly sure what the terms are for what I'm trying to do, but this is basically it:
    When I am out of town or overseas, I want to be able to connect from my laptop running OS X or Linux to my Solaris 10 server at home, and have the S10 server act as a proxy(?) (gateway?) for all the traffic from my laptop; for example, if I was in a place where nytimes.com was blocked and wanted to be able to browse from my laptop by having the Solaris 10 server proxy (transparently) my requests and forward the responses back to me. I hope I'm explaining this ok...
    I have searched a lot online for how to do this, and I have found a lot of info, but nothing that really ties it all together. I'm pretty comfortable working in the shell and doing config stuff, but it would be a huge help if anyone could explain all the pieces I need to snap together to get this working.
    These are my questions:
    1. What is what I have described called? Just "VPN" or "VPN router," or "VPN gateway"?
    2. What software do I need on my Solaris 10 server to do this?
    A lot of what I read pointed me to OpenVPN, but I am not clear if OpenVPN alone would enable me to use the public web via the VPN.
    If not, then what would I need to have on the server to enable incoming requests over the VPN connection to be rerouted to the public internet?
    3. I'm sure I can figure this out if I can just get the server VPN working, but if anyone happens to know, I'd appreciate it:
    Built into OS X Networking Prefs I have the ability to add a VPN interface of either of these 2 types:
         "PPTP"
         "L2TP over IPsec"
    From what I have read so far, it seems like IPsec is likely the only reasonable choice, but the option of "L2TP over IPsec" confuses me since I haven't read that they are required to be used together.
    Will this option work for connecting to my Solaris VPN server or will I need a 3rd-party app?
    Any guidance would be a tremendous help.
    Thanks guys!
    Jamie

    Mobile IP???
    Assuming that you had the right security in place you could have the "Home" box export its display back to the "Roving" box and then just run a web browser over X. Something like SSH with X forwarding.
    alan

  • OEL ldap client setup with SSL against OID using either ldaps or starttls

    Hi, I've got OID 11.1.1.1.0 running with SSL enabled on port 3132. It's running in mode 2, SSL Server Authentication mode (orclsslauthentication is set to 32). I'd like to setup my OEL 5.3 and Solaris 10 ldap clients to connect to OID using SSL for user authentication. I have everything already working on the non-SSL port (3060), but I need to switch over to SSL. So far I can't get it to work on either OEL or Solaris. Does anyone out there know how to configure the client to use SSL?
    Here's my /etc/ldap.conf file on OEL 5.3.
    timelimit 120
    bind_timelimit 120
    idle_timelimit 3600
    nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
    URI ldaps://FQDN:3132/
    port 3132
    ssl yes
    host FQDN
    base dc=DOMAIN,dc=com
    pam_password clear
    tls_cacertdir /etc/oracle-certs
    tls_cacertfile /etc/oracle-certs/oid-test-ca.pem
    tls_ciphers SSLv3
    # filter to AND with uid=%s
    pam_filter objectclass=posixaccount
    #The search scope
    scope sub
    I have /etc/nsswitch.conf set to check for files first, then ldap
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    Here's my /etc/openldap/ldap.conf file
    URI ldaps://FQDN:3132/
    BASE dc=DOMAIN,dc=com
    TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
    TLS_CACERTDIR /etc/openldap/cacerts
    TLS_REQCERT allow
    TLS_CIPHERS SSLv3
    The oid-test-ca.pem is a self-signed cert from the OID server. I also have the hash file configured.
    4224de9f.0 -> oid-test-ca.pem
    I can run ldapsearch using ldaps and it works fine.
    ldapsearch -v -d 1 -x -H ldaps://FQDN:3132 -b "dc=DOMAIN,dc=com" -D "cn=user,cn=users,dc=DOMAIN,dc=com" -w somepass -s sub objectclass=* | more
    But when I run the 'getent passwd' command, it only shows me my local user accounts and none of my ldap accounts. I also can't SSH in using a ldap account.
    Solaris 10 is actually a whole other beast...I'm using the native Solaris ldap client (not PADL based) and I don't think it even works with SSL unless you're using the default ports (389/636).
    Does anyone out there know how to setup the client-side for ldap authentication using SSL? Any tips, howto docs, or advice are appreciated. Thanks!

    Hello again...
    after some research and work together with Oracle Support I found out how to get it to work:
    1. You have to create your own ConfigSet in OID using
    SSL-Server-Authentication
    (OpenSSL seems not to support SSL-encryption-only).
    The following link shows on how to do that:
    http://otn.oracle.com/products/oid/oidhtml/oidqs/html_masters/a_port01.htm
    2. Add the following lines to your $HOME/ldaprc
    TLS_CACERT /home/frank/oid-caroot.pem
    TLS_REQCERT allow
    TLS_CIPHERS SSLv3
    ssl on
    tls_checkpeer no
    oid-caroot.pem is the CA-Root Certificate you got
    during step 1
    3. you should now be able to use ldapsearch using SSL
    If you still can't connect using SSL you may have run into another issue with OpenSSL which affects systems using OpenSSL version 0.9.6d and above. The problem seems to be caused by a security fix which may not be compliant with the SSL implementation of Oracle.
    I opened a Bug for that problem with RedHat. This Bug Description also includes a proposal for a Patch which solves the problem (but may introduce some security risks). See the Bug at RedHat:
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123849
    Bye
    Frank Berger
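Added example (not part of the thread and not any poster's own script): a POSIX shell check that flags the client settings quoted above, `TLS_REQCERT allow`, `tls_checkpeer no` and `TLS_CIPHERS SSLv3`, which leave the server certificate unverified or select legacy cipher suites. The function names, the output format and the two sample files are assumptions of this example; the severities follow the OpenLDAP ldap.conf(5) meaning of `TLS_REQCERT` and the nss_ldap/pam_ldap `tls_checkpeer` option, and OpenSSL-style cipher strings are assumed.

```shell
#!/bin/sh
# Added example: audit ldap.conf / ldaprc style files for TLS settings that
# weaken server authentication. Names and output format are hypothetical.

# Print one "SEVERITY:line:directive value:reason" record per risky setting.
audit_ldap_tls() {
    awk '
    function report(sev, why) {
        printf "%s:%d:%s %s:%s\n", sev, NR, $1, $2, why
    }
    $1 ~ /^#/ || NF < 2 { next }          # skip comments and bare keywords
    {
        key = tolower($1); val = tolower($2)
        if (key == "tls_reqcert") {
            # never/allow: the session continues even with a bad certificate
            if (val == "never" || val == "allow") {
                report("FAIL", "server certificate is not verified")
            } else if (val == "try") {
                report("WARN", "a missing server certificate is accepted")
            }
        } else if (key == "tls_checkpeer") {
            if (val == "no" || val == "off" || val == "false") {
                report("FAIL", "peer certificate check disabled")
            }
        } else if (key == "tls_ciphers") {
            # look only at selectors that add suites, not "!" or "-" removals
            n = split(val, tok, /[:, ]/)
            for (i = 1; i <= n; i++) {
                if (tok[i] ~ /^(sslv2|sslv3|exp|export|low|e?null|anull)/) {
                    report("WARN", "legacy or weak cipher selector: " tok[i])
                    break
                }
            }
        }
    }' "$1"
}

# Count the records of one severity (FAIL or WARN) for a file.
count_sev() {
    audit_ldap_tls "$2" | grep -c "^$1:" || true
}

# Constructed samples: the ldaprc lines quoted in the thread, and a variant
# with verification left on (the CA path is the one named in the question).
write_samples() {
    cat > "$1/ldaprc.thread" <<'EOF'
TLS_CACERT /home/frank/oid-caroot.pem
TLS_REQCERT allow
TLS_CIPHERS SSLv3
ssl on
tls_checkpeer no
EOF
    cat > "$1/ldaprc.strict" <<'EOF'
# certificate verification enforced
TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
TLS_REQCERT demand
ssl on
tls_checkpeer yes
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/ldaprc.thread "$tmp"/ldaprc.strict; do
    echo "== $f: $(count_sev FAIL "$f") FAIL, $(count_sev WARN "$f") WARN"
    audit_ldap_tls "$f"
done
rm -rf "$tmp"
```

Run against `/etc/ldap.conf`, `/etc/openldap/ldap.conf` and any per-user `ldaprc`, a FAIL record means the client will complete the TLS handshake with a server whose certificate it could not validate.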

  • MS Active Directory LDAP Authentication/Locking Issue.

    Dear All,
    We are a software company; we have implemented feature of LDAP Authentication in our product using Java API and its working fine from our network environment.
    We have used following things with LDAP feature.
    1. User Authentication.
    2. Locking the account after exceeding the maximum attempts that are configured in Windows Server.
    Our main issue is: the LDAP feature is not working properly on our client's side. They are able to authenticate their LDAP user but are not able to lock the user account, even though they have exceeded the maximum attempts from the login dialog of our product, but it is still working on our side.
    If anybody has any experience with this, then please reply with a positive solution or any other information, such as specific configuration required for different versions of Windows and Active Directory Server, etc.
    Does anybody know what the possibilities are for identifying and resolving this issue?
    Please help us if anybody has any experience with it.
    Please do the needful.
    Thanks,
    Mehul.

    Hi,
    Thanks for your reply.
    We have used java package of javax.naming.* and javax.naming.directory.* for LDAP Authentication.
    Following code for checking whether ADS User is valid or not.
    import java.util.Hashtable;
    import java.util.Vector;
    import javax.naming.*;
    import javax.naming.directory.*;

    /**
     * Function checks whether ADSUser is valid user or not
     * @returns int value indicating result.
     */
    public int isValidADSUser() {
        Hashtable env = new Hashtable(5);
        Vector adsInfoVec = getADSInfo();
        env.put("java.naming.referral", "ignore");
        // env.put("java.naming.security.authentication", "simple");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        String provider = "com.sun.jndi.ldap.LdapCtxFactory";
        env.put("java.naming.factory.initial", provider);
        // For handling Uncontinued reference found message of partial result exception
        // (Context.REFERRAL is the same key as "java.naming.referral", so "follow" replaces "ignore")
        env.put(Context.REFERRAL, "follow");
        env.put("java.naming.ldap.derefAliases", "always");
        env.put("java.naming.ldap.deleteRDN", "false");
        env.put("java.naming.ldap.attributes.binary", "");
        env.put(Context.PROVIDER_URL,
                "ldap://" + (String) adsInfoVec.elementAt(0) + ":" +
                (String) adsInfoVec.elementAt(1));
        // env.put("java.naming.security.principal",
        // userNameStr + "@" + (String) adsInfoVec.elementAt(0));
        env.put(Context.SECURITY_PRINCIPAL,
                userNameStr + "@" + (String) adsInfoVec.elementAt(0));
        if (userPassStr == null) {
            userPassStr = "";
        }
        // With an empty password JNDI performs the simple bind as an anonymous bind
        // (authentication "none"), so the server checks no password for that attempt.
        // env.put("java.naming.security.credentials", userPassStr);
        env.put(Context.SECURITY_CREDENTIALS, userPasswordStr);
        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.lookup("");
            //System.out.println(ctx.lookup(""));
            ctx.close();
        } catch (javax.naming.AuthenticationException ex) {
            // Bind rejected by the directory (bad credentials, locked or disabled account)
            //System.out.println();
            ex.printStackTrace();
            return AUTHENTICATION_ERROR;
        } catch (javax.naming.PartialResultException pex) {
            pex.printStackTrace();
            return COMMUNICATION_ERROR;
        } catch (javax.naming.CommunicationException pex) {
            pex.printStackTrace();
            return COMMUNICATION_ERROR;
        } catch (NamingException e) {
            System.out.println("Failed to connect to ");
            e.printStackTrace();
            return COMMUNICATION_ERROR;
        }
        return SUCCESS;
    }
    Result of this code at our company: we are able to authenticate the LDAP user and also lock the user account after exceeding the Max Failure Attempt configured on the Windows Server.
    Result of this code at our client's side: they are able to authenticate the LDAP user, but the user account does not get locked even after exceeding the Max Failure Attempt configured on their Windows Server.
    Can you please help us if you have any experience with this, and suggest whether any other configuration is required on the Windows Server / Active Directory Server, or whether some other implementation is required to resolve this issue?
    Your optimistic reply is much appreciated.
    Thanks,
    Mehul Garnara.
    Edited by: [email protected] on Mar 6, 2008 10:24 PM
    Edited by: [email protected] on Mar 6, 2008 10:25 PM
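    A diagnostic aid for the lockout question above, added here as an example and not part of the original post: it refuses empty passwords (which JNDI would send as an anonymous bind rather than a credential check) and extracts the sub-code Active Directory appends to LDAP error 49, so each failed attempt can be logged as a bad password (52e) or a locked account (775). The class name, the sample messages and the host name are constructed for illustration.

```java
import java.util.Hashtable;
import java.util.regex.*;
import javax.naming.*;
import javax.naming.directory.InitialDirContext;

public class AdBindCheck {
    // AD reports the Win32 error (hex) inside LDAP error 49 as "data <code>".
    private static final Pattern SUBCODE = Pattern.compile("data\\s+([0-9a-fA-F]{3,4})\\b");

    /** Maps the sub-code in an AD bind failure message to a readable reason. */
    static String reason(String ldapMessage) {
        Matcher m = SUBCODE.matcher(ldapMessage == null ? "" : ldapMessage);
        if (!m.find()) return "UNKNOWN";
        switch (m.group(1).toLowerCase()) {
            case "525": return "USER_NOT_FOUND";
            case "52e": return "INVALID_CREDENTIALS";
            case "532": return "PASSWORD_EXPIRED";
            case "533": return "ACCOUNT_DISABLED";
            case "701": return "ACCOUNT_EXPIRED";
            case "773": return "PASSWORD_MUST_CHANGE";
            case "775": return "ACCOUNT_LOCKED";
            default:    return "OTHER_" + m.group(1);
        }
    }

    /** Simple bind that never sends an empty password; returns "OK" or a reason. */
    static String bind(String url, String principal, String password) throws NamingException {
        // Reject before any network traffic: an empty credential is not a password check.
        if (password == null || password.isEmpty()) return "EMPTY_PASSWORD_REJECTED";
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();   // constructing the context performs the bind
            return "OK";
        } catch (AuthenticationException ex) {
            return reason(ex.getMessage());       // log this value for every failed attempt
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample messages in the format AD uses for LDAP error 49.
        String prefix = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
                      + "comment: AcceptSecurityContext error, data ";
        System.out.println(reason(prefix + "52e, v1db1]"));
        System.out.println(reason(prefix + "775, v1db1]"));
        System.out.println(bind("ldaps://dc.example.test:636", "user@example.test", ""));
    }
}
```

    Logging the returned reason per attempt shows whether repeated wrong passwords keep coming back as INVALID_CREDENTIALS or eventually turn into ACCOUNT_LOCKED on the directory being tested.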

  • XML Gateway Mapping Issue

    Hi All,
    My map has following structure
    -<envelope> -- root element and also level
    -<gdsnItemRegistryResponse> --Level
    -<docException> --Level
    -<docAcknowledgement> --Level
    <docException> and <docAcknowledgement> are siblings.
    I don't have any DTDs associated with the map.
    In the payload, <docException> and <docAcknowledgement> can occur in any order.
    When I push the payload in the following order, the same as defined in the XMG map,
    -<docException>
    -<docAcknowledgement>
    it works fine,
    but when I push the payload in a different order
    -<docAcknowledgement>
    -<docException>
    the PL/SQL procedure call on the INPROCESS action on <docAcknowledgement> works fine,
    but the PL/SQL procedure call on the INPROCESS action on <docException> is performed, but XML Gateway is not passing values to the parameters of that procedure.
    When I verified the parameter values in the log, all are null.
    I am calling the same procedure on both tags.
    How can I overcome the above problem?
    How can I enforce that the two tags can be in any order without a DTD?
    Thanks
    -Praveen

    I am just confirming my map structure:
    -<envelope> -- root element and also level
    ----<gdsnItemRegistryResponse> --Level
    -------<docException> --Level
    -------<docAcknowledgement> --Level

  • Gateway Server Issue

    Hello,
    Following is the issue that I'm having.
    I have 2 management servers and ADCS configured on Active Directory. I have a couple of servers in the workgroup that I need to monitor. I didn't configure gateway servers because there are only 2 workgroup servers. I've successfully imported the certificates using MOMImport.exe on the SCOM management servers and also on the WORKGROUP servers. However, I don't see the workgroup servers in the pending servers.
    I checked the events on the workgroup servers and I got the following Event IDs.
    Event ID 21006: The OpsMgr connector could not connect to SCOM:5723. The error code is 11001L (no such host is known)
    Event ID 21023: OpsMgr has no configuration for management group SCOM and is requesting new configuration from the Configuration service.
    The firewall is disabled on all the servers. I'm not sure what is going on.
    I've followed a lot of blogs and TechNet answers, but I'm still having issues.
    Any help will be appreciated.
    Thanks

    I've figured out the problem. I've resolved it by going through the following steps.
    The 1st issue was the DNS entry. After entering the DNS of the workgroup machine I got Event ID 21007 on the workgroup computer.
    That led me to check my certificate names, which were not correct, so I changed it to the FQDN of my SCOM server and on the workgroup computer I changed it to the computer name. Re-imported the certs and boom.
    NOTE: make sure the certificate name and friendly name are the same as the FQDN, otherwise it will not work.
    Kevin Greene's blog really explained it well. Below is the link:
    http://kevingreeneitblog.blogspot.com/2011/09/using-internal-certificates-with-scom.html

  • SA520w ProtectLink Gateway activation issue

    Hi Forumers,
    Below is my problem statement:
    1. I have registered the ProtectLink Gateway at the TrendMicro website. I now have the activation code with me.
    My problem is that I never received the additional activation email for me to proceed with configuring the IMHS web portal.
    2. During the registration, I didn't provide my domain name and the IP address of my WAN port. But still, I never received the post-registration email for this. Now I need to get the MX record and then forward it to the local ISP to configure on their DNS.
    3. Does anybody know the escalation channel? I raised a case with Trend Micro but there seems to be no reaction from them (I registered on 8th March 2011; it's been over 80 hrs++).
    Thanks,
    Noel

    Exactly the same as my case, but even though I did a hardware reset with the correct time zone and everything, the problem still couldn't be solved. Re-generating the license from TrendMicro got the problem solved in the end. I can understand the point of a factory default, but when the box is deployed at a client site it will be difficult for the reseller to perform a factory default. We trust and rely on Cisco but the outcome is unexpected. I strongly suggested that support generate a license for me within a day, but they insisted on a factory default even though I'm very sure all settings in the box are already correct.
    I found lots of posts regarding SA500 series issues and I can't believe Cisco SMB products are even worse than China & Taiwan products nowadays.
    cheers,
    Chi Hong.
