Anyconnect tunnel-group and group-policy from LDAP
Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.
To prevent users from selecting an incorrect group-policy, the LDAP server provides an IETF-Radius-Class value which matches the different group-policy names.
It is my understanding that the authentication method is provided by the tunnel-group.
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LDAP_AD
This all works, but for _one_ of the group policies I'd like to enable (external) two-factor authentication. To enable two-factor auth a 'secondary-authentication-server-group' needs to be set in the tunnel-group.
Creating a tunnel-group which matches the name of the group-policy doesn't seem to have any effect. When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.
When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two-factor auth does work.
To summarize, is it possible to let LDAP decide which tunnel-group is used, or is there another way to have different group policies without users being able to choose?
Fabian,
Your connection lands on a tunnel group and picks a group policy.
A typical way to overcome the problem you're indicating is by using group-url.
A URL is bound to a specific tunnel-group and allows you to land directly on the one you desire.
vide:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
M.
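The reply above leaves out the piece that actually closes the gap Fabian describes: a group-url makes the MFA tunnel-group reachable without showing the tunnel-group drop-down, but by itself nothing stops a user who should get MFA from connecting to the default URL, landing on DefaultWEBVPNGroup and being admitted with a single factor. The usual answer is the group-lock attribute on the group-policy, which rejects the session when the tunnel-group the user landed on is not the one named in the lock. The configuration below is an added example, not from the original post or from Cisco; LDAP_AD and DefaultWEBVPNGroup come from the post, while GP_STANDARD, GP_MFA, TG_MFA, RADIUS_OTP, LDAP_ATTR_MAP, the host addresses, vpn.example.com and the memberOf group DNs are assumed names. The attribute map uses memberOf to Group-Policy, which is the common Active Directory form; the post's IETF-Radius-Class mapping serves the same purpose.

```cisco
! Added example (not from the original post). Assumed names: GP_STANDARD, GP_MFA,
! TG_MFA, RADIUS_OTP, LDAP_ATTR_MAP, vpn.example.com and the two memberOf DNs.
!
! 1. Map the directory group to a group-policy (memberOf -> Group-Policy; the
!    post does the same thing with IETF-Radius-Class).
ldap attribute-map LDAP_ATTR_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-MFA,OU=Groups,DC=example,DC=com" GP_MFA
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP_STANDARD
!
aaa-server LDAP_AD protocol ldap
aaa-server LDAP_AD (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password ********
 server-type microsoft
 ldap-attribute-map LDAP_ATTR_MAP
!
! Assumed second factor: an OTP server spoken to over RADIUS, used only as the
! secondary method of the MFA tunnel-group.
aaa-server RADIUS_OTP protocol radius
aaa-server RADIUS_OTP (inside) host 192.0.2.20
 key ********
!
! 2. Deny anyone the directory did not map to a group-policy. DfltGrpPolicy is
!    inherited by every other policy, so each real policy overrides the value.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
!
group-policy GP_STANDARD internal
group-policy GP_STANDARD attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
!
! 3. The MFA policy is locked to the MFA tunnel-group: a user mapped to GP_MFA
!    who arrives through DefaultWEBVPNGroup (the default URL, LDAP only) is
!    rejected instead of being admitted with one factor.
group-policy GP_MFA internal
group-policy GP_MFA attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 group-lock value TG_MFA
!
! 4. Default tunnel-group: LDAP only, as in the post.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP_AD
!
! 5. MFA tunnel-group: LDAP first, then the OTP server. It is reached through
!    its group-url, so the tunnel-group list can stay disabled in the portal.
tunnel-group TG_MFA type remote-access
tunnel-group TG_MFA general-attributes
 authentication-server-group LDAP_AD
 secondary-authentication-server-group RADIUS_OTP
 default-group-policy GP_MFA
tunnel-group TG_MFA webvpn-attributes
 group-url https://vpn.example.com/mfa enable
```

With this in place, "show vpn-sessiondb anyconnect" should list GP_MFA sessions only with Tunnel Group TG_MFA; a GP_MFA user who connects to the bare hostname is refused at login rather than appearing with Tunnel Group DefaultWEBVPNGroup. Two things to check after applying it: that every group-policy overrides vpn-simultaneous-logins (otherwise the 0 in DfltGrpPolicy locks everyone out), and that the MFA users are handed the /mfa group-url as their profile's server address, since the URL is now the only way for them to reach a tunnel-group that accepts them.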
Similar Messages
-
Group and Group counter in Routing
Hi all,
what is group and group counter in routing , how these are used in routing , please explain.
Regards,
Joseph.

Dear Joseph,
1. Each routing is stored against a group and group counter number.
2. When we create a routing without reference to any material, only by giving the plant, the set of operations gets saved under one group counter and group number.
3. Many materials can be assigned to this same group and group counter number, so that the routing is valid for all the materials included.
4. When you create a routing for a specific material, the set of operations gets saved in a group number and group counter number as 01; when you create another routing with another set of operations for the same material, plant and task list combination, the group number remains the same and the group counter gets saved under 02.
5. This data can be further helpful in assigning the routing data in the production version.
Check and revert
Regards
S Mangalraj -
How do I know which group and group counter used to create current estimate
Is there a way to know, for a given set of materials, which groups and group counters have been used to create the current cost estimate, or, for a given combination of material, group and group counter, whether it has been used to create a current cost estimate? I can look each one up by displaying the cost estimate, but I am looking for a quick way since the number of materials is in the hundreds.
I was wondering if there is a table I could look up to get the info.
Any help would be much appreciated.
Regards

The name of the table that needs to be used is KEKO. I figured it out so I thought I would share.
Edited by: NIK83 on Mar 7, 2011 10:16 PM -
ASA 5520: Retrieve user, group -and- lanlist (ACL) from openldap
hi,
while migrating from a VPN Concentrator 3000 to ASA 5520 (IOS 8.0.4), we'd like to put all VPN-related configuration settings in an openldap server (2.3.27).
We have trouble finding ways to put group settings, LanLists (as they were called on the Concentrator, or ACLs) and Lan2Lan configurations in LDAP.
Authenticating users through openldap works, and there seems to be an aaa-server command "ldap-group-dn-base", but it seems this is only used in conjunction with Active Directory, while we only use openldap.
Furthermore, ACLs seem to be indices referring to ACLs locally stored on the ASA: how to put the complete ACL in LDAP?
Preferred LDAP configuration:
VPN-users: ou=users,dc=vpn,dc=COMPANY,dc=com
VPN-groups: ou=groups,dc=vpn,dc=COMPANY,dc=com
VPN-L2L: ou=lantolan,dc=vpn,dc=COMPANY,dc=com
How to refer the ASA to an entry in ou=groups,... from an entry residing in ou=users?
Same question for LanLists. Is this possible?

Thank you. I did find the attribute map option, but the manuals and explanations that describe this feature all refer to group-settings (ACLs etc.) that are _already configured_ on the ASA. They refer to a groupname or ACL-name that is "known" in the ASA configuration.
What we'd like to do is put -all- possible group, ACL, lan2lanlists, data in ldap. So when a user authenticates:
1. his user-credentials are checked against LDAP and relevant configurations (using attribute maps) are loaded into the ASA
2. his group-credentials are checked against LDAP and relevant group-configurations (using attribute maps) are loaded into the ASA
3. possible lan/network-lists to which his group-information refers, are loaded from LDAP into the ASA.
Perhaps I'm missing something, but I've found only ways to put the _name_ (/ID) of these settings in LDAP, referring to settings/configurations already existing in the ASA. I'd like to put _all_ the settings/configurations in LDAP as well. -
How to get list of groups and the users from OID
Hi,
Can someone please tell me how to get the list of GROUPS and all the USERS in each group in OID using Java. Need to recursively get all the Groups and Users in each group using Java any samples.
Thanks

Use examples from OTN like
http://www.oracle.com/technology/sample_code/products/jdev/readmes/samples/ldapdatacontrol/ldapapplication/src/dc/ldap/model/LDAPSearch.java
and modify it to your needs
Bernhard -
Can I delete the hierarchy groups and reload again from R/3
Hello all,
I am having some issues in my reports because of the hierarchy groups. Can I just delete the entire hierarchy groups from "production" and reload again from R/3? Will that cause any issue?
Thanks in advance

Hi,
I think you can delete the Master Data Hierarchies. I don't see any issue in production.
Rgds,
Ravi. -
Relationship between groups and their members in LDAP directory missing
I use SAP EP 6 SPS14 with one LDAP Server as data source using this flat LDAP structure:
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: example.com
dn: ou=user,dc=example,dc=com
objectClass: organizationalUnit
description: All Users
ou: user
dn: cn=Max Mustermann,ou=user,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Max Mustermann
givenName: Max
sn: Mustermann
uid: 0001
userPassword:: bWF4
dn: cn=Max Meier,ou=user,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Max Meier
givenName: Max
sn: Meier
uid: 0002
userPassword:: bWF4
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
description: All Groups
ou: groups
dn: cn=internal,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: internal
member: uid=0001,ou=user,dc=example,dc=com
dn: cn=external,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: external
member: cn=Max Meier,ou=user,dc=example,dc=com
The private section of the LDAP entry in the dataSourceConfiguration.xml looks like:
<privateSection>
<ume.ldap.access.server_type>openLDAP</ume.ldap.access.server_type>
<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
<ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
<ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
<ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
<ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
<ume.ldap.access.objectclass.user>inetOrgPerson</ume.ldap.access.objectclass.user>
<ume.ldap.access.objectclass.uacc>inetOrgPerson</ume.ldap.access.objectclass.uacc>
<ume.ldap.access.objectclass.grup>groupofnames</ume.ldap.access.objectclass.grup>
<ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
<ume.ldap.access.auxiliary_naming_attribute.user>uid</ume.ldap.access.auxiliary_naming_attribute.user>
<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
<ume.ldap.access.auxiliary_naming_attribute.uacc>uid</ume.ldap.access.auxiliary_naming_attribute.uacc>
<ume.ldap.access.naming_attribute.grup>cn</ume.ldap.access.naming_attribute.grup>
</privateSection>
The pointers in the portal are:
User Path: ou=user,dc=example,dc=com
Group Path: ou=groups,dc=example,dc=com
If I log in as SuperUser, all users and all groups of the LDAP directory are there and I could log on as one of the LDAP provided users. But the relationship between the users and the groups, defined in the member of the objectClass groupOfNames, is missing.
What's wrong?
Message was edited by: Holger Wohlhüter

Meanwhile I changed the GroupOfNames to GroupOfUniqueNames in the LDAP structure and solved the problem. I had to add this line: <physicalAttribute name="null"/> in the User mappings.
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="*null*"></physicalAttribute>
</attribute>
</attributes>
</nameSpace>
Message was edited by: Holger Wohlhüter -
How to create Groups and Group Leaders in Clusters.
Hi,
As we know in unicast there is one to one communication and there are groups to control the Thread
Management, How the Groups and the Group Leaders are created.
Regards,
Vardhan.

Unicast clustering uses TCP/IP sockets to pass cluster messages between members. To avoid requiring each cluster member to have connectivity to every other cluster member, WebLogic Server uses a group leader strategy whereby the oldest member of the group (in other words, the server that was started first) is designated the group leader. All members of the cluster connect to the group leader so that the group leader acts as the relay point for cluster messages between members. If the group leader goes down, the next oldest member becomes the new group leader.

As you can imagine, the group leader strategy works well for small groups but becomes less efficient as the number of members of the group grows large. As such, WebLogic Server uses a multiple group leader strategy where it limits the number of members in a group to 10. If the cluster is larger than 10 members, WebLogic Server splits into two or more groups, each with their own group leader. The group leaders themselves are all interconnected to minimize the number of hops that a cluster message must traverse to reach all cluster members.
Task list group and group counter
hi,
I have one requirement. I have given an internal number range to the task list, so I need to create a task list with one group and several group counters. But what is happening is that when I run LSMW for that, separate group numbers are generated for each task list. Is there any way to get the same group number with different counters using LSMW?

Hi,
since you have given an internal number range for the task list, the system will try to create the task list with different group numbers. If you want the same group number with different group counters then I think you have to use the task list with an external number and use the number created before.
regards
thyagarajan -
Group and group counter in sap
Hi all,
When I am creating a rate routing, how can I change the group number? External entry is not possible for group.

Dear Joy,
check the number range interval in T.Code OP62, whether the check box for external number allowed is included (which means that within the from - to range a number can be entered externally for creating a routing).
If not, you can only use the internal number range; if required, a different number range for an external series can be configured.
Check and revert back.
Regards
Mangalraj.S -
Bea Portal Group and Group selection / um:getProperty
Hi,
I would like to know if it is possible to set the default group in which <um:getProperty> looks when the user does not have the requested property set in his profile. I noticed that by default it looks into the current group portal. However I would like to make it look into a specific sub group of the group portal.

In the same way there are checks to determine if a user belongs to several portal groups, I would like to extend these checks and include sub groups in the tests and selection.

I saw that the webflow uses GroupFormProcessor and GroupProcessor but couldn't find the source code to see what needs to be initialized for <um:getProperty> to work correctly.

I saw the successor attribute in <um:getProfile>, but I would like to know if there's a way to avoid specifying it each time... by setting a value in the session for instance?
Thanks for your help,
Best Regards,
Thierry

Hello Thierry,
You probably want to set the explicit successor in the session. A successor is a group from which a user inherits properties. An explicit successor is one that is specified in the getProperty() call underlying the <um:getProperty> tag. Just for your information, this is as opposed to an implicit successor, which is persisted for the user and is associated with a property set. You can use the methods of ProfileWrapper to persist an implicit successor for a user for a specific property set.

The portal framework sets the ProfileWrapper in the session using the com.bea.p13n.usermgmt.SessionHelper.putProfileInSession() method. It sets the explicit successor for this profile to be equal to the group that was selected by the user to apply for this portal session when they logged on (if they are only a member of 1 group, then they were not prompted for which group... the group was simply set as the explicit successor). The call to SessionHelper.putProfileInSession() is done in the PostLoginProcessor in the portal security webflow (see the webflow in your EBCC).

You can override this by using SessionHelper.putProfileInSession() yourself or by putting <um:getProfile> into your portal.jsp page. <um:getProfile> does the same thing (uses SessionHelper.putProfileInSession() to put the ProfileWrapper into the session).

If I were you, I'd put <um:getProfile> with session scope at the top of portal.jsp and use the group that you are interested in as the explicit successor.
See the <um:getProfile> docs at
http://edocs.bea.com/wlp/docs70/jsp/p13njsp.htm#1001358
Thierry -
Group and group counter used to create cost estimate
I am creating a custom report and would like to know what table do I have to use if for a given material the program has to pick Group, Group counter and the task list type that were used in creating the cost estimate for that material. Any help in this regards is much appreciated.
Regards,

The name of the table that needs to be used is KEKO. I figured it out so I thought I would share.
Edited by: NIK83 on Mar 7, 2011 10:16 PM -
Provisioning Groups into FIM 2010 from oracle database
Greetings,
I am trying to provision security groups from an oracle database where i have a view that contains:
Department_Code
Department_Name
DepParent_Code
The view has a recursive relation between Department_Code and DepParent_Code (1 to many).
The view will lead to a Tree that has departments and sub-departments, i want to provision this data into FIM then to AD as security groups reserving the same hierarchy.
Any help would be appreciated.
Mohamad Chahla

I have done something like this myself. Using my approach I would do the following:
Extend the Group and group resource type schema in FIM and the FIM Metaverse respectively, adding a new REFERENCE attribute binding ParentGroup/parentGroup respectively;
Create an Oracle MA for importing DEPARTMENT objects with the anchor attribute Department_Code and with DepParent_Code declared as type REFERENCE;
Create an inbound sync rule to import department objects as GROUP objects, with IAFs as follows:
'DEPT-' + Department_Code => group.displayName
Department_Name => group.description
DepParent_Code => group.parentGroup
... and other IAFs according to the instructions you will find
here;
Either create your FIM groups as static (easy), or dynamic/query based (harder - i.e. you would do this if each Person object had a string binding of Department with values which exactly match the DEPT data you are importing) by using an appropriate MPR/workflow;
Define an outbound sync rule to
synchronise your FIM group objects to AD.
If creating dynamic groups, your new workflow 'Set Department Group Filter' can be created by using the Function Evaluator to construct the necessary XML filter value (create a group manually first to determine what this must look like) such that each
group has a matching filter, e.g. the filter for DEPT-ABC would be /Person[Department='ABC']
Bob Bradley (FIMBob @
TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM -
Grouping and Decimal characters in rtf templates.
Hi guys and girls,
I’m really struggling with a problem here regarding the decimal characters for the prices in my output.
I'm using XML Publisher 5.6.3.
My goal is to control the grouping and decimal character from my template.
The numbers in the XML data file can either be 10.000,00 or 10,000.00. The format is handled by the users nls_numeric_characters profile option.
The output of the template shall be based on the locale and not the data generated by Oracle Reports. For example: Reports to US customers shall show the numbers in the following format 10,000.00. Reports to our European customers shall show the numbers in this format 10.000,00.
How can I achieve this in my templates? Can it be achieved at all?
Thank you in advance.
Kenneth Kristoffersen
Edited by: Kenneth_ on May 19, 2009 1:30 AM

Hi,
Thank you for your reply.
The problem is that the report is generating the output based on the users profile option nls_numeric_characters.
I have tried to override the user's profile option in the before report trigger without any luck. I can alter the selects so the query gets the numbers in the right format, but then I would have to go through all queries and reports, which seems a bit wrong? Especially for the standard Oracle reports.
BR Kenneth -
Retrieving User groups and email for all users in a group
Hi Everyone,
I need to create an ADF application to retrieve all the groups in OID, the user would select a group and it should list down all the email addresses in that group.
Can you suggest what is the best way to achieve this. My main concern is how to retrieve groups and email addresses from OID. I was unable to find APIs for it.
Your suggestions are greately appreciated.
Thanks,
Husain

In a multi-user environment, a user installs a Dreamweaver extension, but only the user who installed the extension can use it.
Is there a way for an administrator to install the extension and make it available to other users in a multi-user environment (e.g. Windows 7)?
Dreamweaver had this capability many releases ago, but it has been dropped, so it's no longer available.
Regards,
Randy Edmunds
Dreamweaver Development
Adobe Systems, Inc.