Authen and Auth via kerberos and ldap (hosted on linux)

Similar Messages

• FTP adapter for OESB in Linux and OESB hosting in Linux

  Hello,
  is there anyone can explain how to set the correct path for the ftp directory and the local physical directory during setting up the wizard?
  FTP server directory will be: \folderA << physical location is in \var\ftp\folderA
  Local Archive Directory will be :\var\ftp\folderArchieve
  How do I going to configure this in my config xml as well?
  Edited by: kpchong on Jan 22, 2010 2:46 AM

  Well, Metalink can't find any pages that match that error number, or the error text.
  Nor can Google - the only pages that come back are this page and your post on orafaq with the same message.
  Have you posted the error message correctly? If you run the procedure from SQL*Plus as if the workflow engine were running it, what happens?
  Matt
  WorkflowFAQ.com - the ONLY independent resource for Oracle Workflow development
  Alpha review chapters from my book "Developing With Oracle Workflow" are available via my website http://www.workflowfaq.com
  Have you read the blog at http://www.workflowfaq.com/blog ?
  WorkflowFAQ support forum: http://forum.workflowfaq.com

• Windows authentication via kerberos on LDAP

  question - where can I generate ktpass -princ host/ etc. it isn't at j2ee engine machine ( is it at SAP Web Dispatcher)??

  Hi Damian
  You need to run the command on the Domain Controller
  Theo

• Single sign-on using Kerberos and Ldap

  I am currently setting up single sign-on using Kerberos for authentication and Ldap for authorization and information store.
  The setup includes several Solaris 8 & 9 workstations, a couple of SGI's, as well as a M$ terminal server farm, several WinXP desktops and their associated Active Directory.
  I am required to authenticate etc against the AD. (which has M$ SFU3.5 installed)
  I have the Kerberos authentication and part of the Ldap service working via pam & nss.
  ie. I can logon to the solaris worksatations using the AD username and password, mount the home directory from a M$ NFS server.
  BUT...
  id gives:- userID, groupID (primary group only)
  groups :- primary group only. (no secondary groups are listed)
  Question: what additional configuration information do I need in the pam, nss &/or ldap config files, so that I can list the secondary groups.
  Thanks in advance for any help.

  After evaluating (giving up on, and finally throwing out) the Sun Directory server it looks like we are going to endup with a similar solution..
  Sadly enough, the MS AD seems much more stable and easier to handle than Suns DS, kerberos and associated services.
  Anyway, currently we are evaluating a product called vintela ( www.vintela.com ), and it seems very promising; its easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional nss module called 'vas', so you easily can retrieve data like hosts/groups from your AD.
  //M.

• How to config messaging 5.2 and ldap 5.2 with smtp auth?

  Hello.
  I want to config smtp auth for msg 5.2 and ldap 5.2.
  How to step of work.
  I config follow admin guide but it not work.
  Please help me and advice me.

  For your internal clients to be authenticated,
  replace "mustsaslserver" instead of "maysaslserver" in tcp_intranet channel on your imta.cnf file. Then all clients connecting from your internal IPs (listed on your mappings file) will be authenticated.
  Add the below two parameters for messenger express users to use the same system.
  configutil -o local.service.http.smtpauthuser -v "store admin user name"
  configutil -o local.service.http.smtpauthpassword -v "store admin password"
  All other external smtp connections (MX pointed) are not authenticated since they are directed to tcp_local channel.

• Difference betweek adding node via Sysadmin and adding host via OAM

  We have cluster setup at DB node in EBiz 11.5.10.2. After running autoconfig we have to manually add physical host entry in FND_NODES table. We do this via sysadmin > Install > Nodes. But I have seem some difference when we add node via OAM > add new host and sysadmin > install > nodes. Specially if you add host via OAM, it add support_CP value along with hostname, same doesn't happen if you do via sysadmin.
  Did anyone know technical difference between these two approach.

  Here is the X server backtrace I get when I try to open an image in GIMP:
  Backtrace:
  0: /usr/bin/X(xorg_backtrace+0x3b) [0x813017b]
  1: /usr/bin/X(xf86SigHandler+0x51) [0x80d8cb1]
  2: [0xb7fde400]
  3: /usr/lib/xorg/modules//libexa.so [0xb7a07f4c]
  4: /usr/lib/xorg/modules//libexa.so(exaComposite+0x607) [0xb7a08747]
  5: /usr/bin/X [0x8175e5d]
  6: /usr/bin/X(CompositePicture+0x19a) [0x815e86a]
  7: /usr/bin/X [0x810ef9a]
  8: /usr/bin/X [0x811f20d]
  9: /usr/bin/X(miPointerUpdateSprite+0x1ac) [0x8118aec]
  10: /usr/bin/X [0x8118bd5]
  11: /usr/bin/X [0x8145948]
  12: /usr/bin/X [0x81691ee]
  13: /usr/bin/X [0x809378f]
  14: /usr/bin/X [0x8098611]
  15: /usr/bin/X(miSlideAndSizeWindow+0x24e) [0x812734e]
  16: /usr/bin/X(ConfigureWindow+0xab3) [0x8078763]
  17: /usr/bin/X(ProcConfigureWindow+0x9c) [0x808b7ac]
  18: /usr/bin/X(Dispatch+0x34f) [0x808c20f]
  19: /usr/bin/X(main+0x47d) [0x8071c8d]
  20: /lib/libc.so.6(__libc_start_main+0xe5) [0xb7beb6c5]
  21: /usr/bin/X [0x8071071]

• Radius server (not elektron!) interacting with mysql DB and LDAP

  I am installing a service that requires a radius server. I have tried to build and install freeradius from source, as well as used the installer packages that are out there. None of them include support for mysql. As soon as you turn on sql in the radiusd.conf you get an error like this:
  rlm_sql: Could not link driver rlmsqlmysql: file not found
  Similar to the problem described here:
  http://www.freeradius.org/faq/#4.14
  Except that I get an error saying that rlmsqlmysql.a is an invalid image. The file exists and freeradius sees it and can find it, it's just not usable by freeradius. Like I said I have tried building this from the latest cvs source, and finally got it to build completely fine, and even except connections.
  I just need it to authenticate to mysql now.
  Anybody have any pointers. I have tried some of the suggestions on the freeradius faq, but I think what I am encountering is an issue specific to os x tiger. I have even tried to install using darwinports, but the installation fails.
  The system I am trying to install this on is running 10.4.2 (I am apprehensive about updating the system, because of issues with mysql being hosed.)
  If anyone thinks or knows that 10.4.2 has specific issues as to why it cannot be installed on 10.4.2 I may need to look into doing a backup and then upgrade of the server, and attempt freeradius install on 10.4.7.
  Thanks in advance for any and all help!

  Big help you OS Xers are. J/P!
  Since this place is supposed to be about education, let's educate!
  I ended up installing OpenRadius and using RADsql (it comes with openradius). It's a bit finicky, but in the end it seems to be working. You also have to install Perl DBI, and Perl DBD Mysql, all of which I installed using darwing ports (also btw, you are better off getting the darwin/macports source and compiling it yourself, rather than using the DMG installer) If you are paranoid about using terminal there is an app out their called PORT AUTHORITY which is basically a gui front end to install darwinport apps.
  You may have to do a little searching, but the key is getting the behaviour file and the config file correct, I found examples of the two I needed here:
  http://www.mirrors.wiretapped.net/security/authentication/radius/openradius/exam ples/0.9.10/
  I am attempting to also have openradius look at ldap if it can't auth to sql, I think this is possible, since it seemed to be in freeradius. So that our users don't need to choose a seperate auth protocol.
  I hope at least part of what I have to say will help someone out there, I will update this as I find out more. Right now I can only auth via clear-password, which is not really much of an issue, since this will all be LAN and WAN behind a firewall. But it would be nice if it was at least MD5 which openradius is supposed to support.

• Cisco ASA 5505 Cannot ping local traffic and local hosts cannot get out

  I have, what I believe to be, a simple issue - I must be missing something.
  Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).
  There is a PC (10.51.253.210) plugged into e0/1.
  I know the PC is configured correctly with Windows firewall tuned off.
  The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
  I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.
  Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.
  Any ideas? Sanitized Config is below. Thanks !
  ASA Version 7.2(4)
  hostname *****
  domain-name *****
  enable password N7FecZuSHJlVZC2P encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif Inside
  security-level 100
  ip address 10.51.253.209 255.255.255.248
  interface Vlan2
  nameif Outside
  security-level 0
  ip address ***** 255.255.255.248
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  shutdown
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  shutdown
  ftp mode passive
  dns server-group DefaultDNS
  domain-name *****
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
  pager lines 24
  mtu Outside 1500
  mtu Inside
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any Outside
  no asdm history enable
  arp timeout 14400
  global (Outside) 1 interface
  nat (Inside) 0 access-list No_NAT
  route Outside 0.0.0.0 0.0.0.0 ***** 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  aaa authentication enable console LOCAL
  aaa authentication serial console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  no snmp-server location
  no snmp-server contact
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac
  crypto map DPS_Map 10 match address Outside_VPN
  crypto map DPS_Map 10 set peer *****
  crypto map DPS_Map 10 set transform-set *****
  crypto map DPS_Map interface Outside
  crypto isakmp enable Outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 28800
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 Outside
  ssh timeout 60
  console timeout 0
  management-access Inside
  username test password P4ttSyrm33SV8TYp encrypted
  tunnel-group ***** type ipsec-l2l
  tunnel-group ***** ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d
  : end
  1500

  Hi Martin,
  Which way you are trying. Sending traffic via site to site is not working or traffic which you generate to outside world is not working?
  But you say ASA connected interface to PC itself is not pinging that is strange. But try setting up the specific rules for the outgoing connection and check. Instead of not having any ACL.
  If it is outside world the you may need to check on the NAT rules which is not correct.
  If it is site to site then you may need to check few other things.
  Please do rate for the helpful posts.
  By
  Karthik

• Problem with ADS and LDAP

  Problem with ADS and LDAP
  I have installed Win2000 + sp1 and ADS on a computer. This computer is PDC.
  After connection via LDAP I cann't get any object ( users or goups etc. ).
  I try connect to ADS by java ( JNDI ).
  When I use another clients of LDAP ( eg. Maxware Directory Explorer) I have
  the same problem - no objects.
  Can anybody help me?
  Grzegorz Pszona
  my e-mail: [email protected]

  Thanks a lot.
  Softerra's browser is really good.
  Thanks
  Rashmi
  "Anant Kadiyala" <[email protected]> wrote:
  >
  I used Softerra's LDAP browser. The browser is free. There is also a
  java baded
  LDAP browser from Univ of Michigan. I found the Softerra browser to be
  more easier
  to use.
  -anant
  "rashmi" <[email protected]> wrote:
  Hi,
  Can you please let me know which exact ADS tool that you used to examine
  the
  DN. I have Active Directory Users and Computers, Sites and Servicesand
  Domain
  and Trusts installed on my machine but I am not able to figure out how
  to get
  the DN?
  Thanks
  Rashmi
  for Stephen Davies <[email protected]> wrote:
  Grzegorz,
  I have had WLS6.1 & ADS working ok using LDAP V2. Mind you it did take
  a
  fair bit of messing around to get it going. MS does have a few oddities,
  for example the Administrators DN might look something like this:
  cn=Administrator,cn=Users,dc=eglobal,dc=net
  One tool that I found invaluable came with the additional support tools
  for Windows 2000. The 'Active Directory Administration Tool' made it
  easy to list the directory contents and examine the DNs.
  Regards,
  Steve
  Stephen Davies
  Principal Consultant
  eGlobal Services Pty. Ltd.
  Sydney, Australia
  Ph. +61 2 9283 1033
  http://www.eglobal.net/

• Connected MDM and LDAP, but but now what? Why user mapping?

  Hi Gurus,
  In my last thread, I posted that I was not able to connect MDM with LDAP. I was finally able to.
  My problem now is I have to define user mapping in SAP Portal for the MDM business iViews to work.
  By connecting MDM and LDAP, I got the benefit that now the authentication and authorization is happening via LDAP.
  But this does eliminate the need for user mapping. If this is the case then why the real benefit of using LDAP?
  In this case this becomes worse as I need to know the user's LDAP Password which no body will share for sure.
  Any ideas? I want to get rid off this user mapping stuff.
  Warn Regards,
  Karan

  without knowing specifics of ur architecture, i can quickly point out two things:
  1)  LDAP is primarily used for authentication, true.
  2) Portal User mapping should not be an issue if u already have portal tied up to the active directory or some kind of single sign on?
  So portal knows the users who has logged it, polls the Active directory for authentication and Active directory logs into MDM with that users role.
  -Sudhir

• Iweb and microsoft hosting

  My husband had a website with a linux hosting package, and I would drop a new published iWeb folder to the ftp via Transmit anytime I wanted to update it. Worked like clockwork. However, he recently wanted to upgrade the package, and accidently selected MS hosting verses linux hosting. Now I have no idea where to put the iWeb folder. Anytime I open the website's FTP, instead of seeing the folders I'm used to being ther, all i see is:
  _db import folder
  db folder
  default.asp
  logs folder
  First, I understand it's going to be different because it's microsoft, but surely I can still use this?
  I am calling up to switch to the linux, but until now what can I do to get my website running? Where can i drop the published iWeb folder?
  i'm using iWeb 08..Thanks!

  Greetings,
  Usually putting your iWeb site and it's index file at the root level of your server is sufficient. So if you are looking at the top level (not inside of any containing folders) of the server then just try uploading your files there.
  The very best answer? Contact whatever company is doing the hosting for you and ask them. They are the ones you are paying money to to have this site hosted, they should be able to tell you exactly where to put your files on their server. It should be a simple question for them to answer.

• I have a creative cloud membership.  If I don't want to build a site in Muse, can I build a business Catalyst site and have hosted free with my creative cloud membership?

  I have a creative cloud membership.  If I don't want to build a site in Muse, can I build a business Catalyst site and have hosted free with my creative cloud membership?

  Yes you can! It is a Basic level site but you can build it without Muse. I think you may need to create the site originally with Dreamweaver or Muse (meaning creating the site with Business Catalyst not building the site) but once that is done you can use any software to create the code for the site and upload it via SFTP. Hope that makes sense.

• Authenticating against both RDBMS and LDAP in WL6.0

  Hi,
  We are designing a webapp that will be accessible to both internal and
  external users. For internal users, we would like to authenticate via LDAP;
  for external users we would like to use RDBMS. In WL5.1, this looked to be
  possible with the DelegatingRealm, however this has been removed in WL6.0.
  Two questions:
  1) Why was it removed?
  2) How can we get this functionality in WL6.0?
  Thanks much for your help,
  -jt

  We are currently deployed on WL5.1 with a similar situation as you and in
  the process of migrating to WL6. We are Authenticating against LDAP and
  Authorizing against RDBMS. But I can't see how you could tell it to go
  one way for certain users and another for other users.
  The delegatingrealm in WL5 was intended to split the responsibility of
  Authenticating to one source and Authorization to another. To make this
  work for your Application of splitting internal and external users
  security, I suppose you can do it if you can somehow pass the information
  to the Security Realm the type of the user that is logging in. Maybe you
  can make this code a part of the userid such as ext_uersID or int_userID.
  Doing this will allow you to filter the where the users are coming from
  and Direct them to the appropriate security realm.
  As far as WL6 goes, the Delegating realm class is no longer available
  since the security model for WL6 is different from WL5. But you can take
  a look at what they did with the RDBMSrealm example and use that. This is
  what we did to make our Security work in WL6. However, you can no longer
  store ACLs in the RDBMS realm in WL6.
  Hopes this helps.
  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  You will need to create a Custom Realm which delegates to both your RDBMS
  and LDAP perhaps using the Weblogic supplied RDBMS and LDAP realms
  "Jonathan Thompson" <[email protected]> wrote in message
  news:3accf1a3$[email protected]..
  Hi,
  We are designing a webapp that will be accessible to both internal and
  external users. For internal users, we would like to authenticate viaLDAP;
  for external users we would like to use RDBMS. In WL5.1, this looked tobe
  possible with the DelegatingRealm, however this has been removed in WL6.0.
  >
  Two questions:
  1) Why was it removed?
  2) How can we get this functionality in WL6.0?
  Thanks much for your help,
  -jt
  [att1.html]

• SSL between ITS and LDAP

  Hello:
  I have a ITS 6.20 patchlevel 22 with Linux Red Hat Enterprise 4. I have configured the service PAS to access to the Employee Self-Service of the ITS via LDAP.
  I want to configure SSL between my ITS and the LDAP, but I read in note 456666 that it is only possible for Microsoft Windows and my ITS is Linux.
  Is it correct?
  Regards,
  Felipe Sánchez

  Hi,
  ~ldapport=636
  636 is normally the secure port or the LDAP SSL port, but this depends on the directory server and additionaly things also.
  Therefore I advise you to use example or SDK coding from your directory server or vendor. Normally things like certificate exchange / key exchange and configuration needed to ensure the secure configuration.
  All these things are vendor dependend steps and therefore SAP has no documentation about it,e.g. Novell directory server has a SDK with example coding for SSL connections. This coding in combination with SAPs PAS SDK can be used to build a shared library with LDAP SSL.
  regards,
  -markus

• LCCS and LDAP

  Hello,
  Is it possible to integrate LCCS and LDAP?
  Maybe there are any samples of it?
  Thank you in advance,
  Kioshin10

  Hi and sorry for the delay.
  It is possible to integrate LCCS with LDAP but we don't have a specific example of how to do it. You would use the external authentication APIs and we have some example of how to generate a valid authentication token given a user name and a unique id.
  Basically this is the deal:
  - your client authenticates into your LDAP system on your server backend (via an HTML form or a Flash application that interacts with your server).
  - once authenticated you take a "unique identifier" from your LDAP "record" (the uid, gid/uid or potentially the full distinguished name but I would not recommend that) and the user name and use it to generate an authentication token for a specific session in a room.
  - then you send the token to your Flash/Flex client or start a Flash/Flex client that will connect to the specified room and authenticate with that token.
  In general LCCS doesn't require strict integration with your authentication system. You authenticate into your system and then generate a signed token that tells LCCS that the user "carrying" that token is a valid user that has been authorized to access a specific room.
  Anyway, please check the documentation and the examples for external authentication and if you have any specific question, or you get into implementation details and need more help, don't hesitate to ask here.