Authenticate via LDAP - 2 diffrent "LDAP DN Strings"

Similar Messages

• Can not authenticate via LDAP in CUPC 8.5.5.19839

  Hi to all .
  I recently have installed Cisco Unified Presence 8.6.2.10000-44 and Cisco Personal Communicator 8.5.5.19839 . The users can not log in to the CUPC with your windows users , only can do it locally . Can you give some advice about this problem ?
  Thanks and best regards
  Hugo

  The service Cisco UP XCP Directory Service is not running . I have Cisco Presence 8.6.2.10000-44 ( demo mode )
  It is possible that is related to the problem ?
  Thanks and best regards

• Can Cisco ASA work with spaces in LDAP DN string to authenticate and assign group policies?

  I am having the hardest time getting a definitive answer to this;  basically, I have a Cisco ASA firewall that is using AD via LDAP to authenticate  users and assign them a group policy based on certain AD group memberships.
  The problem I think I have is that due to how our AD forest is structured, I have spaces in the DN string, as shown below...  I have tried enclosing the entire string in quotes, etc.  - nothing seems to work.  Basically, the string is not matched, and the users are assigned a non-matching default policy.  Cisco TAC thinks it is due to the spaces (highlighted) but I am not sure sure.
  Can some one please advise?
  CN=VPN_SSL_SPLIT,OU=Grps - ACS,OU=Res - Groups,OU=BU - Vesna.Resources,DC=DOM1,DC=US,DC=LOCAL

  We can troubleshoot this issue. Please provide me the following outputs:
  show run aaa-server
  show run ldap
  Turn on "debug ldap 255" and reproduce the issue. Paste the output here.
  Regards,
  Jatin Katyal
  *Do rate helpful posts*

• Read 'userPassword' attribute via LDAP?

  Hi all,
  Sorry if this question has already been answered...
  I do not have access to a Sun ONE Directory server so I have not been able to answer this question for myself.
  Is it possible to read the 'userPassword' attribute from a Sun ONE Directory Server via LDAP?
  I know that this is not possible for MS AD, and I am guessing this is a standard used by all LDAP Servers.
  Thanks in advance for any help,
  Bryan Galvin

  If the privileges are set properly, you can read the password in the Sun directory. If the password is stored in clear text (not the default) then you will see the password. If it is encrypted then you will see an encrypted password string preceded by the encryption method used, for example:
  userPassword: {SHA}0twDi9KZ2bTTBL1PpYwcFxhWsCu=
  An "old" method of authentication involved hashing the user-supplied password with the same algorithm and comparing it to the entry in the directory. (apologies to those "oldies" still using that method!)

• Assigning a login module to a single WebDynpro to authenticate against LDAP

  Hi there,
  we are running the J2EE Engine 7.0 within XI on SAP NetWeaver 2004s / Linux x86_64.
  Basically, i want to Authenticate a Java WebDynpro against an LDAP (Active Directory). With the XI Usage installed, I can not customize the UME to authenticate against an LDAP (not supported and not possible).
  Thus, I want to use a custom login module or, if suitable, a standard login module to authenticate against LDAP. I know that all WebDynpro Apps use the default authentication scheme that in turn references the authentication template "ticket".
  1) Can I use a predefined Login Module to authenticate against Active Directory LDAP or do I have to write a custom login module?
  2) Is it possible to assign a login module to a single WebDynpro and how can I do this?
  Thanks a lot in advance,
  Oliver Kalkofen

  > Thus, I want to use a custom login module or, if
  > suitable, a standard login module to authenticate
  > against LDAP.
  We have developed a custom login module which does this. It looks to the user like the BasicPasswordLoginModule provided with SAP, but the userid and password entered has to be a valid accountpassword from the Active Director domain. We use the Kerberos protocol to perform this useridpassword validation, not LDAP. The userid can be just a name, in which case the default domain (realm in Kerberos terminology) or it can be specified as user@REALM in which case a non-default realm can be used to authenticate. Once the authentication is complete, we look in USRACL table to map this Kerberos principal name onto a SAP userid so we can then create an SSO2 ticket.
  If you interested to evaluate, or get a quote for purchasing this, please contact me offline. Of course, you can develop your own if you are happy to do so. I just thought you might be interested to know of an alternative.
  Thanks,
  Tim

• How do you get OS X Lion to authenticate against LDAP?

  Need help getting OpenLDAP to authenticate against LDAP on  Linux server....please help!

  Go to the Users & Groups system preferences, click "Login Options:" and then click "Edit" next to "Network Account Server." Then click the plus button and add your LDAP authentication server. You can also click the Directory Utility button to further refine the settings for your server and the LDAP service.

• Server 2012 errors for timeout -- LDAP error number: 55 -- LDAP error string: Timeout Failed to get server error string from LDAP connection

  Hello, currently getting below error msg's utilizing software thru which LDAP is queried for discovering AD objects/path and resource enumeration and tracking.
  Have ensured firewalls and port (389 ) relational to LDAP are not closed, thus causing hanging.
  I see there was a write up on Svr 2003 ( https://support.microsoft.com/en-us/kb/315071 ) not sure if this is applicable, of if the "Ntdsutil.exe" arcitecture has changed much from Svr 03. Please advise. 
  -----------error msg  ----------------
  -- LDAP error number: 55
  -- LDAP error string: Timeout Failed to get server error string from LDAP connection

  The link you shared is still applicable. You can adjust your LDAP policy depending on your software requirements.
  I would also recommend that you in touch with your software vendor to get more details about the software requirements.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Can Oracle Database 11.2.0.3 authenticate with ldap (ODSEE 11g)??

  Dear Experts,
  I wanted to know if the Oracle DB 11.2.0.3 can authenticate with LDAP ODSEE 11g. I got to know that in order to authenticate to LDAP oracle DB needs to connect to Oracle Virtual Directory (OVD). Is this the correct statement. Any inputs will be appriciate it. thanks in advance.
  Ibbi
  Edited by: Ibbi2200 on Apr 29, 2013 11:30 AM

  Yes i have looked into these Docs, It seems like Oracle DB does not connect directly with ODSEE 11g. It seems like you have to have OID (LDAP) not ODSEE (LDAP) for DB connection, and if you need to use ODSEEE, you have to use OVD to connect DB....Which is weird as OID is also an LDAP...and ODSEE is also an Oracle Ldap....
  this is the error i get when i tried connecting DB to ODSEE.
  "Error
  Unable to connect to Oracle Internet Directory.
  I am not using OID, we have ODSEE. Is there any pointers or workaround to connect ODSEE to DB? I am just trying to avoid OVD in the middle. Any help will be appriciated.
  Thanks
  ibbi

• FAQ: BC-LDAP-USR (Directory Interface for User Management via LDAP )

  Version: 20060317
  Q: Where can i find more information to the BC-LDAP-USR interface ?
  A: Have a look on our ICC webpage in the SDN:
  SAP NetWeaver AS - Directory Interface for User Management via LDAP (BC-LDAP-USR)[1] [original link is broken]
  Q: What costs a arising when we want our product to be certified ?
  A: See also our SDN page under the headline "Price List".
  Q: Is there a link/page for the already certified products for this interface ?
  A: Sure, have a look on our ICC page under the headline "Certified Solutions"
  Q: Who can we ask in case of general question ?
  A: Have a look at our general ICC forum:
  SAP Integration and Certification Center (SAP ICC)
  Of course, if you have urgent requests you can send them also directly to our local ICC's:
  ICC Walldorf in Germany: [email protected]
  ICC Palo Alto in USA: [email protected]
  ICC Bangalore in India: [email protected]
  Q: Who can we ask in case of technical questions ?
  A: This depends on the state of your certification project.
  1.) If the certification contracts have been signed then you can ask in this forum and if this does not solve your question go back to your assigned integration consultant.
  2.) When the certification contracts have not been signed then you can ask questions in this forum.

  I distinguish it using the passwordExpirationTime(or something like that, i don't have code here with me).
  This is possible if after password is expired user has at least one more access.It is a user policy that can be set in the Ldap server.
  If it is possible, user can still login and perform operations.You chan search the passwordExpirationTime attribute and determine if password is expired, and the send a message to the user, telling him to change it.(If only one access is allowed and you change the password with the same application or service then do not close context, else you should not be able to connect again.) Instead, if you use an external script, then the last acces should not give you problems.
  Hope i made myself clear.

• Apex 4 ldap configuration string syntax for multiple ou

  I created a working string cn=%LDAP_USER%, ou=employee, o=Toronto.
  I have another organization unit called non-employee.
  I have checked the Oracle Forums and google for syntax that would be compatible to authentication schemes in shared components of APEX.
  "(&(uid=%LDAP_USER%)(|(ou:dn:=employee)(ou:dn:=non-employee)))" and every variation that I could think of for an OR operation between ou. I even tried ou=* without success.
  What worked for one organization unit was uid=%LDAP_USER%, ou=employee, o=Toronto.
  uid=%LDAP_USER%, ((ou=employee) | (ou=non-employee)), o=Toronto and every variation there of did not work. I would like to union the two groups.
  Otherwise, it means copying the same application so that each would have a connection string. This is inefficient.
  I do not control the LDAP server so I cannot create an ou=everyone group.
  In summary, looking for a LDAP connection string syntax to union more than one ou.

  Hi, I've solved my problem. Seems that the pair of quotes around the DN is unnecessary and causing me the agony.
  Thanks!

• Import X.509 certificate via LDAP

  Hello,
  I have an iPad running iOS 5 and I'd like to know if it's possible to import people's X.509 certificates via LDAP. I have my corporate LDAP set up in Settings>Mail, Contacts  and I can search for people fine. The LDAP also has X.509 certificates that I'd like to use for encryption when sending emails from the iPad.
  regards,
  Tex

  I think if you select security profile in the channel then you can do sign and verify the certificate in the reciever agreement. THat is only for Security parameters. For just configure certificate authentication,  you will not see anything in the receiver agreement.

• Services won't allow users to authenticate via Open Directory

  Greetings! I have been pulling my hair out for a long time over this and wondering if anyone has seen something similar or has anything I can try.
  It's a bit confusing so I'll try to lay it out so it's not to crazy.
  *The setup:*
  Leopard server hosing services including Podcast Producer, AFP, SMB and iCal
  External OpenLDAP directory server
  *The problem:*
  I have setup our test Leopard server and got services all working. While this server is setup as an OD master I can authenticate and use the services without problem. However, we have an external LDAP server using OpenLDAP. If I try to authenticate with any of these users from the external ldap server they are not able to login on any service except afp!!!
  *What I've Done:*
  I've setup the server trying two methods: Magic triangle and augmented records. Both seem to yield the same thing. I can see the ldap users in workgroup manager and I can even nest them into groups on the local leopard ldap server. Some other possible info:
  A log entry in the Podcast producer log dealing with authentication:
  [error] [client xxx.xxx.11.122] moddigestapple: Unable to authenticate for URI "/podcastproducer/workflows" from user "testuser" for realm "PodcastProducer" at location "/LDAPv3/ldap.ourschool.edu" from the directory because user's password type is not compatible with digest authentication.
  If I edit /etc/smb.conf and delete the line : passdb backend = opendirectorysam guest windows users can successfully authenticate via smb.
  On our old Tiger server, we had a magic triangle setup. That machine only ran SMB and AFP and it experienced the same problem with SMB and needing to delete that line.
  I think these things may be related, but I'm not sure where to look next. Any help would be greatly appreciated! Thank you for any suggestions you can provide.
  Steve

  I've followed the apple kb articles for enabling WIKI access and Podcast Producer access. Users can now authenticate.

• Users not able to authenticate via short names

  First it was VPN and now it's happening to my radius server. Users aren't able to authenticate via their short names/usernames. The only way they are able to authenticate to these two services is by using their full name as entered in the LDAP directory. Previously "jsmith" would work, but now you have to enter "John Smith" This is very frustrating. Other services like calendar, mail, addressbook, webdav are unaffected by this issue. Any reccomendations? Thanks

  Hi JFWX5,
  I recently experienced a very similar problem myself, all services was running fine with no problem with authentication except for the calendar service; namely the webcal.
  Throug the Server Admin tool (not the Server app) I checked the log for Open Directory server and then explicitly for Kerberos which was comlaining that it didn't find the database for looking up users trying to authenicate themselfs.
  I found this article in the Apple knowledge base discussing a similiar problem: http://support.apple.com/kb/TS2938
  By executing that terminal command Open Directory and Kerboros was up and running for my webcal.
  PS: REALM_NAME should be in all caps and it is the DNS hostname for your server ex. SERVER.EXAMPLE.COM.

• Access Point Radios trying to authenticate via PEAP against ISE

  I have a working installation including a 5508 controller with ISE. The ISE is configured for EAP Chaining and clients are authenticating fine.
  We are seeing some weird behavior from the Access Points. We see authentication failures from devices trying to authenticate via PEAP, the funny thing is that the username and endpoint ID are the MAC addresses of our APs. we see it once or twice a day from several of the APs.
  Any ideas on what would cause this and what function of the AP is causing this?

  Hi Rasika,
  kindly advice. running on 7.6.130 and Cisco ISE 1.2.1.198, but my case is rejected the authentication, why radio base mac address is try to authenticating to ISE?
  Manufacturer's Name.............................. Cisco Systems Inc.
  Product Name..................................... Cisco Controller
  Product Version.................................. 7.6.130.0
  Bootloader Version............................... 1.0.20
  Field Recovery Image Version..................... 7.6.101.1
  Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
  Build Type....................................... DATA + WPS
  (Cisco Controller) >show radius summary
  Vendor Id Backward Compatibility................. Disabled
  Call Station Id Case............................. lower
  Acct Call Station Id Type........................ Mac Address
  Auth Call Station Id Type........................ Mac Address
  Aggressive Failover.............................. Enabled
  Keywrap.......................................... Disabled
  Fallback Test:
      Test Mode.................................... Off
      Probe User Name.............................. Radius_KeepAlive
      Interval (in seconds)........................ 300
  MAC Delimiter for Authentication Messages........ hyphen
  MAC Delimiter for Accounting Messages............ hyphen
  Authentication Servers
  Idx  Type      Server Address        Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
  1    NM    x.x.x.x              1645    Enabled   2     2         Disabled  Disabled - none/unknown/group-0/0 none/none
  2    NM  x.x.x.x               1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none <-- ISE
  3    NM    x.x.x.x             1645    Enabled   2     2         Disabled  Disabled - none/unknown/group-0/0 none/none
  4    NM    x.x.x.x               1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none <-- ISE
  Accounting Servers
  Idx  Type      Server Address        Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
  2      N    x.x.x.x               1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none
  3      N     x.x.x.x               1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none

• Can't Authenticate in LDAP directory after upgrade from 10.4.11 to 10.5.1

  Hi, all
  Yesterday I have tried to upgrade my Xserve Intel from 10.4.11 Tiger to 10.5.1 Leopard Server
  In my server there is this service:
  -AFP
  -DNS
  -SMB
  -Open Directory Master
  - XSAN Primary MDC
  All works fine but when I try to acces with worgroup manager to LDAP directory I can't authenticate with "diradmin" this thing appen in local machine and with remote worgroup manager connected to the server.
  I have tried with "root" user and I have been able to authenticate for some time, (5-15 min.) after It's impossible to access with all user.
  The client still authenticate with user and password in all computer with 10.5.1 and 10.4.11 workstation, but now i wan't to add some new users and I can't do That!!!!!
  So for now I have restore my old 10.4.11 Server Tiger, but I wish to know if someone have tried new 10.5.2 server upgrade and maybe there is some kind of fix to this problem.
  Thank's In Advance

  After posting on numerous message boards, and no one having an exact answer, but several making plenty of great suggestions, I think I've finally figured out the cause of this issue or at least part of the cause.
  Within 'Server Admin', select "Open Directory",
  under: Settings > Policy > Binding
  there are six check boxes under "Security"... for testing kerberos, I have been checking the first four boxes, which are:
  1. disable clear text passwords
  2. digitally sign all packets (requires Kerberos)
  3. encrypt all packets (requires ssl or kerberos)
  4. block man-in-the-middle attackes (requires kerberos)
  through troubleshooting this myself, and doing each change, followed by a server reboot, then immediately attempting to authenticate to /LDAPv3/127.0.0.1/, it seems that enabling some, or some combination of these Security settings triggers WordGroup Manager to not accept the diradmin password.
  referring to the numbers above (1 through 4)...
  2 or 4 by themselves fails
  1 and 3 together fails
  I haven't gone beyond that for testing and don't know what other combinations works or fails.
  I don't know if there is something beyond this that is specific to my configuration or environment that plays a part in this failing. All I know is that turning off all Security checkboxes in this section fixes the problem.
  I wonder if anyone who has never seen this problem can try this on their 10.5.2 Server and see if they are still able to authenticate as their diradmin to WGM. Regardless, seems that this is a WGM bug to me, right?
  if you are having this problem, uncheck all of these boxes and then reboot before trying to authenticate.