Authenticating a User against UNIX LDAP

Similar Messages

• Authentication against a LDAP

  All,
  We have a requirement where in we want to validate a user against the LDAP of our organisation.
  We wil like to build a simple JSP page.
  Questions that come to my mind is
  1> Can we create a Portal application that wil not ask for a Portal authentication and directly point to the JSP stored in a web application or a portal application?
  2> How complex is it to validate a user gainst an LDAP?
  3> After successful validation we will like the aplication to trigger an RFC is this possible?
  Thanks and Regards
  Pradeep Bhojak

  Pradeep,
  you have to create your own LogonModule to achieve your requirements (not only a jsp page). But on the other hand, why don't you configure your Portal UME to the LDAP anyway?
  kr, achim

• How to authenticate CXF-Webservice against external LDAP in WebLogic?

  Hi there,
  I'm trying to integrate our Camel-application into WebLogic 12c. All the incoming endpoints are CXF-based webservices. These are secured by "UsernameToken Timestamp" with the WSS4JInInterceptor configured like this:
  <bean id="wss4jInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <constructor-arg>
                 <map>
                      <entry key="action" value="UsernameToken Timestamp" />
                      <entry key="passwordType" value="PasswordDigest" />
                      <entry key="passwordCallbackClass"
                           value="de.mycompany.camel.cxf.UserTokenCallbackHandler" />
                 </map>
            </constructor-arg>     
  </bean>
  My problem is: WSS4JInInterceptor expects the UserTokenCallbackHandler to return the password of the user delivered in the header <wsse:Username>. Is there any way to retrieve this from an external LDAP configured in WebLogic? I've already managed to retrieve the users, groups etc with JMX (javax.management.MBeanServerConnection and weblogic.security.providers.authentication.LDAPAuthenticatorMBean), but I can't figure out how to authenticate the user against the LDAP, i. e. retrieve the password.
  Or am I heading in a completely wrong direction and this is not the way to achieve authentication for CXF-Webservices in WebLogic?
  Please give me a hint (code-snippets preferred ;-) ) how to solve this.
  Regards,
  Frank

  I have run into the exact same situation ? Did you ever get around this ? If so, how ? Please let me know.

• Authentication against both LDAP and BI repository

  I have a lot of user who are authenticated against LDAP. I need add few users who aren't exist in LDAP. I can create user in BI repository and if this user is in an Administrator group he is able to log in. But if this user isn't in an Administrator group he get error "Succesfull execution of intitializtion block LDAP is required". Is there any way how to authenticate users agains both LDAP and BI repository?

  Hi,
  why dont you create a group in ldap and add the correspondng users to that group.
  You can configure the LDAP server with that group and try...
  Hope it works...
  Regards
  Venkat

• Windows users authenticating in OID in Unix

  Hi !!!
  I am newbie with LDAP and OID, so If anyone can help me...
  I have a Computer Associates Aplication which authenticate users against LDAP server but this application is installed in a Windows 2003 Server.
  This application already query OID sucessfuly, because this application simply point to OID server through it´s configuration.
  My problem is for authenticate users against OID because in Computer Associates Application does not have any configuration to tell authentication server.
  What I must configure to tell the Computer Associates Application, or Windows 2003 server to authenticate the users in OID instead locally??

  Hi !!!
  I am newbie with LDAP and OID, so If anyone can help me...
  I have a Computer Associates Aplication which authenticate users against LDAP server but this application is installed in a Windows 2003 Server.
  This application already query OID sucessfuly, because this application simply point to OID server through it´s configuration.
  My problem is for authenticate users against OID because in Computer Associates Application does not have any configuration to tell authentication server.
  What I must configure to tell the Computer Associates Application, or Windows 2003 server to authenticate the users in OID instead locally??

• ACS cannot Authenticate Aironet Users against Exernal DB (LDAP)

  ACS cannot Authenticate Aironet Users against Exernal DB (LDAP)
  Can anyone point me to a technical explanation of why this is true?
  All I have found so far is one small note in a help file and something that might be related under EAP-FAST explanation.
  I have posed this question to our Cisco account team but no response yet.
  Just need to have a good explanation when explaining to mgmt why we need to have a special setup for WLAN users.

  Hmmm....you should be getting more than that from debug radius and debug aaa authen if your AP is truly attempting EAP authentication. The debugs I generally use for this are 'debug aaa authen', 'debug radius', and 'debug dot11 aaa dot1x all' coupled with gathering the detailed support logs from ACS. A warning about 'debug dot11 aaa dot1x all'....it is VERY verbose and cryptic if you don't have alot of experience looking at it so it may be best to open up a TAC case. With these debugs turned on, you should see an EAPOL logon show up from the client (usually says 'received EAPOL packet...') and then a request for identity from the switch and a response from the client with a username and password. Then a series of RADIUS challenge/response packets will be passed which consists of the server cert being passed to the client for validation and then the client sending the username and password to the server. Then you will finally get an access-reject or access-accept packet from the RADIUS server. The failed and passed attempts logs in ACS can also provide good info as to what the source of the failure may be. Do you get any passed or failed attempts for these authentications?

• LDAP Authentication Failed :user is not a member in any of the mapped group

  Hi,
  I tried to set up the LDAP Authentication but I failed.
  LDAP Server Configuration Summary seems to be well filled.
  I managed to add a Mapped LDAP member Group: This group appears correctly in the Group list. 
  But itu2019s impossible to create a User. Although this user is a member of the mapped group (checked with LDAP Brower) , an error message is displayed when I tried to create it (There was an error while writing data back to the server: Creation of the user User cannot complete because the user is not a member in any of the mapped groups)
  LDAP Hosts: ldapserverip:389
  LDAP Server Type: Custom
  Base LDAP Distinguished Name: dc=vds,dc=enterprise
  LDAP Server Administration Distinguished Name: CN=myAdminUser,OU=System Accounts,OU=ZZ Group Global,ou=domain1,dc=vds,dc=enterprise
  LDAP Referral Distinguished Name:
  Maximum Referral Hops: 0
  SSL Type: Basic (no SSL)
  Single Sign On Type: None
  CMS Log :
  trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
  trace message: LDAP: LdapQueryForEntries: QUERY base: dc=vds, dc=enterprise, scope: 2, filter: (samaccountname=KR50162), attribute: dn objectclass
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 2453 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
  trace message: GetParents from plugin for cn=huh\,chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise.
  trace message: LDAP: De-activating query cache
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
  trace message: LDAP: query for DSE root returned 89
  trace message: LdapQueryForEntries: incr. retries to 1
  trace message: LDAP: Updating the graph
  trace message: LDAP: Starting Graph Update...
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
  trace message: LDAP: query for DSE root returned 89
  trace message: LdapQueryForEntries: incr. retries to 1
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
  assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
  trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
  trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (&(cn=gp-asia)(objectclass=group)(member=cn=huh
  , chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise)), attribute: objectclass
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
  assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
  trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
  trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (cn=gp-asia), attribute: member objectclass samaccountname cn
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 3109 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
  trace message: LDAP: query for DSE root returned 0
  trace message: Failed to commit user 'KR50162'. Reason: user is not a member in any of the mapped groups.
  trace message: [UID=0;USID=0;ID=79243] Update object in database failed
  trace message: Commit failed.+
  Can you please help?
  Joffrey

  Please do this after you verify all permission settings for all the groups the account is associated with. Also, make sure you check the NTFS folder permissions before doing this as well.
  Since the same result happens on multiple computers, it is not the profile.
  I am recommending you delete the AD account (or rename to backup the account).
  It will not effect the users Exchange account, but you will need to link it back to the new AD user account. 
  You can also delete her profile just to remove it, for the "just in case" scenario.
  Don't forget to mark the post that solved your issue as &quot;Answered.&quot; By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional

• Check_ntlm_password:  Authentication for user ['name'] - ['name'] FAILED with error NT_STATUS_LOGON_FAILURE

  Hi,
  We are running a Mountain Lion Server with Open Directory / LDAPv3, as far as I can tell.  My responsibility is to get my CentOS 6.3 box running Samba v. 3.5.10-125.el6 to authenticate users against the ML / OD box.  I can ssh to the CentOS box OK and I can get Guest access to the Samba share to go OK too.  Also, the OD passwords on the LDAP server are set to 'Open Directory' so I guess that means that they are encrypted and the Samba server is set to send encrypted passwords.  But when a user tries to properly authenticate using either say via a Mac client Finder [Command-K], or smbclient, the Samba server will generate this message:
  check_ntlm_password:  Authentication for user ['name'] -> ['name'] FAILED with error NT_STATUS_LOGON_FAILURE
  (I am blanking out the user name on purpose).
  Of course there is more to the story, but those are the basics.
  Here are the relevant parts of my smb.conf.  FWIW, the CentOS / Samba box is called Jupiter.
  Thank you,
  NickZ
  [smb.conf]
  [global]
            display charset = UTF-8
            realm = SATURN.MCLEAN.HARVARD.EDU
            netbios aliases = ANL
            server string = Welcome To The Jupiter Samba Server Version 3.5.10-125.el6
            interfaces = lo, em1
            security = SERVER
            update encrypted = Yes
            password server = saturn.mclean.harvard.edu
            smb passwd file = /var/lib/samba/private/secrets.tdb
            passdb backend = ldapsam:ldap://saturn.mclean.harvard.edu
            passwd program = /usr/bin/passwd %u
            unix password sync = Yes
            lanman auth = Yes
            client NTLMv2 auth = Yes
            client use spnego principal = Yes
            kerberos method = system keytab
            log level = 2
            syslog = 3
            log file = /var/log/samba/log.%m
            max log size = 50
            name resolve order = host lmhosts wins bcast
            server signing = auto
            preferred master = Auto
            ldap admin dn = uid=DirAdmin,cn=users,dc=saturn,dc=mclean,dc=harvard,dc=edu
            ldap group suffix = cn=groups
            ldap passwd sync = yes
            ldap suffix = dc=saturn,dc=mclean,dc=harvard,dc=edu
            ldap ssl = no
            ldap user suffix = cn=users
            usershare allow guests = Yes
            idmap backend = ldap:ldap://saturn.mclean.harvard.edu
            idmap uid = 10000-20000
            idmap gid = 30000-40000
            cups options = raw
  [homes]
            comment = Home Directories
            read only = No
  [printers]
            comment = All Printers
            path = /var/spool/samba
            printable = Yes
            browseable = No
  [anl]
            comment = Main ANL Share
            path = /anl
            read only = No
            guest ok = Yes
            hide dot files = No

  Turns out a printer driver installed on an XP (even W2K(?)) was (apparently?) flooding the OS X SMB server to the point of collapse. Uninstalling the "HP Tools" part of the driver cleared it up. The printer is an HP LJ1300. I had downloaded the full driver from HP.com. I don't know if any/all these conditions need to be matched, but: the printer was on the network using an HP print server JetDirect EX Plus, and the computer(s) in question were connecting directly to it (not via a print server). It's been too long ago, but there were always several errors in the System Log (Win XP Event Viewer) that correlated with the errors on the OS X server.
  Proud to say that since that day (10+ months ago) I've not seen it happen again. whew.

• OAM 11gR2 Authentication using username/password/additional ldap field

  I want to add additional credential parameter along with username and password to be validated against LDAP.
  Is there any out of the box solution for authentication using username/password/additional ldap field in OAM 11gR2?
  This solutions exist in 10g and could not find any OOB feature in 11g.

  Do you need to accept additional parameter from user via login form & then use it in credential mapping step
  Not sure if %% syntax would work .. havent tried it. next option is to develop custom authentication plugin
  Additional ldap attribute against static value
  If you need to add additional ldap attribute (check against static value) that you can specify in LDAP search filter in "User Identification plugin" configuration
  Take a look at "MTLDAPPlugin" under custom authentication modules
  Hope this helps

• Java.lang.SecurityException: Authentication for user test1 denied in realm wl_realm

  Environment: WLS61 SP2
  Two WLS61 servers on different machines. User test1 is authenticated against LDAP
  on server_1, then tries
  to execute a class (from JSP) that calls EJB on server_2. The environment properties
  for the call to EJB on server_2 to are setup as follows (Note that user test2 is
  used to call EJB on server_2. User test2 exists in the wl_realm on server2):
  env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
  env.put(Context.PROVIDER_URL, "t3://server2:7001");
  env.put(Context.SECURITY_AUTHENTICATION, "simple");
  env.put(Context.SECURITY_PRINCIPAL, "test2");
  env.put(Context.SECURITY_CREDENTIALS, "somepass");
  The call results in the following exception raised on server_2. Why is test1 id used
  if test2 is explicitly specified for the call? User test1 does not exist on server_2.
  <Jul 13, 2002 11:37:31 AM EDT> <Warning> <Dispatcher> <RuntimeException thrown by
  rmi server: 'weblo
  gic.rmi.cluster.ClusterableServerRef@111 - jvmid: '4783591120128354231S:xxx.xxx.xxx.xxx:[7001,7001,7002,7
  002,7001,7002,-1]:mydomain:myserver', oid: '271', implementation: '[BaseEJBObject]
  home: c
  om.test.TestEJB_jvjalv_HomeImpl@7583b9''
  java.lang.SecurityException: Authentication for user test1 denied in realm wl_realm
  at weblogic.security.acl.Realm.authenticate(Realm.java:212)
  at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
  at weblogic.security.acl.internal.Security.authenticate(Security.java:125)
  at weblogic.security.acl.internal.Security.verify(Security.java:87)
  at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:237)
  at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:22)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)

  If you are using JNDI authentication, make sure you close the context before
  you get another context.
  In WLS, stack of authenticated users will be maintained per thread. Now when
  user is authenticated, it will be pushed into the stack. When you close the
  context it will be popped out. In your case it seems like somehow test1 user's
  idenitity is set on the thread which is calling the EJB on server2.
  use weblogic.security.acl.Security.getCurrentUser() to get the current
  user associated with the thread.
  I hope this helps.
  -utpal

• Have OAM authenticate/authorize users against diff dir servers

  Hi folks,
  Is there a way to have OAM authenticate/authorize users against diff dir server under single OAM instance?
  We have standalone OAM 10_1_4_3_0 w OHS11g installed on linux and connected to a particular directory server (sun ldap). We also have an OAM-protected app which authenticate/authorizes users against the same dir server. Can we somehow configure rules/policies/etc, so that users accessing app B will be authenticated/authorized against dir server B; users accessing app C will be authenticated/authorized against dir server c; etc, without having multiple OAM instances?
  Any help is greatly appreciated
  Thank you, Roman

  OVD will not be able to figure out what directory servers its getting authenticated to. OVD is a virtual directory server which can talk to different data sources and fetch a match according to the request.
  For instance, if OVD is configured to AD, SunOne LDAP, OID and Oracle DB. When you call OVD for authentication, it will make a call to all the data sources (AD/OID/LDAP/DB) and gets a match and provides to OAM. If you have 2 Auth modules one with Sun LDAP and other with Oracle DB, OVD will not remember to which data source it should make a call. All it does is dynamically makes calls to all the configured data source and gets a matching results.
  To tell you in more detail - Consider App A is configured to authenticate against SunOne LDAP and App B is configured to get authenticate against Oracle DB. When user tries to login to App A; OAM makes a call to OVD and OVD [OVD don't have capability of maintaining the info of users and where they reside] will make a call to both SunOne LDAP and Oracle DB and when SunOne returns a matching record, OVD sends the authentication info to OAM.
  For better results, try to maintain the same set of schema across all your data sources.

• Discoverer against Open-LDAP

  Did anyone have experience of using Discoverer against Open-Ldap? We are using discoverer in non-apps mode and dont want to create 300db user's. Our current application uses Open-Ldap and we want to make use of it for Discoverer authentication. Any ideas?
  Thanks

  Thanks Rod for the metalink documents.
  I'd tried using eul_trigger$post_login using a similar function as indicated in the article you refer before posting my question but it didn't work - may be because i was not paying attention to upper/lower case.
  But, after reading the article 372067.1 and following the exact instructions I still can't make it work. Not even with Discoverer desktop while logged in as EUL owner.
  Here is the function I created:
  CREATE OR REPLACE FUNCTION EUL_TRIGGER$POST_LOGIN RETURN NUMBER IS
  BEGIN
  insert into my_eul.test_logon values (sysdate);
  commit;
  RETURN 0;
  END EUL_TRIGGER$POST_LOGIN;
  Some values for this registered function from EUL5_FUNCTIONS metadata table are:
  FUN_NAME: eul_trigger$post_login
  FUN_DEVELOPE_KEY: EUL_TRIGGERPOST_LOGIN
  FUN_FUNCTION_TYPE: 8
  FUN_HIDDEN: 0
  FUN_DATE_TYPE: 2
  FUN_AVAILABLE: 1
  FUN_MAXIMUM_ARGS: 0
  FUN_EXT_NAME: EUL_TRIGGER$POST_LOGIN
  FUN_EXT_OWNER: MY_EUL
  Any thing seems missing/incorrect?
  I am not 100% sure about EnableTrigger preferences. My pref.txt does not have an entry for EnableTriggers and according to Configuration Guide you should not add an entry if not present because by default triggers are enabled. But, since the trigger was not firing I also tried adding the line and applied preferences using the applypreferences.bat but it didn't work.
  To make it work with Discoverer Desktop I tried updating the registry to add entry for EnableTrigger registry entry, but no successs (Finally I removed all changes to registry and preferences).
  Now I am clueless why the trigger is not working. Any help would be appreciated.
  Using Discoverer 10G R1 (9.0.4)
  thanks
  Message was edited by:
  user552591

• Authenticating a user or getting a user's password

  I'm using Weblogic server 7.
  I need to authenticate a user against a domain: establish whether the user
  exists and if so, verify his password.
  Code samples would be most welcome.

  "Yonatan Taub" <[email protected]> wrote in message
  news:[email protected]..
  I'm using Weblogic server 7.
  I need to authenticate a user against a domain: establish whether the user
  exists and if so, verify his password.
  Code samples would be most welcome.
  You can use the login method .
  http://e-docs.bea.com/wls/docs81/javadocs/weblogic/security/services/Authent
  ication.html

• How to check a list of users against AD if they exist

  Hi Scripting Guys,
  I have a powershell script that allows me to query a list of users against AD, and if they exist, it will write their details into a new file.
  I want to adapt this script so that it will still do the same, but if the user does NOT exist anymore, write a line such as "<User-ID> does not exist in AD".
  Here's the code I have so far:
  Import-Module ActiveDirectory
  $UserList = get-content C:\temp\checkAD\Accounts.txt
  Foreach ($Item in $UserList) {
  Get-aduser -filter {samAccountName -eq $Item} | Out-File C:\temp\checkAD\existingAccounts.txt -encoding default -append
  Does anybody know how to achieve that?
  Thanks and best regards,
  Cap'

  Function LDAP_query{
  param
  [Parameter( Mandatory=$true )][String[]]$cID
  # change the DCs to your domain information
  $root = [ADSI]"GC://dc=$($cID[0]),dc=company,dc=com"
  $searcher = new-object System.DirectoryServices.DirectorySearcher($root)
  $searcher.filter = "(sAMAccountName=$($cID[1]))"
  #running LDAP query
  $cAcc = $searcher.findall()
  if($cAcc.Count -ne 0){
  return ($cAcc[0].Properties["samaccountname"][0])
  else{
  Write-Host -BackgroundColor Black -ForegroundColor Red "Error with account:" -NoNewline
  Write-Host " $($cID[0])\$($cID[1])"
  return ""
  The function is waiting for a string array: [domain][user id]
  Return the string of the User ID if valid, return an empty string if not a valid ID

• R/3 users Authntication to LDAP?

  Hello,
  I have configured the LDAP Conenctor using Tx LDAP from R/3 4.7 running on AIX Server to MS-ADS LDAP Server.
  After making all the settigns i have run the report RSLDAPSYNC_USER for synchronizing the users between R/3 amd LDAP.
  Then the Users available in LDAP are getting Updated and Created in R/3, but the users in R/3 are not getting created. Its giving the LDAP_CREATE Failed, Restriction Violated For this I have posted in the previous thread.
  I want to know some of my assumptions are correct / wrong.
  1. If we do all these settings, when the User try to login he will be authenticated to LDAP?
  2. In MS-ADS the password length is more than 8 char we can have, but in SAP its 8 char, do we need to increase this field length.
  3. Or if the user changes the password in MS-ADS, do we need to run the synchronization again.
  4. We are assuming that if the LDAP configuration is finished then the users are not required to maintain or change their passwords in R/3 instead they can use the MS-ADS password and changes also in MS-ADS. Is this assumption right?
  Please Sugegst me.
  I am still investigating for the sync from R/3 to LDAP.
  The User available in LDAP is created in R/3 but there is no password allocated for him. Do i need to mention the password attribute also in the mapping, if so can any one please let me know the attribute and corresponding filed of R/3.
  Thanks & Regards
  Sumanth
  [email protected]

  Hi Prakas,
  I Logged the OSS Message for Checking the Issues of Authentication to LDAP from SAP R/3.
  Please find the Below Clarifications and SAP Replies along with the SAP Notes.
  Questions Posted in OSS Message:
  We need to get confirmation that, is this LDAP is for Authenticating like EP or only for Having the Sync Data between both systems?
  Secondly when the Users are getting created in Active Directory, they are in Deactivate Mode, To make it automatically aactive do we need to set any settings in R/3 or Directory, for this we searched the Notes and Documentation, but could not succeeded.
  Please Suggest. Our main concern is can we achieve the Authentication From LDAP as like in EP -> LDAP in this R/3 or not? The Users are expecting to do authentication, instead to maintain the passwords at different
  places.
  Replies from SAP
  - login in this manner is not possible, see note 603208
  - syncing the password is also not possible.
  - in general, please read note 448360 about features provided in the
  LDAP area.
  0000448360  Requests in the LDAP environment (directory integration) 
  0000603208  Passwords during the LDAP user master synchronization 
  But, I think we can achieve Authentication in Another Way, NTLM Authentication, For this You Need to Do SAP GUI Client Maintenance Also.
  I am in Collection of More DEtails in this Area. Once I get all info and procedure i will update you.
  Regards
  Sumanth