Authentication in LDAP

Similar Messages

• Error in authentication with ldap server with certificate

  Hi,
  i have a problem in authentication with ldap server with certificate.
  here i am using java API to authenticate.
  Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
  I issued the new certificate which is having the up to 5 years valid time.
  is java will authenticate up to one year only?
  Can any body help on this issue...
  Regards
  Ranga

  sorry i am gettting ythe same error
  javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
  here when i am using the old certificate and changing the system date means i can get the authentication.
  can you tell where we can concentrate and solve the issue..
  where is the issue
  1. need to check with the ldap server only
  2. problem in java code only.
  thanks in advance

• RSA authentication with LDAP group mapping

  Greetings,
  I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
  The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
  As far as I know, you can only use one LDAP configuration with RSA.
  Any thoughts on this?

  @Tarik
  I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
  I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
  Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
  I would still prefer to do this dynamically.
  Scott

• Shared Services External Authentication using LDAP in 9.3.1

  Hi,
  I have installed Hyperion Shared Services with native directory. And now planning to setup external authentication using LDAP. I need some guidance to understanding how the external authentication works.
  Questions:
  1. Is it possible to setup Shared Services to use both Native and LDAP user directory? What I mean is some users will be able to login using Native directory, and some others will need to login using User Directory (external authentication).
  2. For User Directory (say we use LDAP), when the user is added into Shared Services, can they be assigned with Groups created in Native directory? We want to explore to use just the external authentication and define all of the groups within shared services.
  If not possible, can we manage the Groups of the User directory using shared services? How is the groups work with external authentication?
  Any feedback would be much appreciated.
  Thanks,
  Lian

  Hi,
  Yes you can use both Native and external authentication. When you add the external provider the native is left by defaut anyway.
  Yes you can add your external users to native groups. You can also provision the groups in the AD if you wish.
  Gee

• SAP J2EE Engine -Config Tool authentication test(LDAP only)

  Hello. Can i know what causes the directory server authentication test(LDAP only) in the SAP J2EE Engine config Tool to fail to authenticate.
  Error message i got was: authentication failed: Unprocessed Continuation Reference(s).
  Please advise.

  Hi,
  what kind of directory server are you using?
  I'm not sure but it is possible that your ds uses referrals returns a referral to your client and the client does not follow them. Do you have any referrals configured?
  Cheers

• How can I implement Authentication in LDAP

  How can I implement Authentication in LDAP.

  Hi,
  If ur using JAAS, then use NTLoginModule in ur conf file and your own defined CallbackHandler for validating and obtaining the Subject (user connected to your domain).
  Remember the user is the one which the code obtains when u login to your Domain based machine.
  Apart from this, Apache Http Server also provides you with a popup window asking for the user's credentials when u set the SSPIDomain in the httpd.conf file.
  httpd.conf
  ========
  <Location /Seet/servlet/ >
  SSPIAuth On
  AllowOverride None
  Order allow,deny
  Allow from all
  AuthName "seet190 auth"
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative On
  require valid-user
  SSPIDomain seet190
  </Location>
  seet190 is the domain name
  Actually so far in the Security Forum, u might refer to some of the replies posted for more help but actual LDAP authentication can be done by passing the user's info too.
  HTH,
  Seetesh

• Authentication ACS LDAP PEAP ?

  Hello
  Could you tell me if its possible to do 802.1X authentication with LDAP server using PEAP MS-CHAP v2 (Machine autentication) ?
  in fact, with Windows external database, its work fine.
  We use only machine authentication with vlan assignement over PEAP.
  Another think, we wan't to use Mac authentication Bypass for printers or other laptop... but we wonder if it could be work with an external Windows database or LDAP ?
  Thanks for your help

  No this isnt possible as LDAP servers do not support MSCHAP v1 or v2.
  You'd need something that can carry a plain text password inside the EAP tunnel - like EAP-GTC

• APEX 3.2:  Switching between APEX authentication and LDAP?

  I'm building an APEX 3.2 application that has to be deployed automatically to the target environments (by executing the APEX export SQL in the relevant parsing schema).
  One problem is that different environments will have to use different authentication mechanisms:
  Development and System Test will use simple APEX authentication (i.e. APEX users).
  Acceptance Test and Production will use LDAP via OID for single sign-on.
  So how do I set the application up so that it can switch from APEX authentication to LDAP authentication if it is in the Acceptance Test or Production environments?
  My customers seem very reluctant to have a manual step in the process e.g. to switch the authentication scheme for the application after installation, so I need to find a way to do this automatically if possible.
  Any suggestions?
  Thanks.
  Chris

  Chris,
  We do something similar, in that we dynamically switch authentication based on the application you're trying to log in to. Basically, you need to set up a custom authentication procedure which checks which system you're in, and then validates the user appropriately.
  Does that help?
  -David

• ASA Remote Access Authentication with LDAP Server

  Thank you in advance for your help.
  I am configuring an ASA to authenticate with a ldap server for ipsec vpn access.  My customer has 3 networks that are to be accessed by remote users.  However they want to be able to say that one user can get to 2 of the networks and not the 3rd.  So basically they want control over what network behind the firewall each user can access.  This seems doable from my reading and I had planned to creating a group for each network that needs accessible and either do attribute maps to each group with a separate group created on the ldap server for authentication.  Basically a ldap group on the ldap server that will have the users name in the group in order for access.  I can restrict access via acl's or filtering to force my group to only be allowed access to a specific network.  Here is the problem I am having now.
  The ldap server has been created and seems to be working fine.  I have created my AAA groups and servers and I have done the ldap test with a test user vpntest and a password on the ldap server.  When I run the authentication test from the ADSM or command line I get a good authentication successful message.  So I configured a vpn client remotely and attempted to authenticate to this group and it says there is no user by that name.  Below is a paste of the debug.  The second part is when I did a successful test from the ASDM or CLI and it worked great.  The first part is when I attempted from the vpn client.  It all looks the same from the search criteria.  What am I missing here or does anyone more knowledgeable see anything that I am doing wrong.  Can this be done this way or should I try radius.  The customer was just adament about using ldap.
  extvpnasa5510#
  [243] Session Start
  [243] New request Session, context 0xd5713fe0, reqType = 1
  [243] Fiber started
  [243] Creating LDAP context with uri=ldaps://130.18.22.44:636
  [243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
  [243] supportedLDAPVersion: value = 2
  [243] supportedLDAPVersion: value = 3
  [243] No Login DN configured for server 130.18.22.44
  [243] Binding as administrator
  [243] Performing Simple authentication for  to 130.18.22.44
  [243] LDAP Search:
          Base DN = [ou=employees,o=msues]
          Filter  = [uid=vpntest]
          Scope   = [SUBTREE]
  [243] User DN = [uid=vpntest,ou=employees,o=msues]
  [243] Talking to iPlanet server 130.18.22.44
  [243] No results returned for iPlanet global password policy
  [243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
  [243] Session End
  extvpnasa5510#
  [244] Session Start
  [244] New request Session, context 0xd5713fe0, reqType = 1
  [244] Fiber started
  [244] Creating LDAP context with uri=ldaps://130.18.22.44:636
  [244] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
  [244] supportedLDAPVersion: value = 2
  [244] supportedLDAPVersion: value = 3
  [244] No Login DN configured for server 130.18.22.44
  [244] Binding as administrator
  [244] Performing Simple authentication for  to 130.18.22.44
  [244] LDAP Search:
          Base DN = [ou=employees,o=msues]
          Filter  = [uid=vpntest]
          Scope   = [SUBTREE]
  [244] User DN = [uid=vpntest,ou=employees,o=msues]
  [244] Talking to iPlanet server 130.18.22.44
  [244] Binding as user
  [244] Performing Simple authentication for vpntest to 130.18.22.44
  [244] Processing LDAP response for user vpntest
  [244] Authentication successful for vpntest to 130.18.22.44
  [244] Retrieved User Attributes:
  [244]   sn: value = test user
  [244]   givenName: value = vpn
  [244]   uid: value = vpntest
  [244]   cn: value = vpn test user
  [244]   objectClass: value = top
  [244]   objectClass: value = person
  [244]   objectClass: value = organizationalPerson
  [244]   objectClass: value = inetOrgPerson
  [244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
  [244] Session End

  Hi Larry,
  You can map AD group memberships to specific group policies on the ASA, you can find that configuration here:
  - http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
  Let me know if further assistance is required!
  Please proceed to rate and mark as correct the helpful Post!
  David Castro,
  Regards,

• PL SQL Web Service Authentication through LDAP

  I have created one PL SQL Web Service and I would like to provide token security through LDAP.
  I have configured LDAP for deployed webservice in oracle IAS 10.1.3 Service.
  Problem Description: <?xml version="1.0" encoding="UTF-8"?>
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://dbconnection1/MobileWebService.wsdl/types/"><env:Body><env:Fault><faultcode>env:MustUnderstand</faultcode><faultstring>SOAP must understand error: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security</faultstring></env:Fault></env:Body></env:Envelope>
  I have provided LDAP authentication through oracle iAS Setup.
  Please help

  Hi I am looking out for a good friend of mine, Rajeev Dave from Vijaywada, if your the one, please email me [email protected]
  thanks,

• Security Authentication in LDAP

  Hi Chris/Raj/All,
  We have one more generic issue. Please help us if possible.
  I am connecting to LDAP Server(Microsoft ADS) from my weblogic workshop 8.1.We are using DirContext and InitialDirContext(java api) Through the java program I am able to connect to the port 389 by means of simple security authentication.
  Our requirement is for SSL security authentication ie to connect ot port 636.
  From our side we have done the following
  1.We have installed the public certicate in the jre environment(lib/security in both the cacerts and jssecacerts)
  2.We have also installed the cetificate in the ADS Server and enabled the SSL.
  When we try to connect to port 636 with simple authentication we get Communication Exception
  When we try to connect to port 636 with ssl authentication we get AuthenticationNotSupportedException
  We also would like to know whether there is any Authentication Process like password encryption and so on.... to be followed.
  Thanks & Regards,
  Christoper.

  Hi Christoper,
  Based on your description, this seems to be more of a security related question than a workshop one.
  Please post to the security newsgroup at http://forums.bea.com/bea/category.jspa?categoryID=2011
  with information on service pack installed
  Thanks
  Raj

• External Authentication with LDAP

  Has anyone integrated external authentication of Essbase with LDAP? I've searched discussion groups, websites with no luck, and of course, Essbase documentation doesn't help either. Any additional documentation will help.Thanks in advance!

  Thanks for the info. Is this sample code part of the default implementation that comes installed with the product (essldap.dll)? Or is this something completely different.Also, has anyone done anything similar in visual basic? We have a shortage of v c++ skills around here.Thanks again!

• EP Sneak Preview - Moving from Portal Authentication to LDAP

  Has anyone used the EP sneak preview, configuring first against portal authentication alone and then moving users to LDAP and leaving just the roles in the portal db, without having disaster strike and have to reinstall, etc.?
  Thanks in advance.

  hi,
  according to the Quick Install Guide
  <i>(url: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/Quick%20Installation%20Guide%20for%20SAP%20NetWeaver%20EP%20on%20MaxDB,%20Developer%20Edition%20Sneak%20Preview.htm)</i>
  first i installed the latest JDK, which is 1.4.2_08
  manually i set the following environment variables (like i read a few threads before):
  CLASSPATH =
  %JAVA_HOME%lib;%JAVA_HOME%jrelib;
  JAVA_HOME = C:j2sdk1.4.2_08
  Path = %JAVA_HOME%bin;c:j2sdk1.4.2_08bin;c:j2sdk1.4.2_08jrebin;...
  when clicking sapinst.exe it says: <i>latest JRE 1.4.2 with latest Patch level could not be found.</i>
  then i checked startinstgui.bat and get the following error:
  the system cannot find the path.
  Starting SAPinst GUI with local Java Runtime
    Java Runtime found in JAVA_HOME environment variable
    Java path: C:j2sdk1.4.2_08binjava.exe
  a logon screen appears for sagui installation, which wants to logon to localhost and port 21212. this does not work as i have no webserver running...
  i am riding xp - maybe the whole thing really works only on win2000 or win server 2003?
  any comments apreciated.
  Matthias

• ACS 5.1---AD Authentication VS LDAP

  Any help on this subject would be great
  I can manage to get my account logging into the cisco switch throught the Active Directory setup in external Idenity stores but not my LDAP setup here are some logs from the successful log in and unsuccessful log in with ldap.
  AD-SETUP
  Selected Identity Store - AD1
  Current Identity Store does not support the authentication method; Skipping it.
  TACACS+ will use the password prompt from global TACACS+ configuration.
  Returned TACACS+ Authentication Reply
  Received TACACS+ Authentication CONTINUE Request
  Using previously selected Access Service
  Identity Policy was evaluated before; Identity Sequence continuing
  Authenticating user against Active Directory
  User's Groups retrieval from Active Directory succeeded
  User authentication against Active Directory succeeded
  Authentication Passed
  Access Policy
  Access Service:
  Default Device Admin
  Identity Store:
  AD1
  Selected Shell Profile:
  Privilege Mode
  Active Directory Domain:
  Blah.com
  Identity Group:
  Access Service Selection Matched Rule :
  Rule-2
  Identity Policy Matched Rule:
  Default
  Selected Identity Stores:
  AD1
  Query Identity Stores:
  Selected Query Identity Stores:
  Group Mapping Policy Matched Rule:
  Authorization Policy Matched Rule:
  Rule-1
  The only issue with this setup is that i can only add the domain example blah.com and i get massive latency occuring since the authentication process goes over state to other domain controllers instead of the local ones.
  I can tell from the AAA STATUS in monitoring DASHBOARD cause the Latency is around 8000ms, and the slow log in on the switch.
  LDAP-SETUP
  In my LDAP setup i point a primary and secondary hostname closer to home to avoid latency i do a bind test which returns successful on both hosts. Setup my directory Orgainzation Tab and do a test configuration get a return of Group > 100 Subject >100.
  I reset my indenities stores to LDAP instead of AD and try again, but for some reason i get error 22056 subject not found! i just can't work this out here are the details
  Matched rule
  Selected Access Service - Default Device Admin
  Evaluating Identity Policy
  Matched Default Rule
  Selected Identity Store -
  Current Identity Store does not support the authentication method; Skipping it.
  TACACS+ will use the password prompt from global TACACS+ configuration.
  Returned TACACS+ Authentication Reply
  Received TACACS+ Authentication CONTINUE Request
  Using previously selected Access Service
  Identity Policy was evaluated before; Identity Sequence continuing
  Sending request to primary LDAP server
  Authenticating user against LDAP Server
  User search ended with an error
  Primary server failover. Switching to secondary server
  Sending request to secondary LDAP server
  Authenticating user against LDAP Server
  User not found in LDAP Server
  Subject not found in the applicable identity store(s).
  The advanced option that is configured for an unknown user is used.
  The 'Reject' advanced option is configured in case of a failed authentication request.
  Returned TACACS+ Authentication Reply
  Is there any ideas what i can try so it can find my account like the AD structure did? ideas please?
  cheers

  Hi JG,
  Thanks for replying to my post, I am currently using Softerra LDAP adminsitrator software to verify the base DN structure. I now run the test configuration button and i get a return of 1 Group and 1 subject which is correct for the settings i have choosen.
  So LDAP is now seeing my group and seeing my AD user but i still have the same problem when trying to log into my network device. The user is not found?
  can you help with anything else i might need to check JG this is driving me and everyone else in the office up the wall   let me know if you would like some screenshots.
  Regards
  Ed 

• Cisco ISE 1.1.2.145 Admin Authentication using LDAP

  I have configured the LDAP and able to retrive our LDAP directory structure. Now, I am trying to point the 'Admin Access' authentication to "External Identity" Source which is the new LDAP IS I created. But I couldn't find an option to authenticate locally if for any reason the LDAP configuration doesn't work. I learnt that ISE can automatically revert to local auth provided the External Idenitity sources are unreachable. How can I test the LDAP authentication with out breaking our Admin Access? I thought of opening two parallel sessions, one with Super Admin Local Account and the other with Domain account. But I noticed that ISE communication is smart enough to logoff/login any other sessions in different browsers so basically I can't open two parallel sessions from same machine to do the tests. Suggestions? or Am I missing something here?
  Many thanks in advance.

  Hi Srinivas,
  Even if you set up LDAP as an External Identity source for admin access, you can still fallback to Internal without getting locked out. As per the ISE user guide :
  During operation, Cisco ISE is designed to "fall  back" and attempt to perform authentication from the internal identity  database, if communication with the external identity store has not been  established or if it fails. In addition, whenever an administrator for  whom you have set up external authentication launches a browser and  initiates a login session, the administrator still has the option to  request authentication via the Cisco ISE local database by choosing  "Internal" from the Identity Store drop-down selector in the login dialog.
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_identities.html#wp1351543
  Please refer to the attached screenshot from my lab ISE:
  I have configured admin authentication against AD, but I still see both "Internal" and "AD" at the time of login.
  Hope this helps.
  Thanks,
  Aastha