Authentication via server running OpenLDAP

Client: OSX 10.5.6
Server: ubuntu-server 8.04 running slapd (no TLS)
I am posting here as a last resort and after a week of frustration. I am not able to log in as any LDAP user. I have configured LDAPv3 on Leopard via Directory Utility. I can successfully contact the LDAP server, the proof is below. I am using SSH to test logging in. I am able to switch to the user by doing "sudo su elvis," which hardly matters because it wouldn't ask for a password anyway, but I just thought I would mention that for further proof that communication with the LDAP server is at least somewhat working.
$ sudo tail -f -n 0 /var/log/secure.log
Feb 19 22:53:49 iMac com.apple.SecurityServer[21]: checkpw() returned -2; failed to authenticate user elvis (uid 1002).
Feb 19 22:53:49: --- last message repeated 1 time ---
Feb 19 22:53:49 iMac com.apple.SecurityServer[21]: Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Feb 19 22:53:49 iMac sshd[2470]: error: PAM: Authentication failure for elvis from XXXXXXXXXXXXXXX
$ finger elvis
Login: elvis Name: Elvis Presley
Directory: /home/elvis Shell: /bin/bash
Never logged in.
No Mail.
No Plan.
$ sudo su elvis
bash: /home/elvis/.bashrc: Input/output error
bash-3.2$ whoami
elvis
$ ldapsearch -x -h u-god -b "uid=elvis,dc=mydomain,dc=com"
# extended LDIF
# LDAPv3
# base <uid=elvis,dc=mydomain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# elvis, mydomain.com
dn: uid=elvis,dc=mydomain,dc=com
authAuthority: ;basic;
uid: elvis
cn: Elvis Presley
homeDirectory: /home/elvis
uidNumber: 1002
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: apple-user
gidNumber: 100
gecos: Elvis Presley
sn: Elvis Presley
loginShell: /bin/bash
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

ttt

Similar Messages

Is iPlanet Web Proxy Server support OpenLdap authentication ?

Do you know Is iPlanet Web Proxy Server support OpenLdap authentication ?
Thanks
Regards,

Hi
This as per the HTTP/1.1 RFC (RFC2616)
The Connection general-header field allows the sender to specify options that are desired for that particular connection and MUST NOT be communicated by proxies over further connections.
The Connection header has the following grammar:
Connection = "Connection" ":" 1#(connection-token)
connection-token = token
HTTP/1.1 proxies MUST parse the Connection header field before a message is forwarded and, for each connection-token in this field, remove any header field(s) from the message with the same name as the connection-token. Connection options are signaled by the presence of a connection-token in the Connection header field, not by any corresponding additional header field(s), since the additional header field may not be sent if there are no parameters associated with that connection option.
Read the following at
http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html#sec8.1.3
and
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.10
Regards
Nagendra HK

Cisco Prime Infrastructure 2.1 GUI authentication via RADIUS server (Cisco ISE 1.2 integrated with AD)

Hi,
I want to access Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as RADIUS client and configured the same keys. Next, on ISE I created authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
My authentication and authorization rules relating that case are as on following screenshots:
So when I open GUI of PI and enter my AD credentials to log in I have no success and I receive following message:
Looking in ISE's Authentication section I can see following:
Time difference between these two authentication/authorizations is just 25 msecs and clicking on each of them reveals following:
So at first I can authenticate and authorize (authorization profile has necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I am getting failure. So what could be cause of such things and how I can successfully log in to PI GUI authenticating via ISE using AD credentials?

Hi,
-- Please Go to Administration > Logging > set the Message level to TRACE > Click save
-- Then try to add the ISE.
-- Once it fails, collect the logs from Administration > Logging >
check the "ncs-0-0.log" & search the file for "ERROR" & paste the results here. This will give us exact reason.
- Ashok
Please rate the post or mark as correct answer as it will help others looking for similar information

NAC authentication via Windows AD

Hi,
we have a Nac enviroment with users that are defined on the ACS. Also the groups are defined on this machine.
The problem is that we have to move all the users from the ACS to the domain controller, so all the users will become AD users.
In which way we have to configure the NAC enviroment to permit the authentication via Active Directory instead of Radius that runs on the ACS?
Thanks a lot!
Leonardo

You have to create a map rule if you have two or
more Roles authenticating in the same LDAP Auth Server
and not if you have two or more auth servers
If the users authenticating today in Radius Server ACS is associated with a single Role XYZ, then you can configure the LDAP Server linking users to the same Role XYZ.
You will have two providers for the same Role.

Problem getting an LDAPContext after authenticating via Kerberos

Hi,
I am trying to create a Java program that can query an Active Directory server using the currenlty logged in Windows user's credentials to authenticate via LDAP.
I am getting the following error in my output when trying to create the LdapContext object.
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
The full output is as follows
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
KinitOptions cache name is C:\Documents and Settings\Administrator.THALES-3D8PWWDM\krb5cc_AdministratorAcquire default native Credentials
Obtained TGT from LSA: Credentials:
[email protected]
server=krbtgt/[email protected]
authTime=20090618162927Z
startTime=20090618162927Z
endTime=20090619022927Z
renewTill=20090625162927Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 23
Principal is [email protected]
Commit Succeeded
Subject:
 Principal: [email protected]
 Private Credential: Ticket (hex) =
0000: 61 82 03 BC 30 82 03 B8 A0 03 02 01 05 A1 0A 1B a...0...........
<REMOVED>4 8A 8C BE 6B FD 65 5D 2F .R..t#@d...k.e]/
Client Principal = [email protected]
Server Principal = krbtgt/[email protected]
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: C0 62 F6 3F 5C 29 F4 7B C1 FC AB A0 77 D1 E7 E0 .b.?\)......w...
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket true
Initial Ticket true
Auth Time = Thu Jun 18 17:29:27 BST 2009
Start Time = Thu Jun 18 17:29:27 BST 2009
End Time = Fri Jun 19 03:29:27 BST 2009
Renew Till = Thu Jun 25 17:29:27 BST 2009
Client Addresses Null
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Jun 19 03:29:27 BST 2009
KinitOptions cache name is C:\Documents and Settings\Administrator.THALES-3D8PWWDM\krb5cc_AdministratorAcquire default native Credentials
Obtained TGT from LSA: Credentials:
[email protected]
server=krbtgt/[email protected]
authTime=20090618162927Z
startTime=20090618162927Z
endTime=20090619022927Z
renewTill=20090625162927Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 23
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Jun 19 03:29:27 BST 2009
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
 at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
 at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
 at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
 at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
 at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
 at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
 at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
 at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
 at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
 at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
 at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
 at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
 at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
 at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
 at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
 at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
 at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
 at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
 at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
 at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
 at javax.naming.InitialContext.init(Unknown Source)
 at javax.naming.InitialContext.<init>(Unknown Source)
 at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
 at com.thalesgroup.planit.ldap.LDAPAction.performLDAPOperation(Main.java:87)
 at com.thalesgroup.planit.ldap.LDAPAction.run(Main.java:66)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.Subject.doAs(Unknown Source)
 at com.thalesgroup.planit.ldap.Main.main(Main.java:46)
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate I am running this using the following VM arguments
-Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=true
Finally my jaas config file is as follows
fsta {
 com.sun.security.auth.module.Krb5LoginModule required
debug=true client=false useTicketCache=true;
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};I am running this locally on the AD server (running Windows Server 2003).
Does anybody know how I can get rid of the exception and create an authenticated LdapContext?
Any suggestions would be greatly appreciated.
Thanks
Graeme

My java source is as follows (its a modified example I found online)
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;
public class Main {
 public static void main(String[] args) {
 java.util.Properties p = new java.util.Properties(System.getProperties());
 p.setProperty("java.security.krb5.realm", "fsta.com");
 p.setProperty("java.security.krb5.kdc", "192.168.1.10");
 p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
 System.setProperties(p);
 // 1. Log in (to Kerberos)
 LoginContext lc = null;
 try {
 lc = new LoginContext("fsta", new TextCallbackHandler());
 // Attempt authentication
 lc.login();
 } catch (LoginException le) {
 System.err.println("Authentication attempt failed" + le);
 System.exit(-1);
 Subject subject = lc.getSubject();
 System.out.println(subject.toString());
 // 2. Perform JNDI work as logged in subject
 Subject.doAs(subject, new LDAPAction(args));
 // 3. Perform LDAP Action
 * The application must supply a PrivilegedAction that is to be run
 * inside a Subject.doAs() or Subject.doAsPrivileged().
 class LDAPAction implements java.security.PrivilegedAction {
 private String[] args;
 private static String[] sAttrIDs;
 private static String sUserAccount = new String("Administrator");
 public LDAPAction(String[] origArgs) {
 this.args = origArgs.clone();
 public Object run() {
 performLDAPOperation(args);
 return null;
 private static void performLDAPOperation(String[] args) {
 // Set up environment for creating initial context
 Hashtable env = new Hashtable(11);
 env.put(Context.INITIAL_CONTEXT_FACTORY,
 "com.sun.jndi.ldap.LdapCtxFactory");
 // Must use fully qualified hostname
 env.put(Context.PROVIDER_URL, "ldap://192.168.1.10:389");
 // Request the use of the "GSSAPI" SASL mechanism
 // Authenticate by using already established Kerberos credentials
 env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
// env.put("javax.security.sasl.server.authentication", "true");
 try {
 /* Create initial context */
 DirContext ctx = new InitialDirContext(env);
 /* Get the attributes requested */
 //Create the search controls
 SearchControls searchCtls = new SearchControls();
 //Specify the attributes to return
 String returnedAtts[]={"sn","givenName","mail"};
 searchCtls.setReturningAttributes(returnedAtts);
 //Specify the search scope
 searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
 //specify the LDAP search filter
 String searchFilter = "(&(objectClass=user)(mail=*))";
 //Specify the Base for the search
 String searchBase = "DC=fsta,DC=com";
 //initialize counter to total the results
 int totalResults = 0;
 // Search for objects using the filter
 NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
 //Loop through the search results
 while (answer.hasMoreElements()) {
 SearchResult sr = (SearchResult)answer.next();
 totalResults++;
 System.out.println(">>>" + sr.getName());
 // Print out some of the attributes, catch the exception if the attributes have no values
 Attributes attrs = sr.getAttributes();
 if (attrs != null) {
 try {
 System.out.println(" surname: " + attrs.get("sn").get());
 System.out.println(" firstname: " + attrs.get("givenName").get());
 System.out.println(" mail: " + attrs.get("mail").get());
 catch (NullPointerException e) {
 System.err.println("Error listing attributes: " + e);
 System.out.println("RABOTIII");
 System.out.println("Total results: " + totalResults);
 ctx.close();
 } catch (NamingException e) {
 e.printStackTrace();
}Edited by: GraemeK on Jun 18, 2009 11:56 AM

Authentication via weblogic security realm

 My servlet needs to access a session bean. The action in the session bean requires
 that a user has been authorized, i.e. at some point the session been calls
 String name = d_ctx.getCallerPrincipal().getName()
 This name may not be null at this time.
 What I would like to have is that the user executing the URL gets authenticated
 by my server realm 'myrealm' and that the associated prinicpal gets passed to
 the session bean. Is this possible. If so, how can the user pass along the username
 and password as this query is executed programmatically?
 markus


http://www.weblogic.com/docs51/classdocs/API_acl.html
Michael Girdley
BEA Systems Inc
"gennot" <[email protected]> wrote in message
news:[email protected]..
Could you send me the complete URL of these example, please?
Thanks
Enrico
Michael Girdley <[email protected]> wrote in message
39b87078$[email protected]..
The passing of the client's certificate should be automatic to WebLogic.We
have an example of getting the client side certificate from inside of
WebLogic in our documentation.
This does not require for SSL to be used from the Web server to
WebLogic.
>>
Thanks,
Michael
Michael Girdley
BEA Systems Inc
"Bob Simonoff" <[email protected]> wrote in message
news:[email protected]..
I have read through the docs and haven't found anything that would
address
the following confusion:
Suppose I want to use Apache or IPlanet as the webserver with WebLogicas
the back end application server (obviously). I have the need to use 2way
SSL authentication. As I understand it the following applies:
Client (browser) has a certificate as does the web server. Theyauthenticate
each other.
Now, the web server and weblogic need to communicate. WebLogic, in our
environment does authentication via the security realm.
What do I have to do to get the the web server (Apache or IPlanet) to
communicate the client's certificate to WebLogic so the WebLogic canperform
the authentication?
Does the communication between the web server and WebLogic also need
to
be
SSL?
Thanks
Bob Simonoff

WPA2-Enterprise Radius Authentication Windows Server 2008 R2

Hello,
I have tried a few online tutorials for providing secure wireless access. I currently have a server running Server 2008 R2 that has RRAS, NAP, and AD CS installed on it. My goal is to create a wireless SSID that utilizes WPA2-Entperise for users
to connect. Their AD credentials would need to belong to my "Wireless Users" group. I have seen tutorials that involved certificates, and some tutorials that simply added the RADIUS clients along with the network/connection policies,
and then added the settings to the router. When I've tried both ways, the wireless network never connects to the network. If I un-check the "Use Windows login credentials" a username/password field pops up. I enter the credentials
(tried both username and domain\username) of an account that is part of "Wireless Users". When I hit OK it sits for a few moments, and then pops back up again. When I do check "Use Windows login credentials" it says it can't
connect.
I have tried different firmware on the router, and I know the router is not the issue. This server is joined to my domain controller. It feels like the NAP server is not reaching the domain to authenticate credentials. Am I doing anything
wrong that I should be made aware of? In NAP if I right click the server, the "register in active directory" is greyed out, which I assume is because it's already joined to the domain.
I appreciate any help you can provide.
-Ken

I've searched in "Event Viewer" on the NPS server, and came across an interesting error. I have Google'd the error, and there are only a select few articles about it. If I try to connect, often times I will get two information events:
Event ID 4400 "A LDAP connection with domain controller DC-VPN-IIS-01.dc.cooper.org for domain COOPER is established."
And now...the issue
Event ID 6273
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: COOPER\LAPTOP3-W7$
Account Name: host/laptop3-w7.dc.cooper.org
Account Domain: COOPER
Fully Qualified Account Name: COOPER\LAPTOP3-W7$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: c0c1c074bfb6
Calling Station Identifier: 00216a902b70
NAS:
NAS IPv4 Address: 172.16.4.2
NAS IPv6 Address: -
NAS Identifier: c0c1c074bfb6
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 11
RADIUS Client:
Client Friendly Name: CiscoAP
Client IP Address: 172.16.4.2
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: dc-vpn-iis-01.dc.cooper.org
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
Clearly, when I try to connect, it's completely bypassing the network policy I created, but going to the "Connections to other access servers", which by default denys access. I've tried everything....removed and re-added the security policy...added
2 network policies for wireless. Does anyone know why the network policy I create for wireless is not being recognized?

Can Crystal Reports XI Server run in JRun4 platform?

I am a newbbie of using Crystal Reports Server~ My company discuss to purchase Crystal Reports Server XI because our web services need to provide a lot of chart for user to download. Now we developed the service through java, java servlet, JSP technology on a server running Macromedia JRun 4 which provide environment to run such kind of java code.I have been told to download the trial version and try it to make decission to purchase or not. I follow the installation guide but cannot start Crystal Reports Server, I can say that the server service is running but cannot access link mention in installation guide.Anyone face the same problem and find solution? Any advice can give me?

Crystal Reports Server has an application called the 'Central Configuration Manager' (CCM). The job of the CCM is to tell you the status of all the Crystal Report Server services. There are many services not just one. When you open the CCM you will see a service called the Central Management Server (CMC). Make sure it is running. You may also see a Tomcat server running in the CCM.If the Tomcat server and the CMC are running then you should be able to access the web interface to Crystal Reports Server via this link:<a href="http://localhost:8080/businessobjects/enterprise115/adminlaunch/launchpad.html">http://localhost:8080/businessobjects/enterprise115/adminlaunch/launchpad.html</a> If that doesn't work or you can't find a Tomcat server try this link for IIS:<a href="http://localhost/businessobjects/enterprise115/WebTools/adminlaunch/default.aspx">http://localhost/businessobjects/enterprise115/WebTools/adminlaunch/default.aspx</a> Hopefully this helps get you started. Rob Hornehttp://diamond.businessobjects.com/blog/10

Migrating data from Sun ONE directory server into openLDAP

Hi,
I was to migrate the data from Sun ONE directory server into openldap. Has anybody done this or know about this. Can you please share the steps that needs to be done.
NOTE: I have exported the data into LDIF file but when I run with ldapadd into the open ldap
ldap_add: Invalid syntax (21)
additional info: objectClass: value #1 invalid per syntax
Are there specific schemas that i need. Where can I find them?
Thanks

Why would you want to migrate data into an OpenLDAP server ?Good Question, let me explain you my problem with Sun DS.
No Question DS is the better product (even Red Hat realized this).
Problem: DS is not a base Solaris 10 OS component, for patch support
you need some additional plan, now sun marketing nightmare comes ;o)
Every year service plans are changed (want a SJES or a DS or a DSEE ?)
so use solaris with OpenLDAP, or linus with NSDS.
Sun please give us a Solaris Core Component called LDAP Server (no need for trillions of entries).
joe

Self Assigned IP even though I am Authenticated via PEAP(MSCHAPv2) to WPA2

Help!
After installing Snow Leopard 10.6.1 on my 2.16 GHz Core Duo MacBook Pro running OS 10.5, I can no longer connect to the WPA2 Enterprise network at the University of Ottawa. I can still connect to other encrypted networks, such as my home WEP encrypted network. Before the installation I was able to connect to the WPA2 enterprise network.
When attempting to connect, under network preferences I can see that my computer is Authenticated via PEAP(MSCHAPv2) and a timer showing my time connected is running. However under status, it says that I have a self assigned IP and that I cannot connect to the internet. As a result I cannot connect to the internet.
I have included a picture that describes my problem exactly:
Does anyone have this problem? Can anyone help me?
Thanks!

The thing you and many others forget is that these forums are for those with problems. Those for whom the installs works without fault do not visit here. They do not post. There are about 9,000 topics in the Installation and Using forums (the largest two) and even if every topic were an unique fault, this would mean a small fraction of the installed base.
According to AppleInsider the Q1 sales of SL would be circa 5 million copies, and other reports indicate these numbers have been surpassed in the early months. So lets go for one months sales at only 1.5 million copies. 9,000 faults in 1.5 million copies is only a 0.6% rate and that's if every topic is a different fault (which it plainly isn't).
So I'm afraid your argument is even less convincing - a few people report your fault, and even if only 1% of the installed base uses it, its still infinitesimal. IMO, the vast majority of problems arise from an initial Leopard installation that had enough variability of build to make enhancements problematical. I'd be the first to admit its not Apples finest hour, but its certainly not bad for the overwhelming majority.
Perhaps you could apply to be an Apple tester, to help solve this issue ? Its better than standing on the sidelines complaining about everyone elses work for certain.
Or log a fault request as it will get looked at I can assure you, but only if there is a tester who is actually able and willing to test that particular piece of functionality.

Creating NetRestore Image of OS X Yosemite (10.10) from Mac Mini Server Running Mavericks (10.9)

Hello all,
We are attempting to create a NetRestore image of a Macbook Pro running Yosemite (10.10) from a Mavericks (10.9) Mac Mini running OS X Server. Previously we connected a Macbook Pro in target mode to our Mac Mini (both running Mavericks) using System Image Utility to create a NetRestore SP0 from which we could deploy to all of the computers in our lab running Mavericks. We did this as a method to update the applications on each iMac locally from the hosted NetRestore image we created. We are now receiving several new iMacs and Mac Pros running Yosemite (10.10) native and we wish to use the same process to update these machines from our Mac Mini (Mavericks) running OS X Server.
We are now trying create a NetRestore image from a native Yosemite Macbook Pro using System Image Utility on our Mac Mini (running Mavericks) however when the Yosemite Macbook Pro is connected in target mode, System Image Utility does not recognize the volume although it is recognized by our Mac mini (e.g., the yellow-orange image icon is displayed on the Mac Mini's desktop). Some of our lab computers are still running Mavericks, and my understanding is that Mavericks NetRestore Images cannot be created from a Mac Mini with OS X Server running Yosemite.
Must we upgrade our Mac mini from Mavericks to Yosemite for System Image Utility to recognize our Yosemite Macbook Pro (connected in target mode) in order to create a Yosemite NetRestore Image?
Note: We know there are better alternatives (e.g., Munki) to deploy updates to our machines via server and are working to establish a more convenient process, but this is the method we have been comfortable using before running into the above issue.
Thanks all!

You could use DeployStudio to 'serve' both Yosemite and Mavericks images from your Mac mini which can still run Mavericks. You would also use DeployStudio to make an image of the MacBook once it has been loaded and then this image can be restored to multiple machines.
See http://www.deploystudio.com

Finnicky epson scanner via server

We have an Epson Perfection 3200 scanner connected to our (less than 2 months old) Mac mini server running Snow Leopard Server. We have been using Image Capture on user machines to access the shared scanner via ethernet connection. It works great.. for a while. The problem is that every few days, the scanner stops responding. Image Capture opens, but when you click on the scanner in the list of devices, it just reads "Trying to open scanner session..." and never resolves.
Sometimes restarting the scanner will fix this problem, but not always. We end up having to restart the server and kick everybody off that's using files at the time in order for the scanner to show up again.
We have tried accessing from multiple user machines (Leopard, SL, diff machines, no result)
We have tried restarting user machines
We have power-cycled and restarted the scanner
We have disconnected and reconnected ethernet at user-machines
We are trying to avoid having to restart the server every time this issue occurs, since we have to scan things several times a day. Any ideas? Thanks.

There is nothing wrong. The USB port on the AirPort Extreme base station (AEBS) does NOT support scanning.

Authenticating via CAS (i.e. w/o Oracle SSO or Page 101)?

As I mentioned in this Re: ERR 1002 Unable to find item ID, I need to use custom authentication that can redirect to a web form and return when the user has been authenticated. I'm struggling to use the Apex default API with this authentication scheme. Basically the timing of when the Apex actions happen seem to conflict with the CAS method.
Our authentication is based on a home-grown Oracle package that talks to our implementation of the CAS (Central Authentication Service project) authentication server. Our instance pops up a web form to get username and password, then calls CAS and handles the return. So Apex never gets the username/password, so there's no need to show page 101.
So my authentication scheme is almost empty. Except for the Page Sentry function. The only way I could get this to work was to put my Oracle call to CAS in the Page Sentry, where it returns TRUE/FALSE.
It's been a while since I messed with this but as I recall, when I moved the CAS authentication call to any other point in the scheme, it wouldn't fire at the proper point. Plus I got lost how to get the Apex Login function called, since there's no Submit process from page 101.
I've seen suggestions that this is similar to what happens in the LDAP authentication, but I'm still lost on which actions happen when (though I've read through Apex's Flow Chart page for my scheme).
To complicate matters, I have a Post-Authentication process that needs to run. Since I'm not running the Authentication Scheme's Login Processing Authentication Function, code I put in the Post-Authentication Process doesn't get run either.
Can anyone at least suggest to me how I can get the Login Processing steps (including Pre- and Post-) to run w/o using the regular login page?
I'm at my wit's end over this.
Thanks,
Stew

Scott,
Thanks for the offer but there's no way I can replicate our environment there.
I was looking for more-general information.
For example, my brain tells me that I should be able to do all my steps in the Login Processing section of my Authentication scheme.
1) Set up the Pre-Authentication Process process to call my CAS authentication procedure.
2) Define the Authentication Function to call my authorization routine to determine if the person is authorized to run my application. If they're authorized, have this step call APEX_CUSTOM_AUTH.LOGIN to establish a standard Apex session. Then return TRUE (that they've successfully authenticated.
3) Define the Post-Authentication Process to do any other setup I need.
4) Set the Page Sentry function to use the standard wwv_flow_custom_auth_std.is_session_valid function.
Then I think I should simply be able to define the security for Page 1 as "Is not Public User", which should call the authentication steps to run.
But I'm clearly not getting it, as this model didn't seem to work for me. It was a while ago I tried this, but it didn't seem to call the authentication steps without a Submit from Page 101.
Can you clear up my confusion on how things really work vs my simplistic thoughts above?
Thanks,
Stew

Report server running in integrated mode , but cannot deploy reports again and again prompts for login

Report server running in integrated mode , but cannot deploy reports again and again prompts for login
Nur Mondal

Hello,
How are you deploying the reports? Via Visual Studio, Report builder or manually uploading RDL files?
Paul
Paul Mather | Twitter |
http://pwmather.wordpress.com | CPS

No X window server running

I can not get an X window server running on my sunrays. Sorry I am new to using SunRays. I installed SunRay Server 3.1 and it seemed to install with no problems. I then configured using ./utadm -A not a problem [I am using a LAN configuration I set up the DHCP server ], then ./utconfig I let it configure my web server and enabled remote admin. I did not enable Controlled Access Mode [don't need it].
The Web Admin GUI works. Now when I start my first SunRay 170, it undated the firmware [I could see the OSD icon]. But no X server is started?
I looked up the OSD icons and numeric icon code. I get the Ethernet Address and assigned IP address [looks correct], I get the Auhtentication server IP address [looks correct]. I get an hour glass with 100 F [this means full duplex] and the numeric icon code at the right bottom is 26 D which means: 26 The Sun Ray has connected to the server and is waiting for graphics traffic (this is the GNC state). and D DHCP provided all expected parameters. I looked up this problem on the Admin Guide and it says its the "Wait for Session OSD". the fix is to cp Xservers and Xconfig from usr/dt/config to /etc/dt/config but this does not work. Also the Install guide mentions [page 45] a possible corruption problem. I never had any diff between these files, so I do not know how entries to /etc/dt/config/Xserver are made? I think this might be the problem but I do not know what to do next. The Install guide also mentions that when you replace them Xserver and Xconfig extra lines are automatically rebuilt? from where and how do you force them to do so.
Just in case i am running intel Solaris 10 on a sunfire v20z
Thanks in advance
-James

I have gone ahead and unistalled I ran ./utinstall -u and the program uninstalled but I figure it did not uninstall everything [go figure].
I again reinstalled and checked the log file everything said it installed successfully. I ran ./utadm -A subnet# then ./utrestart then ./utconfig, sync sync init 6.
I think at this point it has messed something up with the web admin bit, or did not uninstall its previous configuration. I still get the Wait for Session OSD, but in the web admin I can not edit the policy it says an error has occured and I can not restart it either [I could before]. This does take me to the next question because it is setting a group policy somewhere:
utpolicy: [ID 702911 user.info] # Reading policy file: /etc/opt/SUNWut/policy/utpolicy # Current Policy: /opt/SUNWut/lib/utgenpolicy -a -g -z both
I want Access All Users to be set this is just one Sun Ray server not belonging to a group and I do not have any card readers [another annoying thing that loads why?]. Does anyone know how to use command line utpolicy to set up all user access? maybe this is the problem?
I have also downloaded the new Sun Ray Software 4 which is really just Sun Ray 3.1 [kind of pissed off about this], but does have Sun Desktop Manager. I do not know what this is but does anyone think it might give me more control in accepting or authenticating sun ray clients? I now think it is an authentication problem [from my previous errors] and might be something to do with the default policy [from these new errors].
I will again uninstall this software and try it again. If anyone knows how to uninstall this cleanly [better than ./utinstall -u ] or knows of better software for unix terminals than sun ray please let me know.
Thanks in advance.
-James

Authentication via server running OpenLDAP

Similar Messages

Maybe you are looking for