BOXI r2 - SSO in Active Directory multi domain

Similar Messages

• Problem authenticating user in Active Directory cross domain

  Hi,
  We have two different AD servers serving our London and Tokyo networks. My application runs in London network but used by both London and Tokyo users.
  The two ADs have domain trust setup between them. I have groups defined in London AD to which users from both the London and Tokyo ADs are assigned.
  'm trying to connect to London AD using the "users credentials" and retrieve the groups they are assigned to.
  I can connect to the London AD using any of the London user and I could retrieve the groups. But when I use a Tokyo user credentials to connect using the London AD server 'm getting Security exception with a code indicating "User Not Found".
  The code I use which is very basic is given below . The code below run as such gives me the following error,
  [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece.
  If I change in the code below, Provider URL to Tokyo AD Server URL then it works but I can't use that due to security restrictions. As per the Windows Team the domain trust should allow me to connect/bind to the London AD Server with the Tokyo credentials.
  Hashtable<String, String> env = new Hashtable<String, String>();
  env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.PROVIDER_URL, "london ldap server url"); 
  env.put(Context.SECURITY_AUTHENTICATION, "simple");
  env.put(Context.REFERRAL, "follow");
  env.put(Context.SECURITY_PRINCIPAL, "[email protected]"); 
  env.put(Context.SECURITY_CREDENTIALS, "password"); 
  env.put(LdapContext.CONTROL_FACTORIES, "com.sun.jndi.ldap.ControlFactory");
  ctx = new InitialLdapContext(env, null);
  I would like to know how to authenticate a user in a cross domain Active Directory environment. I read in one of the blogs that the "simple bind" will not work for cross domain user authentication. Unfortunately the blogger didn't mention what would work :( . Any help is much appreciated.
  Please bear with me if my query is a naive one and point me in the right direction.
  Thanks
  Jothi                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

  Hi Praveen,
  to avoid losing data when user objects are moved to new locations in the LDAP server, it is possible to configure the User Management Engine to use the value of a specific unique attribute as part of the unique ID instead of the distinguished name.
  For this, you have to change the following UME properties:
  For user objects: ume.ldap.unique_user_attribute=<attributename>
  For account objects: ume.ldap.unique_uacc_attribute=<attributename>
  For group objects: ume.ldap.unique_grup_attribute=<attributename>
  Be aware that the attribute (i.e. cn or uid) must be unique in the configured user/group path.
  Please read SAPNote 777640 for more information regarding this problem and the way to change the UME properties.
  Best regards,
  Robert

• Active Directory multi forest Kerberos authentication Tomcat

  Sorry. It is wrong forum. I forwarded my question to Business Objects forum.
  Hi,
  I have Business Objects Enterprise XI R2 with Tomcat installed on Windows 2003. My BO server and users are placed in different Active Directory forests (BO domain x forest A, users domain y forest B). I would like to authenticate users from domain y in my BO using Kerberos.
  There is a trust between whose domains. I also set SPN and configured "Windows AD" tab in Central Management Console.
  I can add AD group from domain y and list users from that domain in Central Mangement Console. But when user from domain y tries to logon to BO he gets error java.lang.NullPointerException. Due to this error, he is unable to connect.
  There is also an error logged in Tomcat stdout.log file:
  70051106 [http-8080-Processor22] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction  - LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
  If anyone has come across this situation, please share the solution.
  Thanks & Regards,
  Piotr
  Edited by: Piotr Heise on Mar 27, 2009 2:08 PM

  Hi
  Is your enterprise is configured to a Java Active Directory?
  Then there can bemultiple causes:
  - The Java and the Central Management Server (CMS) are using encryption types that do not match.
  - The Service Principal Name in the CMC is incorrect
  Then to resolve this perform the following steps:
  - In the Central Configuration Manager, double-click the CMS, and note the service account used.
  - In Windows Domain users and computers, go to account properties for the CMS service account.
  - Select Use DES encryption types for this account. In large AD deployments this change can take time to propagate.
  - Login to the CMC and verify (Authentication -> Active Directory -> Service Principal Name) is in the format BOBJCentralMS/HOSTNAME.DOMAIN.COM
  - Restart the CMS server and log on.
  In a clustered CMS environment ensure that all CMS's are running under the same domain account.
  Hope this helps!!!
  Regards
  Sourashree

• Authentication Plug-ins for active directory Multiple Domains(oidspad2.sh)

  hi ,
  i have use note 294791.1 from metalink to try link to active directory i have 2 one is staff and another is student
  i first ran oidspadi.sh to create plugin for staff it works then i edit the 2 script to oidspad2.pls and oidspad2.sh with the require changes inside the files then i ran it it work but now the problem is the first ad now cant work this is my changes below
  FOR oidspad2.pls
  Rem
  Rem $Header: oidspada.pls 02-aug-2004.04:45:11 saroy Exp $
  Rem
  Rem oidspads.pls
  Rem
  Rem Copyright (c) 2002, 2004, Oracle. All rights reserved.
  Rem
  Rem NAME
  Rem oidspada.pls - 9.0.4 OID Password Active Directory
  Rem External Authentication Plug-in
  Rem
  Rem
  Rem NOTES
  Rem <other useful comments, qualifications, etc.>
  Rem
  Rem MODIFIED (MM/DD/YY)
  Rem saroy 08/02/04 - Fix for bug 3807482
  Rem qdinh 01/27/04 - bug 3374115
  Rem dlin 01/08/04 - pingan perf
  Rem dlin 08/22/03 - 3111770 bug fix
  Rem dlin 08/27/03 - change the way to get name
  Rem dlin 08/13/03 - bug 2962082 fix
  Rem dlin 02/21/03 - plug-in install changes
  Rem dlin 02/13/03 - dlin_bug-2625027
  Rem dlin 02/05/03 - fix ssl & failover
  Rem dlin 01/31/03 - dlin_adextauth1
  Rem dlin 01/30/03 - Created
  Rem
  SET echo off;
  SET serveroutput off;
  SET feedback off;
  SET verify off;
  CREATE OR REPLACE PACKAGE OIDADPSW2 AS
  PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
  result OUT INTEGER,
  dn IN VARCHAR2,
  passwd IN VARCHAR2,
  rc OUT INTEGER,
  errormsg OUT VARCHAR2
  PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
  result OUT INTEGER,
  dn IN VARCHAR2,
  attrname IN VARCHAR2,
  attrval IN VARCHAR2,
  rc OUT INTEGER,
  errormsg OUT VARCHAR2
  AD_HANDLE DBMS_LDAP.session DEFAULT NULL;
  END OIDADPSW2;
  SHOW ERROR
  CREATE OR REPLACE PACKAGE BODY OIDADPSW2 AS
  SUBTYPE LDAP_SESSION IS RAW(32);
  SUBTYPE LDAP_MESSAGE IS RAW(32);
  SUBTYPE LDAP_BER_ELEMENT IS RAW(32);
  SUBTYPE ATTRLIST IS DBMS_LDAP.STRING_COLLECTION;
  SUBTYPE MOD_ARRAY IS RAW(32);
  SUBTYPE BERLIST IS DBMS_LDAP.BERVAL_COLLECTION;
  PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
  result OUT INTEGER,
  dn IN VARCHAR2,
  passwd IN VARCHAR2,
  rc OUT INTEGER,
  errormsg OUT VARCHAR2
  IS
  retval pls_integer;
  lresult BOOLEAN;
  my_session DBMS_LDAP.session;
  my_session1 DBMS_LDAP.session;
  tmp_session DBMS_LDAP.session;
  adupname VARCHAR2(1024) DEFAULT NULL;
  BEGIN
  plg_debug( '=== Begin when_bind_replace()');
  DBMS_LDAP.USE_EXCEPTION := FALSE;
  result := 49;
  adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
  IF (adupname IS NULL) THEN
  result := 1;
  plg_debug('Can not get ADUserPrincipalName');
  rc := DBMS_LDAP.SUCCESS;
  errormsg := 'Exception in when_bind_replace: Can not get ADUserPrincipalName';
  plg_debug( '=== End when_bind_replace() ===');
  RETURN;
  END IF;
  plg_debug( 'Go to AD for authentication');
  -- externally authenticate user
  IF ('&1' = 'n') THEN
       IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
       my_session := DBMS_LDAP.init('&2', &3);
       OIDADPSW2.AD_HANDLE := my_session;
       ELSE
       my_session := OIDADPSW2.AD_HANDLE;
       END IF;
  plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
  retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
  plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
  -- Retry logic should be invoked only
  -- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
  -- Should free the old session if retry logic kept failing
  -- to cause the number of outstanding sessions exceeding the
  -- limit session number
       IF (retval = 52 OR retval = 53 OR retval = 81) THEN
       retval := DBMS_LDAP.unbind_s(my_session);
       plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
       my_session1 := DBMS_LDAP.init('&4', &5);
       plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
       tmp_session := my_session1;
       retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
       plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
       IF (retval != 52 AND retval != 53 AND retval != 81) THEN
       OIDADPSW2.AD_HANDLE := tmp_session;
       ELSE
       retval := DBMS_LDAP.unbind_s(tmp_session);
       plg_debug( 'unbind_res result ' || TO_CHAR(retval));
       END IF;
       END IF;
  ELSE
  -- SSL bind
       IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
       my_session := DBMS_LDAP.init('&6', &7);
       plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
       retval := DBMS_LDAP.open_ssl(my_session,
                           'file:' || '&8', '&9', 2);
       IF (retval != 0) THEN
       plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
       retval := DBMS_LDAP.unbind_s(my_session);
       plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
       result := 82;
       RETURN;
       END IF;
       plg_debug( 'open_ssl: ' || TO_CHAR(retval));
       OIDADPSW2.AD_HANDLE := my_session;
       ELSE
       my_session := OIDADPSW2.AD_HANDLE;
       END IF;
  retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
  plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
  -- Retry logic should be invoked only
  -- when retval = LDAP_UNWILLING_TO_PERFORM
  -- or LDAP_UNAVAILABLE
       IF (retval = 52 OR retval = 53 OR retval = 81) THEN
       retval := DBMS_LDAP.unbind_s(my_session);
       plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
       my_session1 := DBMS_LDAP.init('&10', &11);
       plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
       tmp_session := my_session1;
       retval := DBMS_LDAP.open_ssl(my_session1,
                           'file:' || '&12', '&13', 2);
       IF (retval != 0) THEN
       plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
       retval := DBMS_LDAP.unbind_s(my_session1);
       plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
       result := 82;
       RETURN;
       END IF;
       plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
       retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
       plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
       IF (retval != 52 AND retval != 53 AND retval != 81) THEN
       OIDADPSW2.AD_HANDLE := tmp_session;
       ELSE
       retval := DBMS_LDAP.unbind_s(tmp_session);
       plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
       END IF;
       END IF;
  END IF;
  -- for failover to connect to the secondary server
  IF ('&14' = 'y' AND retval != 0) THEN
  IF ('&15' = 'n') THEN
       IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
       my_session := DBMS_LDAP.init('&16', &17);
       OIDADPSW2.AD_HANDLE := my_session;
       ELSE
       my_session := OIDADPSW2.AD_HANDLE;
       END IF;
  plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
  retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
  plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
       IF (retval = 52 OR retval = 53 OR retval = 81) THEN
       retval := DBMS_LDAP.unbind_s(my_session);
       plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
       my_session1 := DBMS_LDAP.init('&18', &19);
       plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
       tmp_session := my_session1;
       retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
       plg_debug( 'retry simple_bind_res again: ' || TO_CHAR(retval));
       IF (retval != 52 AND retval != 53 AND retval != 81) THEN
            OIDADPSW2.AD_HANDLE := tmp_session;
       ELSE
       retval := DBMS_LDAP.unbind_s(tmp_session);
            plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
       END IF;
       END IF;
  ELSE
       IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
       my_session := DBMS_LDAP.init('&20', &21);
       plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
       retval := DBMS_LDAP.open_ssl(my_session,
                           'file:' || '&22', '&23', 2);
       IF (retval != 0) THEN
       plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
       retval := DBMS_LDAP.unbind_s(my_session);
       plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
       result := 82;
       RETURN;
       END IF;
       plg_debug( 'open_ssl: ' || TO_CHAR(retval));
       OIDADPSW2.AD_HANDLE := my_session;
       ELSE
       my_session := OIDADPSW2.AD_HANDLE;
       END IF;
  retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
  plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
  -- Retry logic should be invoked only
  -- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
       IF (retval = 52 OR retval = 53 OR retval = 81) THEN
       retval := DBMS_LDAP.unbind_s(my_session);
       plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
       my_session1 := DBMS_LDAP.init('&24', &25);
       plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
       tmp_session := my_session1;
       retval := DBMS_LDAP.open_ssl(my_session1,
                           'file:' || '&26', '&27', 2);
       IF (retval != 0) THEN
       plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
       retval := DBMS_LDAP.unbind_s(my_session);
       plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
       result := 82;
       RETURN;
       END IF;
       plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
       retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
       plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
       IF (retval != 52 AND retval != 53 AND retval != 81) THEN
            OIDADPSW2.AD_HANDLE := tmp_session;
       ELSE
       retval := DBMS_LDAP.unbind_s(tmp_session);
       plg_debug( 'unbind_res result ' || TO_CHAR(retval));
       END IF;
       END IF;
       END IF;
  END IF;
  IF (retval = 0) THEN
  result := 0;
  plg_debug('AD auth return TRUE');
  ELSE
       result := retval;
  plg_debug('AD auth return FALSE or ERROR');
  END IF;
  -- retval := DBMS_LDAP.unbind_s(my_session);
  -- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
  rc := DBMS_LDAP.SUCCESS;
  errormsg := 'No error msg.';
  plg_debug( '=== End when_bind_replace() ===');
  EXCEPTION
  WHEN OTHERS THEN
  rc := DBMS_LDAP.OPERATIONS_ERROR;
       retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
       OIDADPSW2.AD_HANDLE := NULL;
       plg_debug( ' exception unbind_res returns ' || TO_CHAR(retval));
  errormsg := 'Exception: when_bind_replace plugin';
  plg_debug( 'Exception in when_bind_replace(). Error code is ' ||
            TO_CHAR(sqlcode));
  plg_debug( ' ' || Sqlerrm);
  END;
  PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
  result OUT INTEGER,
  dn IN VARCHAR2,
  attrname IN VARCHAR2,
  attrval IN VARCHAR2,
  rc OUT INTEGER,
  errormsg OUT VARCHAR2
  IS
  retval pls_integer;
  lresult BOOLEAN;
  my_session DBMS_LDAP.session;
  my_session1 DBMS_LDAP.session;
  tmp_session DBMS_LDAP.session;
  adupname VARCHAR2(1024) DEFAULT NULL;
  BEGIN
  plg_debug( '=== Begin when_compare_replace()');
  result := DBMS_LDAP.COMPARE_FALSE;
  DBMS_LDAP.USE_EXCEPTION := FALSE;
  adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
  IF (adupname IS NULL) THEN
  result := DBMS_LDAP.COMPARE_FALSE;
  plg_debug('Can not get ADuserPrincipalName');
  rc := DBMS_LDAP.SUCCESS;
  errormsg := 'Exception in when_compare_replace: Can not get ADUserPrincipalName';
  plg_debug( '=== End when_compare_replace() ===');
  RETURN;
  END IF;
  -- externally authenticate user
  IF ('&28' = 'n') THEN
       IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
       my_session := DBMS_LDAP.init('&29', &30);
       OIDADPSW2.AD_HANDLE := my_session;
       ELSE
       my_session := OIDADPSW2.AD_HANDLE;
       END IF;
  plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
  retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
  plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
  -- Retry logic should be invoked only
  -- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
  IF (retval = 52 OR retval = 53 OR retval = 81) THEN
       retval := DBMS_LDAP.unbind_s(my_session);
  plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
       my_session1 := DBMS_LDAP.init('&31', &32);
       plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
       tmp_session := my_session1;
       retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
       plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
       IF (retval != 52 AND retval != 53 AND retval != 81) THEN
       OIDADPSW2.AD_HANDLE := tmp_session;
  ELSE
       retval := DBMS_LDAP.unbind_s(tmp_session);
       plg_debug( 'unbind_res result ' || TO_CHAR(retval));
       END IF;
       END IF;
  ELSE
       IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
       my_session := DBMS_LDAP.init('&33', &34);
       plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
       retval := DBMS_LDAP.open_ssl(my_session,
                           'file:' || '&35', '&36', 2);
       IF (retval != 0) THEN
       plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
       retval := DBMS_LDAP.unbind_s(my_session);
       plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
       result := 82;
       RETURN;
       END IF;
       plg_debug( 'open_ssl: ' || TO_CHAR(retval));
       OIDADPSW2.AD_HANDLE := my_session;
       ELSE
       my_session := OIDADPSW2.AD_HANDLE;
       END IF;
  retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
  plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
  -- Retry logic should be invoked only
  -- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
  IF (retval = 52 OR retval = 53 OR retval = 81) THEN
       retval := DBMS_LDAP.unbind_s(my_session);
  plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
       my_session1 := DBMS_LDAP.init('&37', &38);
       plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
       tmp_session := my_session1;
       retval := DBMS_LDAP.open_ssl(my_session1,
                           'file:' || '&39', '&40', 2);
  IF (retval != 0) THEN
       plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
       retval := DBMS_LDAP.unbind_s(my_session);
       plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
       result := 82;
       RETURN;
       END IF;
       plg_debug( 'open_ssl: ' || TO_CHAR(retval));
       retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
       plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
       IF (retval != 52 AND retval != 53 AND retval != 81) THEN
       OIDADPSW2.AD_HANDLE := tmp_session;
  ELSE
       retval := DBMS_LDAP.unbind_s(tmp_session);
       plg_debug( 'unbind_res result ' || TO_CHAR(retval));
       END IF;
       END IF;
  END IF;
  -- for failover to connect to the secondary AD
  IF ('&41' = 'y' AND retval != 0) THEN
  IF ('&42' = 'n') THEN
       IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
       my_session := DBMS_LDAP.init('&43', &44);
       OIDADPSW2.AD_HANDLE := my_session;
       ELSE
       my_session := OIDADPSW2.AD_HANDLE;
       END IF;
  plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
  retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
  plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
  -- Retry logic should be invoked only
  -- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
       IF (retval = 52 OR retval = 53 OR retval = 81) THEN
       retval := DBMS_LDAP.unbind_s(my_session);
  plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
       my_session1 := DBMS_LDAP.init('&45', &46);
       plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
       tmp_session := my_session1;
       retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
       plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
       IF (retval != 52 AND retval != 53 AND retval != 81) THEN
            OIDADPSW2.AD_HANDLE := tmp_session;
  ELSE
       retval := DBMS_LDAP.unbind_s(tmp_session);
       plg_debug( 'unbind_res result ' || TO_CHAR(retval));
       END IF;
       END IF;
       ELSE
       IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
       my_session := DBMS_LDAP.init('&47', &48);
       plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
       retval := DBMS_LDAP.open_ssl(my_session,
                           'file:' || '&49', '&50', 2);
       IF (retval != 0) THEN
       plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
       retval := DBMS_LDAP.unbind_s(my_session);
       plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
       result := 82;
       RETURN;
       END IF;
       plg_debug( 'open_ssl: ' || TO_CHAR(retval));
       OIDADPSW2.AD_HANDLE := my_session;
       ELSE
       my_session := OIDADPSW2.AD_HANDLE;
       END IF;
  retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
  plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
  -- Retry logic should be invoked only
  -- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
       IF (retval = 52 OR retval = 53 OR retval = 81) THEN
       retval := DBMS_LDAP.unbind_s(my_session);
  plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
       my_session1 := DBMS_LDAP.init('&51', &52);
       plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
       tmp_session := my_session1;
       retval := DBMS_LDAP.open_ssl(my_session1,
                           'file:' || '&53', '&54', 2);
       IF (retval != 0) THEN
       plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
       retval := DBMS_LDAP.unbind_s(my_session1);
       plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
       result := 82;
       RETURN;
       END IF;
       plg_debug( 'open_ssl: ' || TO_CHAR(retval));
       retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
       plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
       IF (retval != 52 AND retval != 53 AND retval != 81) THEN
            OIDADPSW2.AD_HANDLE := tmp_session;
       ELSE
       retval := DBMS_LDAP.unbind_s(tmp_session);
       plg_debug( 'unbind_res result ' || TO_CHAR(retval));
       END IF;
       END IF;
       END IF;
  END IF;
  IF (retval = 0) THEN
  result := DBMS_LDAP.COMPARE_TRUE;
  plg_debug('AD auth return TRUE');
  ELSE
  result := DBMS_LDAP.COMPARE_FALSE;
  plg_debug('AD auth return FALSE or ERROR');
  END IF;
  -- retval := DBMS_LDAP.unbind_s(my_session);
  -- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
  rc := DBMS_LDAP.SUCCESS;
  errormsg := 'No error msg.';
  plg_debug( '=== End when_compare_replace() ===');
  EXCEPTION
  WHEN OTHERS THEN
  rc := DBMS_LDAP.OPERATIONS_ERROR;
  errormsg := 'Exception: when_compare_replace plugin';
  plg_debug( 'Exception in when_compare_replace(). Error code is ' ||
            TO_CHAR(sqlcode));
  plg_debug( ' ' || Sqlerrm);
       retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
       OIDADPSW2.AD_HANDLE := NULL;
  END;
  END OIDADPSW2;
  SHOW ERRORS
  EXIT;
  -- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
  -- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
  -- secwalletloc, secwalletpwd
  -- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
  -- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
  -- secwalletloc, secwalletpwd
  FOR oidspadi.sh
  #!/bin/sh
  # $Header: oidspadi.sh 13-may-2005.13:48:51 saroy Exp $
  # oidspadi.sh
  # Copyright (c) 2002, 2005, Oracle. All rights reserved.
  # NAME
  # oidspadi.sh - AD external authentication plug-in install
  # DESCRIPTION
  # <short description of component this file declares/defines>
  # NOTES
  # <other useful comments, qualifications, etc.>
  # MODIFIED (MM/DD/YY)
  # saroy 05/13/05 - Fix for bug 4233817
  # saroy 02/18/05 - Fix for bug 4054414
  # saroy 11/02/04 - Fix for bug 3980370
  # qdinh 01/19/04 - bug 3374115
  # dlin 07/10/03 - turn off debug
  # dlin 02/21/03 - plug-in install changes
  # dlin 02/13/03 - dlin_bug-2625027
  # dlin 07/22/02 - Creation
  ADHOST="A"
  ADPORT="1"
  ADSSLPORT="1"
  WALLETLOC="A"
  WALLETPWD="A"
  WALLETPWD2="A"
  CONNECT="A"
  ODSPWD="A"
  ODSPWD2="A"
  OIDHOST="A"
  OIDPORT="1"
  ORCLADMINPWD="A"
  ORCLADMINPWD2="A"
  PRGDN="A"
  SCUSB="A"
  EP="A"
  ISSSL="n"
  ISFAILOVER="n"
  ISFAILOVERSSL="n"
  SECADHOST="A"
  SECADPORT="1"
  SECADSSLPORT="1"
  SECWALLETLOC="A"
  SECWALLETPWD="A"
  SECWALLETPWD2="A"
  clear
  echo "---------------------------------------------"
  echo " OID Active Directory Plug-in Configuration"
  echo "---------------------------------------------"
  echo " "
  echo "Please make sure Database and OID are up and running."
  echo " "
  LDAP_DIR=${ORACLE_HOME}/ldap
  LDAP_LOG=${LDAP_DIR}/log
  ## ORACLE_HOME
  if [ -z $ORACLE_HOME ] ; then
  echo " ORACLE_HOME must be set for this installation script"
  exit 0
  fi
  # gather required information
  if [ ${ADHOST} = "A" ] ; then
  printf "Please enter Active Directory host name: "
  read ADHOST
  fi
  ## active directory host name is required
  if [ "${ADHOST}" = "" ]
  then
  echo "Active Directory host name is required";
  exit 1;
  fi
  printf "Do you want to use SSL to connect to Active Directory? (y/n) "
  read ISSSL
  if [ "${ISSSL}" = "n" ]
  then
  if [ ${ADPORT} = "1" ] ; then
  printf "Please enter Active Directory port number [389]: "
  read ADPORT
  if [ "${ADPORT}" = "" ]
  then
  ADPORT="389"
  fi
  fi
  fi
  if [ "${ISSSL}" = "y" ]
  then
  if [ ${ADSSLPORT} = "1" ] ; then
  printf "Please enter Active Directory SSL port number [636]: "
  read ADSSLPORT
  if [ "${ADSSLPORT}" = "" ]
  then
  ADSSLPORT="636"
  fi
  fi
  if [ ${WALLETLOC} = "A" ] ; then
  echo " "
  printf "Please enter Oracle wallet location: "
  read WALLETLOC
  fi
  ## wallet location is required
  if [ "${WALLETLOC}" = "" ]
  then
  echo "Oracle wallet location is required";
  exit 1;
  fi
  if [ ${WALLETPWD} = "A" ] ; then
  printf "Please enter Oracle wallet password: "
  stty -echo ; read WALLETPWD ; stty echo ; echo
  fi
  if [ "${WALLETPWD}" = "" ]
  then
  echo "Oracle wallet password is required";
  exit 1;
  fi
  if [ ${WALLETPWD2} = "A" ] ; then
  printf "Please enter confirmed Oracle wallet password: "
  stty -echo ; read WALLETPWD2 ; stty echo ; echo
  fi
  if [ "${WALLETPWD}" != "${WALLETPWD2}" ]
  then
  echo "The input passwords are not matched";
  exit 1;
  fi
  fi
  if [ ${CONNECT} = "A" ] ; then
  echo " "
  printf "Please enter DB connect string: "
  read CONNECT
  fi
  if [ ${ODSPWD} = "A" ] ; then
  printf "Please enter ODS password: "
  stty -echo ; read ODSPWD ; stty echo ; echo
  fi
  ## password is required
  if [ "${ODSPWD}" = "" ]
  then
  echo "ODS password is required";
  exit 1;
  fi
  if [ ${ODSPWD2} = "A" ] ; then
  printf "Please enter confirmed ODS password: "
  stty -echo ; read ODSPWD2 ; stty echo ; echo
  fi
  if [ "${ODSPWD}" != "${ODSPWD2}" ]
  then
  echo "The input passwords are not matched";
  exit 1;
  fi
  if [ "${CONNECT}" = "" ]
  then
  CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD} "
  else
  CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD}@${CONNECT} "
  fi
  # Check if ODS password and connect string is correct
  ${ORACLE_HOME}/bin/sqlplus -L ods/${ODSPWD}@${CONNECT} << END 1>/dev/null 2>/dev/null
  exit;
  END
  if [ $? -ne 0 ]; then
  echo "Incorrect connect string or ODS password specified"
  exit 1;
  fi
  if [ ${OIDHOST} = "A" ] ; then
  echo " "
  printf "Please enter OID host name: "
  read OIDHOST
  fi
  ## oid host is required
  if [ "${OIDHOST}" = "" ]
  then
  echo "OID host name is required";
  exit 1;
  fi
  if [ ${OIDPORT} = "1" ] ; then
  printf "Please enter OID port number [389]: "
  read OIDPORT
  if [ "${OIDPORT}" = "" ]
  then
  OIDPORT="389"
  fi
  fi
  # Check if OID host and port is correct
  ${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} 1>/dev/null 2>/dev/null
  if [ $? -ne 0 ]; then
  echo "Incorrect OID host or port specified"
  exit 1;
  fi
  if [ ${ORCLADMINPWD} = "A" ] ; then
  printf "Please enter orcladmin password: "
  stty -echo ; read ORCLADMINPWD ; stty echo ; echo
  fi
  if [ "${ORCLADMINPWD}" = "" ]
  then
  echo "orcladmin password is required";
  exit 1;
  fi
  if [ ${ORCLADMINPWD2} = "A" ] ; then
  printf "Please enter confirmed orcladmin password: "
  stty -echo ; read ORCLADMINPWD2 ; stty echo ; echo
  fi
  if [ "${ORCLADMINPWD}" != "${ORCLADMINPWD2}" ]
  then
  echo "The input passwords are not matched";
  exit 1;
  fi
  # Check if orcladmin password is correct
  ${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} 1>/dev/null 2>/dev/null
  if [ $? -ne 0 ]; then
  echo "Incorrect orcladmin password specified"
  exit 1;
  fi
  echo " "
  if [ ${SCUSB} = "A" ] ; then
  printf "Please enter the subscriber common user search base [orclcommonusersearchbase]: "
  read SCUSB
  if [ "${SCUSB}" = "" ]
  then
  SCUSB=`${ORACLE_HOME}/bin/ldapsearch -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} -s base -b 'cn=common,cn=products,cn=oraclecontext' -L 'objectclass=*' orclcommonusersearchbase | head -2 | grep -v 'dn:' | awk '{printf $2}'`
  fi
  fi
  if [ ${PRGDN} = "A" ] ; then
  printf "Please enter the Plug-in Request Group DN: "
  read PRGDN
  fi
  if [ ${EP} = "A" ] ; then
  printf "Please enter the exception entry property [(!(objectclass=orcladuser))]: "
  read EP
  if [ "${EP}" = "" ]
  then
  EP='(!(objectclass=orcladuser))'
  fi
  fi
  echo " "
  printf "Do you want to setup the backup Active Directory for failover? (y/n) "
  read ISFAILOVER
  if [ "${ISFAILOVER}" = "y" ]
  then
  if [ ${SECADHOST} = "A" ] ; then
  printf "Please enter the backup Active Directory host name: "
  read SECADHOST
  if [ "${SECADHOST}" = "" ]
  then
  echo "Backup Active Directory host name is required";
  exit 1;
  fi
  fi
  printf "Do you want to use SSL to connect to the backup Active Directory? (y/n) "
  read ISFAILOVERSSL
  if [ "${ISFAILOVERSSL}" = "n" ]
  then
  if [ ${SECADPORT} = "1" ] ; then
  printf "Please enter the backup Active Directory port number [389]: "
  read SECADPORT
  if [ "${SECADPORT}" = "" ]
  then
  SECADPORT="389"
  fi
  fi
  fi
  if [ "${ISFAILOVERSSL}" = "y" ]
  then
  if [ ${SECADSSLPORT} = "1" ] ; then
  printf "Please enter the backup Active Directory SSL port number [636]: "
  read SECADSSLPORT
  if [ "${SECADSSLPORT}" = "" ]
  then
  SECADSSLPORT="636"
  fi
  fi
  if [ ${SECWALLETLOC} = "A" ] ; then
  echo " "
  printf "Please enter Oracle wallet location: "
  read SECWALLETLOC
  fi
  ## wallet location is required
  if [ "${SECWALLETLOC}" = "" ]
  then
  echo "Oracle wallet location is required";
  exit 1;
  fi
  if [ ${SECWALLETPWD} = "A" ] ; then
  printf "Please enter Oracle wallet password: "
  stty -echo ; read SECWALLETPWD ; stty echo ; echo
  fi
  if [ "${SECWALLETPWD}" = "" ]
  then
  echo "Oracle wallet password is required";
  exit 1;
  fi
  if [ ${SECWALLETPWD2} = "A" ] ; then
  printf "Please enter confirmed Oracle wallet password: "
  stty -echo ; read SECWALLETPWD2 ; stty echo ; echo
  fi
       if [ "${SECWALLETPWD}" != "${SECWALLETPWD2}" ]
       then
       echo "The input passwords are not matched";
       exit 1;
       fi
  fi
  fi
  # install the plug-in PL/SQL packages
  echo " "
  echo "Installing Plug-in Packages ..."
  echo " "
  # install plug-in debug tool
  cp $ORACLE_HOME/ldap/admin/oidspdsu.pls $LDAP_LOG
  chmod +w $LDAP_LOG/oidspdsu.pls
  echo "EXIT;" >> $LDAP_LOG/oidspdsu.pls
  ${CMDNAME} @$LDAP_LOG/oidspdsu.pls
  rm $LDAP_LOG/oidspdsu.pls
  ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspdof.pls
  # install plug-in packages
  ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
  #stty -echo; eval ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
  # usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
  # isfailover, isfailoverssl, sechost, secport, sechost, secsslport
  # secwalletloc, secwalletpwd
  # usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
  # isfailover, isfailoverssl, sechost, secport, sechost, secsslport
  # secwalletloc, secwalletpwd
  # register the plug-ins
  echo " "
  echo "Registering Plug-ins ..."
  echo " "
  $ORACLE_HOME/bin/ldapadd -h ${OIDHOST} -p ${OIDPORT} -D cn=orcladmin -w ${ORCLADMINPWD} << EOF
  dn: cn=adwhencompare2,cn=plugin,cn=subconfigsubentry
  objectclass:orclPluginConfig
  objectclass:top
  orclpluginname:OIDADPSW2
  orclplugintype:operational
  orclplugintiming:when
  orclpluginldapoperation:ldapcompare
  orclpluginenable:1
  orclpluginversion:1.0.1
  orclPluginIsReplace:1
  cn:adwhencompare2
  orclpluginsubscriberdnlist:${SCUSB}
  orclpluginattributelist:userpassword
  orclpluginrequestgroup:${PRGDN}
  orclpluginentryproperties:${EP}
  dn: cn=adwhenbind2,cn=plugin,cn=subconfigsubentry
  objectclass:orclPluginConfig
  objectclass:top
  orclpluginname:OIDADPSW2
  orclplugintype:operational
  orclplugintiming:when
  orclpluginldapoperation:ldapbind
  orclpluginenable:1
  orclpluginversion:1.0.1
  orclPluginIsReplace:1
  cn:adwhenbind2
  orclpluginsubscriberdnlist:${SCUSB}
  orclpluginrequestgroup:${PRGDN}
  orclpluginentryproperties:${EP}
  EOF
  cat <<DONE
  Done.
  DONE

  Hi,
  This is a problem that is not made clear in the note. What is probably happening here is that both plugins are being fired when a user logs in. OID will only read the value returned from the final plugin to fire. This can be a problem if the user authenticates correctly against the first plug-in but fails on the second. This is entirely legitimate as this note tells you to configure this way but the OID only observes the final result. The note doesn't tell us this.
  Here's an example:
  We've two OID User users in different containers: cn=Al is in container cn=usersA,dc=oracle,dc=com and cn=BOB is in container cn=usersB,dc=oracle,dc=com.
  We have two plugins: pluginA and PluginB. Installed in that order.
  When Al logs in the two plugins fire. pluginA finds Al and returns a true, but then pluginB fires and returns a false undoing the good result. OID only accepts the final answer and so rejects the user. When Bob logins in both plugins fire again but it's the second plugin that returns the answer again. This is true and bob gets in.
  There's a couple of ways around this and one of the more effective ways is to associate the plugin with the dn. So in our example, we associate the pluginA to fire only for the dn cn=usersA,dc=oracle,dc=com and pluginB only to fire when a user is in cn=usersB,dc=oracle,dc=com. This gets around the problem of mulitple plugins firing and giving conflicting answers as the appropriate plugin only fires once.
  I've used this solution in a realtime environment when connecting and provisioning multiple ADs into one OID and found it to be extremely effective.
  Another solution is to associate the plugins with groups.
  Both of these options may be configured easily by modifying the plugin properties in ODM. Don't forget to restart OID after you've made the changes.
  HTH!
  Phil.
  If

• OracleAS SSO - Microsoft Active Directory External Authentication Plug-in

  hi ,
  I recently inherited support of a Oracle SSO/OID environment where we use AD and a external Authentication Plug-
  in to talk to it as user credentials are managed in AD,
  We have a lot of domain controllers for AD in our env , so my questions is
  1) How do I find out which AD server is the plugin currently referring to ,
  I need to know this info ASAP as lot of AD servers are getting decomissioned and I want to make sure the SSO env
  is not talking to a AD server that would get decomissioned soon

  hi,
  Look in the integration part in oidadmin. ActiveChgImp
  $ORACLE_HOME/bin/oidadmin
  or look for ad2oid.properties
  or look at this URL http://www.oracle.com/technology/obe/obe_as_10g/im/ads_import/import.htm
  is what I used to configure ours
  Regards

• Active Directory Cached Domain Login question

  Hi all,
  I would like to seek assistance on the following scenario setup where I have 2 independent AD forest setup
  Production Forest #1 - Contoso
  Test Lab Forest #2 - Contoso
  Assuming both AD forests domain controllers are issued with Domain Controller Certs (to support smartcard login) from the same CA, and there exists a AD user acct - Mark in Production Forest #1 and this user is currently using a issued smartcard to perform
  AD login on desktop client #1
  Would it be possible to create a AD user acct - Mark in Test Lab Forest #2 and use the same issued production smartcard to perform AD login on laptop client #2 which is joined to Test Lab Forest #2? If not technically possible, why??? :(
  I am trying to find a solution where I can have the laptop clients support login using the issued production smartcard. The challenge here is not all the laptop clients site have access to the production domain controllers hence am thinking of building the
  Test Lab Forest #2 on another "server" laptop which provides a mobile means to allow the laptop clients to be joined to the Test Lab Forest and then supporting the issued production smartcard via domain cached login.

  So far I know the only requirement is that the UPN match and that the PKI is trusted (in NTAuth) in the forest, but I'm not a PKI expert. I suggest to ask this question in the security forum as well:
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
  Enfo Zipper
  Christoffer Andersson – Principal Advisor
  http://blogs.chrisse.se - Directory Services Blog

• Active Directory Groups - Domain Users Group

  Using the AD resource adpater, I am able to assign groups and remove groups, but I noticed that the Domain Users group does not appear in the list of groups the user belongs to. Looking AD the user does belong, but in IDM it does not list this group membership. Is this normal ?

  Thanks for the reply. I noticed there are quite a few issues with trying to UNC map to any share outside of the local MXE3500. I'm also seeing some issues with FTP watches on an EMC NAS, that has been FTP enabled. The problem I'm seeing now is that the watch will only work, if the watch is at the root level. If I add a file path, its accepted as valid when I save the directory watch, but looking at the fa.log its appending the last directory on twice.
  So if my watch is looking at FTP Directory Path of: lifelink
  The fa.log shows: .../lifelink/lifelink/
  the word lifelink is displayed twice, causing an error, stating: "Error checking file size delay"
  thanks,
  Dave

• Prevent Active Directory Parent Domain Admins from accessing Child Domain

  We want to prevent Parent domain administrators (or a similar profile?) from accessing and/or administering child domains. Is this possible, or do parent domain admins have irrevocable administrative access to any child domain?
  Asked another way, can a restricted profile be configured for administration of the parent domain that does not cross domain boundaries effectively isolating each domain's administrative needs?
  Thanks in advance for input and advice!
  Best regards.

  Sorry, I was replying again after I read your second paragraph. The parent domain is the Forest root. we have parentdomain.com
  parent.parentdomain.com
  child1.parentdomain.com
  child2.parentdomain.com
  child3.parentdomain.com
  We do not want the Domain Administrator for parentdomain.com to be able to administer, or preferably, even access the Child Domains.
  1.) Can we remove that user from "Enterprise Admin" role and assign a different role so that they can only administer parentdomain.com (effectively demoting that user)?
  2.) Promote a Child.parentdomain.com user to Enterprise Admin?
  Thanks sorry for the confusion.
  Ah ok.
  Yes, you can. the answer is the same basically. The group membership is what counts. So in the child domain, remove the enterprise admins group from the child domain admins groups. OR make sure the domain admins of the forest root are not members of the
  enterprise admins group. that way they are still only admins in the parent domain.
  It is really only depending on group members ship and including those groups in the child domain. by default the enterprise group is included for example, but nothing stops you from removing those groups.
  based on the group membership you can also deny them the ability to log on.
  the only thing you cannot prevent is the forest administrator account from doing something.
  One thing I would like to add though: any admin in the forest domain likely has the ability to still get access if he wants to force his way in.

• VDI 3 + Active Directory Child Domain Setup Question

  Hi Everyone,
  Quick question. Will this config work because I'm having some issues.
  Domain A
  Child Domains A.A, B.A, C.A, etc..
  Kerbros is setup and pointing at domain A with admin account access.
  VDI3 can see all the domains when I pull down the domain selector... however!... I can only log into the parent domain A. Attempts to log into child domains A.A, B.A, etc give me an 'Unknown user/password error'.
  Will this config work? All child domains are part of the same forest which I thought was supported.
  Many thanks in advanced for any replies.
  Dono

  Hello,
  yes, forests with multiple child domains are supported and your configuration should be working.
  In order to troubleshoot the problem, please follow the instructions at:
  http://wikis.sun.com/display/VDI3/End-users+cannot+access+their+virtual+machines.
  The cacao logs should contain more details about the error.
  Thanks,
  Katell

• Lync 2013 & Active Directory Intra Domain Migrations

  Hi all,
  Hopefully this is the correction forum to ask.  Suppose the following scenario
  Parent Domain containing Lync 2013 Servers
  Child domains consisting of user accounts
  It is intended that child domains containing Lync 2013 enabled users be migrated to the parent domain. 
  A few questions
  Is it possible to migrate user accounts to another domain and configure the migrated (technically new) account to link back to Lync so as to retain contact information?
  Or prior to migration have contacts exported so they can be imported into the new Lync 2013 accounts?
  Thanks,

  Within a single forest it quite possible to have Lync installed in one domain and User a part of another domain 
  All we have to do during the Lync server install process run the domain prepaerationn wizard for all the domain weher we shall either have Lync user object or Lync server object 
  Please refer http://technet.microsoft.com/en-us/library/gg398630.aspx
  I believe As long as the user SIP URI Doesn't change you can export the user data information and after the migration if you can import in user information 
  Please refer http://technet.microsoft.com/en-us/library/jj204897.aspx
  PLEASE REMEMBER, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answered"

• How to script out to connect to Active Directory specific domain controller server?

  How to script out a script that enable us to connect to the specific domain controller server, it is because I have 2 different servers version and both of them have been communicate with powershell, thus, I wanted to powershell to communicate with one
  server version. How to script this out? 

  Please see the Posting Guidlines:
  http://social.technet.microsoft.com/Forums/en-US/a0def745-4831-4de0-a040-63b63e7be7ae/posting-guidelines?forum=ITCG
  and this article on how to ask questions in a technical forum:
  http://sincealtair.blogspot.com/2010/04/how-to-ask-questions-in-technical-forum.html
  [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

• Active Directory domain failed

  Hello Team,
  When i joined to our active directory, everytime bui gives same error messages:
  The attempt to join the Active Directory domain failed either because the clocks of the appliance and the domain controller are skewed or the administrative user
  does not have the appropriate permissions to create a computer account in Active Directory.
  It is recommended that NTP be used to keep clocks synchronized when using Active Directory.
  Storage Appliance: 7310 One Controller, No firewall for ntp server also which connect directly NTP Domain server. Actually my believe is that no time sync issue.
  Firmware version is latest patch.
  What is your idea about this issue?
  i did many times this action plan: but result is same
  ActiveDirectoryTasks
  B)Joining a Domain
  1.Configure an ActiveDirectory site in the CIFS context. (optional)
  2.Configure a preferred domain controller in the CIFS context. (optional)
  3.Enable NTP, or ensure that the clocks of the appliance and domain controller are synchronized
  to within five minutes.
  4.Ensure that your DNS infrastructure correctly delegates to the ActiveDirectory domain, or add
  your domain contoller's IP address as an additional name server in the DNS context.
  5.Configure the ActiveDirectory domain, administrative user, and administrative password.
  6.Apply/commit the configuration.
  A)Joining aWorkgroup
  Configure theworkgroup name.
  Apply/commit the configuration.
  1. First of all LAN Compatibility Mode 4 works fine with Win 2003 (AD Server)
  2. While trying to join the AD, using a non ADMIN username and passsword will not help
  Try using a username/pass which has Administrative Privileges (specifically having the rights for Account Creation in
  the AD Server) on the AD server.
  (I was trying by a different username/pass but it was not joing the storage to AD. It joined when i tried a user having
  the privileges to create Machine Accounts in AD)
  3. For Clock Sync, the tolerance limit is upto 5 Minutes..So you can take care that the difference does not go beyond
  5 minutes.
  Thanks
  Can
  Gantek Tech.

  Your first post to these OTN forums.
  You posted your inquiry to a HARDWARE forum.
  Your issue seems to be a Microsoft OS issue and you just happen to have your OS volumes on a model 7310 appliance.
  I suggest you go find a forum somewhere that is hosted for Microsoft AD issues.
  If you happen to need the documentation for that piece of storage hardware, there are currently three PDF's available:
  http://docs.oracle.com/cd/E19935-01/index.html
  They are the Installation Guide, the hardware Administration Guide, and the Service Manual.
  There are no current Oracle-published documents for that box as related to Active Directory.

• Authenticating Workgroup Manager to Active Directory.

  Dear all,
  I've searched the forums and Internet and tried various things that could help my situation but I'm still having issues.
  I am running 10.4.11 server 10.4.11 client machines. All machines and server are connected to Active Directory via the built in AD plugin.
  Logging on to a client machine with an AD login works fine, no issues.
  System image deployment over the network from the Xserve work fine.
  The I have is implementing managed preferences from Workgroup Manager. When I open it, it will show me all of the users and groups. It says:
  *Viewing directory: /Active Directory/All domains. Not authenticated*
  When I click the padlock to authenticate, and enter my domain admin username and password, it says:
  *The login information is not valid for this server.*
  My login works as it allows me  to add machines to the domain.
  More info available as needed. If anyone can assist, thanks in advance.
  Regards,
  M.

  Hi
  Viewing directory: /Active Directory/All domains. Not authenticated
  When you bound the server to the Active Directory Realm what user name and password did you use? It will be this name and password that you will need to authenticate to the Active Directory node. This name and password should be the one that already exists on the AD that has authority for that server. Its also the name and password that should be used when binding mac clients to the AD node using the Active Directory plugin in Directory Access.
  This name and password can be the same as the one created for promoting your server to OD Master (diradmin). Its a good idea to create this account on the AD first (make it authoratative for the AD) before promotion and client binding.
  If you want to augment the AD with OSX Server managed preferences (MCX) then create a group within the /LDAPv3/127.0.0.1 node (assuming you have promoted the server to OD Master and disabled sso). Have two windows open in WGM (better done from a client). One window will show you the AD node and the other the OD node. Drag users or groups from the AD node into the newly created group in the OD node.
  Apologies if you already know this, Tony

• MS Active Directory 2008 as UME datasource for AS Java

  Hello,
  We are running SAP EP on top of a SAP AS Java using LDAP certification, so users
  from MS Active Directory 2003 domain are trusted by the Portal
  I've now a problem with the version upgrade of MS Active Directory from 2003 to 2008,
  it seems only SAP AS ABAP supports MS AD 2008, and our instance is JAVA only
  Note 983808 - "Certified LDAP servers" also confirm this
  Do you know if AD 2008 is supported, if any note has been released about this and
  any document to help me wiith this issue?
  thanks in advance!
  Rafael

  Hi Patrick, thanks for the answer
  I checked the note and it refers about Windows 2008 and a scenario with SSO, that's not our case.
  We just have AD as a LDAP UME datasource, users must still pass user and password which
  is then checked and then login is authorized
  you mentioned AD 2008 is supported for Netweaver AS Java, could you send me any document
  or note with procedures or anything for configuring it ?
  kind regards,
  Rafael

• Time services in Active Directory

  We have an old Ubuntu box running as an NTP server and as part updating our systems we are planning to decommission it.  However, this system has been set as the local machines NTP server via DHCP scope options and via group policy.  If I just
  switch it off then all the Windows clients or any DHCP client on the network will not know where to get the correct time from and could cause connectivity issues on the domain.
  I have tested a new GPO on an isolated machine to see what the effects are and not a lot changed, the client machine effected by this new GPO just reports DC01 as the NTPServer when I run w32tm /query /configuration and reports the source as being local
  CMOS clock when i run w32tm /query /status.  Is this normal?
  Running the same thing on my PDC shows the clock as being Free running system clock, should this be set to an online time service, or should it not matter (as long as the clients are only getting their time
  from the PDC?
  What I would like to know is is there a best practice guide somewhere I can read through?
  I have been trawling various searches but can't seem to find anything relevant.
  Drac

  We have an old Ubuntu box running as an NTP server and as part updating our systems we are planning to decommission
  it.  However, this system has been set as the local machines NTP server via DHCP scope options and via group policy.  If I just switch it off then all the Windows clients or any DHCP client on the network will not know where to get the correct time
  from and could cause connectivity issues on the domain.
  You can use GPOs to make your Windows Client computers use your AD forest topology for time sync. I have described that in this Wiki article:http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
  Once you are sure that all Windows client computers (and non-Windows computers if you have some) are using your AD forest topology for time sync, you can remove your Ubunto box.
  I have tested a new GPO on an isolated machine to see what the effects are and not a lot changed, the client
  machine effected by this new GPO just reports DC01 as the NTPServer when I run w32tm /query /configuration and reports the source as being local CMOS clock when i run w32tm /query /status.  Is this normal?
  Is the client you use running as a VM? If yes, you can consider disabling the time sync feature with the hypervisor. 
  Otherwise, please consider running the following commands to re-create registry entries for time sync configuration:
  w32tm /unregister
  w32tm /register
  Currently the PDC does not sync with any online time server, just its own internal clock (this is a virtual Windows
  2012 server with the guest set not to sync time with host, if that makes any difference?).  So i need to set this to use an online time server and then "reset" the clients to use the PDC instead of the internal NTP server.  The other DC's in our
  domain all use the PDC as their time server along with all other infrastructure servers.
  You need to configure the PDC emulator of the root domain in your forest to sync its time with at least two reliable NTP external servers. 
  This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Get Active Directory User Last Logon
  Create an Active Directory test domain similar to the production one
  Management of test accounts in an Active Directory production domain - Part I
  Management of test accounts in an Active Directory production domain - Part II
  Management of test accounts in an Active Directory production domain - Part III
  Reset Active Directory user password