BOXI r2 - SSO in Active Directory multi domain
Hi all,
I have a customer with XI r2 on Windows and InfoView deployed on Tomcat. Security is (OK until yesterday) secWinAD with SSO via Vintela. Yesterday they added a new domain in krbc5.ini and the new domain's users cannot log in. The Tomcat trace reports the following:
INFO: Server startup in 8516 ms
24625 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.GSSManager - No Subject found on the current thread
24641 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - GSS: Acceptor supports: KRB5
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Ticket service name is: HTTP/svrcrmboprod.sti.stg***STI.STG
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - GSS name is: HTTP/svrcrmboprod.STI.STG***STI.STG
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Using keytab entry for: HTTP/svrcrmboprod.STI.STG***STI.STG
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** decrypting ticket .. **
with key
Principal: HTTP/svrcrmboprod.STI.STG***STI.STG
Type: 1
TimeStamp: Thu Jan 01 01:00:00 CET 1970
KVNO: 6
Key: [3, a8 7f 51 1a f1 40 e3 19 ]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - decrypted ticket:
Ticket:
encryption type: 3 (DECRYPTED OK)
service principal: HTTP/svrcrmboprod.sti.stg***STI.STG
TransitedEncoding:
client: Quattri***BFP.STG
session key: [3, 9e 46 40 31 df a8 68 1 ]
ticket flags: forwardable renewable ok-as-delegate preauthent
valid from: Thu Sep 24 17:19:40 CEST 2009
valid till: Fri Sep 25 03:19:40 CEST 2009
valid for:
all addresses
auth data:
[1, 30 82 3 62 30 82 3 5e a0 4 2 2 0 80 a1 82 3 54 4 82 3 50 4 0 0 0 0 0 0 0 1 0 0 0 c0 2 0 0 48 0 0 0 0 0 0 0 a 0 0 0 18 0 0 0 8 3 0 0 0 0 0 0 6 0 0 0 14 0 0 0 20 3 0 0 0 0 0 0 7 0 0 0 14 0 0 0 38 3 0 0 0 0 0 0 1 10 8 0 cc cc cc cc b0 2 0 0 0 0 0 0 0 0 2 0 15 d6 9d 6f 2a 3d ca 1 ff ff ff ff ff ff ff 7f ff ff ff ff ff ff ff 7f c2 f0 21 d3 2f 2d ca 1 c2 70 86 cb c2 44 ca 1 c2 70 4f bc e8 73 ca 1 e 0 e 0 4 0 2 0 20 0 20 0 8 0 2 0 0 0 0 0 c 0 2 0 0 0 0 0 10 0 2 0 44 0 44 0 14 0 2 0 4 0 4 0 18 0 2 0 45 6 0 0 de 4 0 0 1 2 0 0 3 0 0 0 1c 0 2 0 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 14 0 16 0 20 0 2 0 6 0 8 0 24 0 2 0 28 0 2 0 0 0 0 0 0 0 0 0 14 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 0 0 0 2c 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 7 0 0 0 0 0 0 0 7 0 0 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 0 0 10 0 0 0 0 0 0 0 10 0 0 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 20 0 4c 0 6f 0 72 0 65 0 64 0 61 0 6e 0 61 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 22 0 0 0 0 0 0 0 22 0 0 0 5c 0 5c 0 73 0 76 0 72 0 62 0 66 0 70 0 66 0 73 0 68 0 66 0 2e 0 62 0 66 0 70 0 2e 0 73 0 74 0 67 0 5c 0 48 0 4f 0 4d 0 45 0 24 0 5c 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 2 0 0 0 0 0 0 0 2 0 0 0 4d 0 3a 0 3 0 0 0 1 2 0 0 7 0 0 0 9a 4 0 0 7 0 0 0 48 e 0 0 7 0 0 0 b 0 0 0 0 0 0 0 a 0 0 0 53 0 56 0 52 0 42 0 46 0 50 0 44 0 43 0 30 0 32 0 4 0 0 0 0 0 0 0 3 0 0 0 42 0 46 0 50 0 0 0 4 0 0 0 1 4 0 0 0 0 0 5 15 0 0 0 3b c2 da 85 8 fa d1 16 fe 9b 47 2f 4 0 0 0 30 0 2 0 7 0 0 0 34 0 2 0 7 0 0 0 38 0 2 0 7 0 0 0 3c 0 2 0 7 0 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 82 8b a6 28 4b 2c bc 1a 7 e5 3b 2b 36 40 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 82 8b a6 28 4b 2c bc 1a 7 e5 3b 2b 99 33 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 82 8b a6 28 4b 2c bc 1a 7 e5 3b 2b d0 12 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 9b 11 b 6a 91 78 ec 27 6b 53 ee 1b 7a c 0 0 0 0 0 0 0 8e 60 6f 2a 3d ca 1 e 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 76 ff ff ff 16 15 71 e5 8 76 59 2a 0 de 13 b9 f8 a3 c4 94 0 0 0 0 76 ff ff ff a6 9f 99 90 c7 63 41 c6 
4a b4 f 8d c2 70 44 9f 0 0 0 0 ]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.GSSContext - Setting context expiry to [1253841580000]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.GSSContext - Current wall time is [1253805580586]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** decrypting application request .. **
with key
[3, 9e 46 40 31 df a8 68 1 ]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - decrypted application request:
++++ KRB-AP-REQ Message ++++
encryption type: 3 (DECRYPTED OK)
ap options: mutual-required
Ticket:
encryption type: 3
service principal: HTTP/svrcrmboprod.sti.stg***STI.STG
client: Quattri***BFP.STG
subkey: [3, da 34 d3 4 8f f2 e9 b9 ]
client time: Thu Sep 24 17:19:40 CEST 2009
cusec: 1546
sequence number: 1846075710
++++++++++++++++++++++++++++
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Got delegated credential
24703 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Delegated credential:
++++ KRB-CRED Message ++++
encryption type: 0 (DECRYPTED OK)
sender address: null
receiver address: null
nonce: -1
timestamp: null
credentials:
Credential
client: Quattri***BFP.STG
session key: [3, 1 62 43 b3 a2 15 1f 70 ]
service principal: krbtgt/BFP.STG***BFP.STG
valid from: Thu Sep 24 17:19:40 CEST 2009
valid till: Fri Sep 25 03:19:40 CEST 2009
renewable till: Thu Oct 01 17:19:40 CEST 2009
Ticket:
encryption type: 23
service principal: krbtgt/BFP.STG***BFP.STG
ticket flags: forwardable forwarded renewable preauthent
valid for: all addresses
++++++++++++++++++++++++++++
24703 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** creating application response .. **
with key
[3, 9e 46 40 31 df a8 68 1 ]
24703 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - created application response:
++++ KRB-AP-REP Message ++++
encryption type: 3
sequence number: 162921799
sub session key: null
client time: Thu Sep 24 17:19:40 CEST 2009
cusec: 1546
++++++++++++++++++++++++++++
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker -
GSS: Initiator supports: KRB5
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker -
GSS: Initiator TGS key type:
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker - 3
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker -
Found acceptor realm: null
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker - GSS: Initiator getting service ticket for: BO_Admin
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** requesting service ticket .. **
with credentials:
Credential
client: Quattri***BFP.STG
session key: [3, 1 62 43 b3 a2 15 1f 70 ]
service principal: krbtgt/BFP.STG***BFP.STG
valid from: Thu Sep 24 17:19:40 CEST 2009
valid till: Fri Sep 25 03:19:40 CEST 2009
renewable till: Thu Oct 01 17:19:40 CEST 2009
Ticket:
encryption type: 23
service principal: krbtgt/BFP.STG***BFP.STG
ticket flags: forwardable forwarded renewable preauthent
valid for: all addresses
for service principal: BO_Admin
at realm: BFP.STG
26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.impl.DefaultKdcResolver - Resolving KDC for realm: BFP.STG
26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Resolver -
UDP attempt #0 to DNS server svrstidc01.sti.stg/172.20.1.103
26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Resolver - Data sent:
0d 20 01 00 00 01 00 00 00 00 00 00 09 5f 6b 65 72 62 65 72
6f 73 04 5f 75 64 70 03 42 46 50 03 53 54 47 00 00 21 00 01
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Resolver - Data received:
0d 20 81 80 00 01 00 01 00 00 00 01 09 5f 6b 65 72 62 65 72
6f 73 04 5f 75 64 70 03 42 46 50 03 53 54 47 00 00 21 00 01
c0 0c 00 21 00 01 00 00 01 c6 00 1a 00 00 00 64 00 58 0a 73
76 72 62 66 70 64 63 30 32 03 62 66 70 03 73 74 67 00 c0 3a
00 01 00 01 00 00 00 00 00 04 ac 15 01 66
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response - params: 1000000110000000
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response - Query sent:
Qname: _kerberos._udp.BFP.STG
Qtype: 33
Qclass: 1
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response -
Record
Name: _kerberos._udp.BFP.STG
Class: 1
TTL: 454
Type: SRV
Priority: 0
Weight: 100
Port: 88
Target: svrbfpdc02.bfp.stg
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response -
Record
Name: svrbfpdc02.bfp.stg
Class: 1
TTL: 0
Type: A
IP Address: 172.21.1.102
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.impl.DefaultKdcResolver - Available KDC found: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending message to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending UDP request: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - --- got 79-byte response, initial byte = 0x7e
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Message sent sucessfully to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database)
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/logon.jsp, pathInfo=null, queryString=null, name=null
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/common/bannerheader.jsp, pathInfo=null, queryString=null, name=null
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/_logon.jsp, pathInfo=null, queryString=null, name=null
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
Do you have any tips?
Thanks in advance
Fabrizio
Sorry,
I noticed that the trace is too long, so I have put in only the most important part.
Thanks
F.
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response -
Record
Name: svrbfpdc02.bfp.stg
Class: 1
TTL: 0
Type: A
IP Address: 172.21.1.102
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.impl.DefaultKdcResolver - Available KDC found: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending message to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending UDP request: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - --- got 79-byte response, initial byte = 0x7e
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Message sent sucessfully to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database)
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/logon.jsp, pathInfo=null, queryString=null, name=null
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/common/bannerheader.jsp, pathInfo=null, queryString=null, name=null
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/_logon.jsp, pathInfo=null, queryString=null, name=null
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
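Added here as an editor's example, not code from Fabrizio's post, from Business Objects or from the Vintela library: a small Python triage for the trace above, plus a checker for a krb5.ini. The lines it reads are what the trace shows: the acceptor's keytab entry is HTTP/svrcrmboprod.STI.STG in realm STI.STG, the delegated TGT belongs to a BFP.STG user, "Found acceptor realm: null", and the service ticket for the unqualified name BO_Admin is then requested from the BFP.STG KDC, which answers "Server not found in Kerberos database". The trace excerpt and the krb5.ini are constructed (the page prints `***` where a principal normally reads name@REALM, and the parser accepts both); whether the customer's fix is a realm-qualified service name in the CMC or a [domain_realm] mapping for the new domain is for them to verify, so both are assumptions here.

```python
"""Triage a Vintela/Kerberos SSO trace and a krb5.ini for a two-realm setup.

Editor's example (assumptions labelled), not code from the post or from Vintela.
"""
import re

# Constructed excerpt of the trace lines that matter for the diagnosis.
# The page shows '***' where a Kerberos principal normally reads name@REALM.
TRACE = """\
GSS name is: HTTP/svrcrmboprod.STI.STG***STI.STG
client: Quattri***BFP.STG
Found acceptor realm: null
GSS: Initiator getting service ticket for: BO_Admin
at realm: BFP.STG
LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database)
"""

# Constructed krb5.ini: the second realm exists under [realms] but has no [domain_realm] mapping.
KRB5_INI = """\
[libdefaults]
default_realm = STI.STG
[realms]
STI.STG = {
  kdc = svrstidc01.sti.stg
}
BFP.STG = {
  kdc = svrbfpdc02.bfp.stg
}
[domain_realm]
.sti.stg = STI.STG
sti.stg = STI.STG
"""


def split_principal(text):
    """'name@REALM' (or 'name***REALM' as printed on the page) -> (name, realm or None)."""
    parts = re.split(r"@|\*\*\*", text.strip(), maxsplit=1)
    return (parts[0], parts[1]) if len(parts) == 2 else (parts[0], None)


def triage_trace(trace):
    """Pull the realms out of the handshake and explain a 'Server not found' error."""
    def grab(pattern):
        m = re.search(pattern, trace, re.MULTILINE)
        return m.group(1).strip() if m else ""

    _, acceptor_realm = split_principal(grab(r"^GSS name is: (.+)$"))
    _, client_realm = split_principal(grab(r"^client: (.+)$"))
    target, target_realm = split_principal(grab(r"getting service ticket for: (.+)$"))
    requested_realm = grab(r"^at realm: (.+)$") or None
    error = grab(r"KerberosError: ([^)]+)\)") or None
    finding = None
    # Unqualified service name + ticket requested in the *user's* realm + KDC says unknown server.
    if (error and "Server not found" in error and target_realm is None
            and "/" not in target and requested_realm == client_realm
            and requested_realm != acceptor_realm):
        finding = (f"service name '{target}' is unqualified; the delegated credential is from "
                   f"{client_realm}, so the ticket was requested from the {requested_realm} KDC "
                   f"instead of {acceptor_realm}, where the service account is")
    return {"acceptor_realm": acceptor_realm, "client_realm": client_realm,
            "target": target, "requested_realm": requested_realm,
            "error": error, "finding": finding}


def parse_krb5(text):
    """Minimal krb5.ini reader: [sections], 'key = value' and 'REALM = { ... }' blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = key
                conf[section][key] = {}
            elif block is not None:
                conf[section][block].setdefault(key, []).append(value)
            else:
                conf[section][key] = value
    return conf


def check_realms(conf, realms):
    """For every realm the trace touched: is a KDC configured, and is some domain mapped to it?"""
    problems = []
    for realm in realms:
        if "kdc" not in conf.get("realms", {}).get(realm, {}):
            problems.append(f"{realm}: no kdc in [realms]")
        if realm not in conf.get("domain_realm", {}).values():
            problems.append(f"{realm}: no [domain_realm] mapping")
    return problems


if __name__ == "__main__":
    result = triage_trace(TRACE)
    print(result["finding"])
    realms = [result["acceptor_realm"], result["client_realm"]]
    print(check_realms(parse_krb5(KRB5_INI), realms))
```

Run it against the full stdout.log rather than the excerpt and it reports the same fields; the krb5.ini check is the thing to run right after a realm is added, because a missing [domain_realm] entry is invisible until a user from that realm tries SSO.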
Similar Messages
-
Problem authenticating user in Active Directory cross domain
Hi,
We have two different AD servers serving our London and Tokyo networks. My application runs in London network but used by both London and Tokyo users.
The two ADs have domain trust setup between them. I have groups defined in London AD to which users from both the London and Tokyo ADs are assigned.
I'm trying to connect to the London AD using the "user's credentials" and retrieve the groups they are assigned to.
I can connect to the London AD using any of the London users and I can retrieve the groups. But when I use a Tokyo user's credentials to connect using the London AD server I'm getting a security exception with a code indicating "User Not Found".
The code I use, which is very basic, is given below. Running it as such gives me the following error:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece.
If I change in the code below, Provider URL to Tokyo AD Server URL then it works but I can't use that due to security restrictions. As per the Windows Team the domain trust should allow me to connect/bind to the London AD Server with the Tokyo credentials.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.*;

public class CrossDomainBind {
    public static void main(String[] args) throws javax.naming.NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "london ldap server url"); // e.g. ldap://host:389
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.REFERRAL, "follow");
        env.put(Context.SECURITY_PRINCIPAL, "[email protected]"); // the user's UPN (placeholder as posted)
        env.put(Context.SECURITY_CREDENTIALS, "password");
        env.put(LdapContext.CONTROL_FACTORIES, "com.sun.jndi.ldap.ControlFactory");
        LdapContext ctx = new InitialLdapContext(env, null); // the simple bind happens here
        ctx.close();
    }
}
I would like to know how to authenticate a user in a cross domain Active Directory environment. I read in one of the blogs that the "simple bind" will not work for cross domain user authentication. Unfortunately the blogger didn't mention what would work :( . Any help is much appreciated.
Please bear with me if my query is a naive one and point me in the right direction.
Thanks
Jothi
Hi Praveen,
to avoid losing data when user objects are moved to new locations in the LDAP server, it is possible to configure the User Management Engine to use the value of a specific unique attribute as part of the unique ID instead of the distinguished name.
For this, you have to change the following UME properties:
For user objects: ume.ldap.unique_user_attribute=<attributename>
For account objects: ume.ldap.unique_uacc_attribute=<attributename>
For group objects: ume.ldap.unique_grup_attribute=<attributename>
Be aware that the attribute (i.e. cn or uid) must be unique in the configured user/group path.
Please read SAP Note 777640 for more information regarding this problem and the way to change the UME properties.
Best regards,
Robert
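Added as an editor's example, not code from the question or from the reply above: a Python parser for the AD bind diagnostic quoted in the question ("[LDAP: error code 49 - 80090308: LdapErr: DSID-..., comment: AcceptSecurityContext error, data 525, vece"). Result 49 alone only says "invalid credentials"; the `data` sub-code is what distinguishes "the DC could not find this account" (525, the case in the question) from a wrong password (52e) or a blocked account, which decides whether the trust and UPN routing or the credentials should be looked at first. The sample message is copied from the question; the sub-code table is the documented set of AD values, and the triage wording is mine.

```python
"""Decode an Active Directory simple-bind failure as JNDI reports it (editor's example)."""
import re

# Constructed sample, copied from the message quoted in the question.
SAMPLE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
          "comment: AcceptSecurityContext error, data 525, vece")

# AD-specific sub-codes returned with LDAP result 49 (invalidCredentials), with a triage category.
AD_DATA_CODES = {
    "525": ("user not found", "lookup"),
    "52e": ("invalid credentials (wrong password)", "credential"),
    "530": ("not permitted to log on at this time", "policy"),
    "531": ("not permitted to log on at this workstation", "policy"),
    "532": ("password expired", "credential"),
    "533": ("account disabled", "account"),
    "701": ("account expired", "account"),
    "773": ("user must reset password", "credential"),
    "775": ("account locked out", "account"),
}

_PATTERN = re.compile(
    r"error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9a-fA-F]+)")


def parse_bind_error(message):
    """Return a dict describing the failure, or None if the message is not in AD's format."""
    m = _PATTERN.search(message)
    if not m:
        return None
    info = m.groupdict()
    meaning, category = AD_DATA_CODES.get(info["data"].lower(), ("unknown sub-code", "unknown"))
    info.update(meaning=meaning, category=category)
    return info


def advice(info):
    """One-line triage hint: 'lookup' means the answering DC never found the account at all."""
    if info is None:
        return "not an AD bind diagnostic"
    if info["category"] == "lookup":
        return ("the DC that answered did not find this account; check that the principal "
                "(UPN or DOMAIN\\user) names an account that DC can resolve, which for a user "
                "from another domain depends on the trust and UPN suffix routing, not on the password")
    if info["category"] == "credential":
        return "the account was found; the password or its state is the problem"
    return f"the account was found but is blocked: {info['meaning']}"


if __name__ == "__main__":
    parsed = parse_bind_error(SAMPLE)
    print(parsed["data"], parsed["meaning"])
    print(advice(parsed))
```

Feed it the message text of the NamingException (`e.getMessage()` on the Java side) as it is logged; the `comment` and `dsid` fields are kept because support cases usually ask for them verbatim.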
-
Active Directory multi forest Kerberos authentication Tomcat
Sorry, this is the wrong forum. I forwarded my question to the Business Objects forum.
Hi,
I have Business Objects Enterprise XI R2 with Tomcat installed on Windows 2003. My BO server and users are placed in different Active Directory forests (BO domain x forest A, users domain y forest B). I would like to authenticate users from domain y in my BO using Kerberos.
There is a trust between those domains. I also set the SPN and configured the "Windows AD" tab in the Central Management Console.
I can add an AD group from domain y and list users from that domain in the Central Management Console. But when a user from domain y tries to log on to BO he gets the error java.lang.NullPointerException. Due to this error, he is unable to connect.
There is also an error logged in the Tomcat stdout.log file:
70051106 [http-8080-Processor22] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
If anyone has come across this situation, please share the solution.
Thanks & Regards,
Piotr
Edited by: Piotr Heise on Mar 27, 2009 2:08 PM
Hi
Is your enterprise configured to a Java Active Directory?
Then there can be multiple causes:
- The Java and the Central Management Server (CMS) are using encryption types that do not match.
- The Service Principal Name in the CMC is incorrect
To resolve this, perform the following steps:
- In the Central Configuration Manager, double-click the CMS, and note the service account used.
- In Windows Domain users and computers, go to account properties for the CMS service account.
- Select Use DES encryption types for this account. In large AD deployments this change can take time to propagate.
- Log in to the CMC and verify that the Service Principal Name (Authentication -> Active Directory -> Service Principal Name) is in the format BOBJCentralMS/HOSTNAME.DOMAIN.COM
- Restart the CMS server and log on.
In a clustered CMS environment ensure that all CMSs are running under the same domain account.
Hope this helps!!!
Regards
Sourashree
-
Authentication Plug-ins for Active Directory Multiple Domains (oidspad2.sh)
Hi,
I have used note 294791.1 from Metalink to try to link to Active Directory. I have two ADs: one is staff and the other is student.
I first ran oidspadi.sh to create the plugin for staff and it worked. Then I edited the two scripts into oidspad2.pls and oidspad2.sh with the required changes inside the files and ran it, and it worked, but now the problem is that the first AD no longer works. These are my changes below.
For oidspad2.pls:
Rem
Rem $Header: oidspada.pls 02-aug-2004.04:45:11 saroy Exp $
Rem
Rem oidspads.pls
Rem
Rem Copyright (c) 2002, 2004, Oracle. All rights reserved.
Rem
Rem NAME
Rem oidspada.pls - 9.0.4 OID Password Active Directory
Rem External Authentication Plug-in
Rem
Rem
Rem NOTES
Rem <other useful comments, qualifications, etc.>
Rem
Rem MODIFIED (MM/DD/YY)
Rem saroy 08/02/04 - Fix for bug 3807482
Rem qdinh 01/27/04 - bug 3374115
Rem dlin 01/08/04 - pingan perf
Rem dlin 08/22/03 - 3111770 bug fix
Rem dlin 08/27/03 - change the way to get name
Rem dlin 08/13/03 - bug 2962082 fix
Rem dlin 02/21/03 - plug-in install changes
Rem dlin 02/13/03 - dlin_bug-2625027
Rem dlin 02/05/03 - fix ssl & failover
Rem dlin 01/31/03 - dlin_adextauth1
Rem dlin 01/30/03 - Created
Rem
SET echo off;
SET serveroutput off;
SET feedback off;
SET verify off;
CREATE OR REPLACE PACKAGE OIDADPSW2 AS
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2);
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2);
AD_HANDLE DBMS_LDAP.session DEFAULT NULL;
END OIDADPSW2;
/
SHOW ERROR
CREATE OR REPLACE PACKAGE BODY OIDADPSW2 AS
SUBTYPE LDAP_SESSION IS RAW(32);
SUBTYPE LDAP_MESSAGE IS RAW(32);
SUBTYPE LDAP_BER_ELEMENT IS RAW(32);
SUBTYPE ATTRLIST IS DBMS_LDAP.STRING_COLLECTION;
SUBTYPE MOD_ARRAY IS RAW(32);
SUBTYPE BERLIST IS DBMS_LDAP.BERVAL_COLLECTION;
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2)
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_bind_replace()');
DBMS_LDAP.USE_EXCEPTION := FALSE;
result := 49;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := 1;
plg_debug('Can not get ADUserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_bind_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_bind_replace() ===');
RETURN;
END IF;
plg_debug( 'Go to AD for authentication');
-- externally authenticate user
IF ('&1' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&2', &3);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
-- Should free the old session if retry logic kept failing
-- to cause the number of outstanding sessions exceeding the
-- limit session number
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&4', &5);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
-- SSL bind
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&6', &7);
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&8', '&9', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM
-- or LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&10', &11);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&12', '&13', 2);
IF (retval != 0) THEN
plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
-- for failover to connect to the secondary server
IF ('&14' = 'y' AND retval != 0) THEN
IF ('&15' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&16', &17);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&18', &19);
plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'retry simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&20', &21);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&22', '&23', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&24', &25);
plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&26', '&27', 2);
IF (retval != 0) THEN
plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
-- my_session was already unbound above; release the retry session instead
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
END IF;
IF (retval = 0) THEN
result := 0;
plg_debug('AD auth return TRUE');
ELSE
result := retval;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_bind_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
OIDADPSW2.AD_HANDLE := NULL;
plg_debug( ' exception unbind_res returns ' || TO_CHAR(retval));
errormsg := 'Exception: when_bind_replace plugin';
plg_debug( 'Exception in when_bind_replace(). Error code is ' ||
TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
END;
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2)
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_compare_replace()');
result := DBMS_LDAP.COMPARE_FALSE;
DBMS_LDAP.USE_EXCEPTION := FALSE;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('Can not get ADuserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_compare_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_compare_replace() ===');
RETURN;
END IF;
-- externally authenticate user
IF ('&28' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&29', &30);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&31', &32);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&33', &34);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&35', '&36', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&37', &38);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&39', '&40', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
-- my_session was already unbound above; release the retry session instead
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
-- for failover to connect to the secondary AD
IF ('&41' = 'y' AND retval != 0) THEN
IF ('&42' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&43', &44);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&45', &46);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&47', &48);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&49', '&50', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&51', &52);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&53', '&54', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
END IF;
IF (retval = 0) THEN
result := DBMS_LDAP.COMPARE_TRUE;
plg_debug('AD auth return TRUE');
ELSE
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_compare_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
errormsg := 'Exception: when_compare_replace plugin';
plg_debug( 'Exception in when_compare_replace(). Error code is ' ||
TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
OIDADPSW2.AD_HANDLE := NULL;
END;
END OIDADPSW2;
SHOW ERRORS
EXIT;
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
FOR oidspadi.sh
#!/bin/sh
# $Header: oidspadi.sh 13-may-2005.13:48:51 saroy Exp $
# oidspadi.sh
# Copyright (c) 2002, 2005, Oracle. All rights reserved.
# NAME
# oidspadi.sh - AD external authentication plug-in install
# DESCRIPTION
# <short description of component this file declares/defines>
# NOTES
# <other useful comments, qualifications, etc.>
# MODIFIED (MM/DD/YY)
# saroy 05/13/05 - Fix for bug 4233817
# saroy 02/18/05 - Fix for bug 4054414
# saroy 11/02/04 - Fix for bug 3980370
# qdinh 01/19/04 - bug 3374115
# dlin 07/10/03 - turn off debug
# dlin 02/21/03 - plug-in install changes
# dlin 02/13/03 - dlin_bug-2625027
# dlin 07/22/02 - Creation
ADHOST="A"
ADPORT="1"
ADSSLPORT="1"
WALLETLOC="A"
WALLETPWD="A"
WALLETPWD2="A"
CONNECT="A"
ODSPWD="A"
ODSPWD2="A"
OIDHOST="A"
OIDPORT="1"
ORCLADMINPWD="A"
ORCLADMINPWD2="A"
PRGDN="A"
SCUSB="A"
EP="A"
ISSSL="n"
ISFAILOVER="n"
ISFAILOVERSSL="n"
SECADHOST="A"
SECADPORT="1"
SECADSSLPORT="1"
SECWALLETLOC="A"
SECWALLETPWD="A"
SECWALLETPWD2="A"
clear
echo "---------------------------------------------"
echo " OID Active Directory Plug-in Configuration"
echo "---------------------------------------------"
echo " "
echo "Please make sure Database and OID are up and running."
echo " "
LDAP_DIR=${ORACLE_HOME}/ldap
LDAP_LOG=${LDAP_DIR}/log
## ORACLE_HOME
if [ -z "${ORACLE_HOME}" ] ; then
echo " ORACLE_HOME must be set for this installation script"
exit 1
fi
# gather required information
if [ ${ADHOST} = "A" ] ; then
printf "Please enter Active Directory host name: "
read ADHOST
fi
## active directory host name is required
if [ "${ADHOST}" = "" ]
then
echo "Active Directory host name is required";
exit 1;
fi
printf "Do you want to use SSL to connect to Active Directory? (y/n) "
read ISSSL
if [ "${ISSSL}" = "n" ]
then
if [ ${ADPORT} = "1" ] ; then
printf "Please enter Active Directory port number [389]: "
read ADPORT
if [ "${ADPORT}" = "" ]
then
ADPORT="389"
fi
fi
fi
if [ "${ISSSL}" = "y" ]
then
if [ ${ADSSLPORT} = "1" ] ; then
printf "Please enter Active Directory SSL port number [636]: "
read ADSSLPORT
if [ "${ADSSLPORT}" = "" ]
then
ADSSLPORT="636"
fi
fi
if [ ${WALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read WALLETLOC
fi
## wallet location is required
if [ "${WALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${WALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read WALLETPWD ; stty echo ; echo
fi
if [ "${WALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${WALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read WALLETPWD2 ; stty echo ; echo
fi
if [ "${WALLETPWD}" != "${WALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
if [ ${CONNECT} = "A" ] ; then
echo " "
printf "Please enter DB connect string: "
read CONNECT
fi
if [ ${ODSPWD} = "A" ] ; then
printf "Please enter ODS password: "
stty -echo ; read ODSPWD ; stty echo ; echo
fi
## password is required
if [ "${ODSPWD}" = "" ]
then
echo "ODS password is required";
exit 1;
fi
if [ ${ODSPWD2} = "A" ] ; then
printf "Please enter confirmed ODS password: "
stty -echo ; read ODSPWD2 ; stty echo ; echo
fi
if [ "${ODSPWD}" != "${ODSPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
if [ "${CONNECT}" = "" ]
then
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD} "
else
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD}@${CONNECT} "
fi
# Check if ODS password and connect string is correct
${ORACLE_HOME}/bin/sqlplus -L ods/${ODSPWD}@${CONNECT} << END 1>/dev/null 2>/dev/null
exit;
END
if [ $? -ne 0 ]; then
echo "Incorrect connect string or ODS password specified"
exit 1;
fi
if [ ${OIDHOST} = "A" ] ; then
echo " "
printf "Please enter OID host name: "
read OIDHOST
fi
## oid host is required
if [ "${OIDHOST}" = "" ]
then
echo "OID host name is required";
exit 1;
fi
if [ ${OIDPORT} = "1" ] ; then
printf "Please enter OID port number [389]: "
read OIDPORT
if [ "${OIDPORT}" = "" ]
then
OIDPORT="389"
fi
fi
# Check if OID host and port is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect OID host or port specified"
exit 1;
fi
if [ ${ORCLADMINPWD} = "A" ] ; then
printf "Please enter orcladmin password: "
stty -echo ; read ORCLADMINPWD ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" = "" ]
then
echo "orcladmin password is required";
exit 1;
fi
if [ ${ORCLADMINPWD2} = "A" ] ; then
printf "Please enter confirmed orcladmin password: "
stty -echo ; read ORCLADMINPWD2 ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" != "${ORCLADMINPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
# Check if orcladmin password is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect orcladmin password specified"
exit 1;
fi
echo " "
if [ ${SCUSB} = "A" ] ; then
printf "Please enter the subscriber common user search base [orclcommonusersearchbase]: "
read SCUSB
if [ "${SCUSB}" = "" ]
then
SCUSB=`${ORACLE_HOME}/bin/ldapsearch -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} -s base -b 'cn=common,cn=products,cn=oraclecontext' -L 'objectclass=*' orclcommonusersearchbase | head -2 | grep -v 'dn:' | awk '{printf $2}'`
fi
fi
if [ ${PRGDN} = "A" ] ; then
printf "Please enter the Plug-in Request Group DN: "
read PRGDN
fi
if [ ${EP} = "A" ] ; then
printf "Please enter the exception entry property [(!(objectclass=orcladuser))]: "
read EP
if [ "${EP}" = "" ]
then
EP='(!(objectclass=orcladuser))'
fi
fi
echo " "
printf "Do you want to setup the backup Active Directory for failover? (y/n) "
read ISFAILOVER
if [ "${ISFAILOVER}" = "y" ]
then
if [ ${SECADHOST} = "A" ] ; then
printf "Please enter the backup Active Directory host name: "
read SECADHOST
if [ "${SECADHOST}" = "" ]
then
echo "Backup Active Directory host name is required";
exit 1;
fi
fi
printf "Do you want to use SSL to connect to the backup Active Directory? (y/n) "
read ISFAILOVERSSL
if [ "${ISFAILOVERSSL}" = "n" ]
then
if [ ${SECADPORT} = "1" ] ; then
printf "Please enter the backup Active Directory port number [389]: "
read SECADPORT
if [ "${SECADPORT}" = "" ]
then
SECADPORT="389"
fi
fi
fi
if [ "${ISFAILOVERSSL}" = "y" ]
then
if [ ${SECADSSLPORT} = "1" ] ; then
printf "Please enter the backup Active Directory SSL port number [636]: "
read SECADSSLPORT
if [ "${SECADSSLPORT}" = "" ]
then
SECADSSLPORT="636"
fi
fi
if [ ${SECWALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read SECWALLETLOC
fi
## wallet location is required
if [ "${SECWALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${SECWALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read SECWALLETPWD ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${SECWALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read SECWALLETPWD2 ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" != "${SECWALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
fi
# install the plug-in PL/SQL packages
echo " "
echo "Installing Plug-in Packages ..."
echo " "
# install plug-in debug tool
cp $ORACLE_HOME/ldap/admin/oidspdsu.pls $LDAP_LOG
chmod +w $LDAP_LOG/oidspdsu.pls
echo "EXIT;" >> $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$LDAP_LOG/oidspdsu.pls
rm $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspdof.pls
# install plug-in packages
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
#stty -echo; eval ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# register the plug-ins
echo " "
echo "Registering Plug-ins ..."
echo " "
$ORACLE_HOME/bin/ldapadd -h ${OIDHOST} -p ${OIDPORT} -D cn=orcladmin -w ${ORCLADMINPWD} << EOF
dn: cn=adwhencompare2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapcompare
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhencompare2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginattributelist:userpassword
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}

dn: cn=adwhenbind2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapbind
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhenbind2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
EOF
cat <<DONE
Done.
DONE
Hi,
This is a problem that is not made clear in the note. What is probably happening here is that both plugins are being fired when a user logs in. OID will only read the value returned from the final plugin to fire. This can be a problem if the user authenticates correctly against the first plug-in but fails on the second. This is entirely legitimate, as this note tells you to configure it this way, but OID only observes the final result. The note doesn't tell us this.
Here's an example:
We've two OID users in different containers: cn=Al is in container cn=usersA,dc=oracle,dc=com and cn=BOB is in container cn=usersB,dc=oracle,dc=com.
We have two plugins: pluginA and pluginB, installed in that order.
When Al logs in, the two plugins fire. pluginA finds Al and returns a true, but then pluginB fires and returns a false, undoing the good result. OID only accepts the final answer and so rejects the user. When Bob logs in, both plugins fire again, but it's the second plugin that returns the answer again. This is true and Bob gets in.
There are a couple of ways around this, and one of the more effective ways is to associate the plugin with the DN. So in our example, we associate pluginA to fire only for the DN cn=usersA,dc=oracle,dc=com and pluginB to fire only when a user is in cn=usersB,dc=oracle,dc=com. This gets around the problem of multiple plugins firing and giving conflicting answers, as the appropriate plugin only fires once.
I've used this solution in a real-time environment when connecting and provisioning multiple ADs into one OID and found it to be extremely effective.
Another solution is to associate the plugins with groups.
Both of these options may be configured easily by modifying the plugin properties in ODM. Don't forget to restart OID after you've made the changes.
HTH!
Phil.
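To make the two behaviours in this thread concrete, here is an added example (Python, not Oracle's code and not part of either post) that models the plug-in flow from the oidspad2.pls fragment posted above together with the multi-plug-in firing Phil describes. It follows the posted logic: a bind that returns 52, 53 or 81 (LDAP_UNAVAILABLE, LDAP_UNWILLING_TO_PERFORM, LDAP_SERVER_DOWN) is retried once on a fresh session, the backup AD is tried whenever the primary result is non-zero ('&41' = 'y' AND retval != 0, which means a wrong password is presented to both directories), and the compare returns TRUE only when the final bind code is 0. On top of that it selects which plug-ins fire for a user from their orclpluginsubscriberdnlist and keeps only the last plug-in's result, which is exactly what makes Al fail and Bob succeed in Phil's unscoped setup. The host names, DNs, passwords and the in-memory stand-in for DBMS_LDAP.simple_bind_s are constructed for the example; the empty-password guard is an addition that is not in the plug-in (an empty password is an LDAP unauthenticated bind, which AD accepts by default, and the posted code hands attrval to simple_bind_s without checking it). Separately, note that oidspadi.sh as posted passes the ODS, orcladmin and wallet passwords as command-line arguments to sqlplus, ldapbind, ldapsearch and ldapadd, where they are visible in the process list while the install runs.

```python
"""Model of the OID -> Active Directory external-authentication plug-in flow.

Added example, not Oracle's code. Constructed/assumed: the host names, DNs,
passwords and the fake bind function standing in for DBMS_LDAP.simple_bind_s.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# LDAP result codes the plug-in tests for (RFC 4511); 81 is the client
# library's LDAP_SERVER_DOWN, returned when the socket to the DC is gone.
LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49
LDAP_UNAVAILABLE, LDAP_UNWILLING_TO_PERFORM, LDAP_SERVER_DOWN = 52, 53, 81
RETRYABLE = {LDAP_UNAVAILABLE, LDAP_UNWILLING_TO_PERFORM, LDAP_SERVER_DOWN}

BindFn = Callable[[str, str, str], int]  # (host, user, password) -> result code


def bind_with_reconnect(host: str, user: str, password: str, bind: BindFn) -> int:
    """One AD: bind; on 52/53/81 the plug-in unbinds, re-inits and binds once more."""
    code = bind(host, user, password)
    if code in RETRYABLE:
        code = bind(host, user, password)  # second attempt on a fresh session
    return code


def ad_authenticate(primary: str, secondary: Optional[str], user: str,
                    password: str, bind: BindFn) -> Tuple[bool, int, Optional[str]]:
    """Returns (authenticated, last result code, host that gave the answer)."""
    # Guard NOT in the plug-in: an empty password is an LDAP *unauthenticated*
    # bind (RFC 4513 5.1.2), which AD accepts by default, so never send it.
    if not password:
        return False, LDAP_INVALID_CREDENTIALS, None
    code, host = bind_with_reconnect(primary, user, password, bind), primary
    # '&41' = 'y' AND retval != 0: the backup AD is tried on ANY failure, so a
    # wrong password is presented to both directories (two bad-password events).
    if code != LDAP_SUCCESS and secondary:
        code, host = bind_with_reconnect(secondary, user, password, bind), secondary
    return code == LDAP_SUCCESS, code, host


@dataclass
class Plugin:
    name: str
    subscriber_dn_list: List[str]  # orclpluginsubscriberdnlist
    primary: str
    secondary: Optional[str] = None


def dn_in_scope(user_dn: str, base_dn: str) -> bool:
    """RDN-wise, case-insensitive suffix match (no escaped-comma handling)."""
    u = [r.strip().lower() for r in user_dn.split(",")]
    b = [r.strip().lower() for r in base_dn.split(",")]
    return len(b) <= len(u) and u[-len(b):] == b


def plugins_that_fire(plugins: List[Plugin], user_dn: str) -> List[Plugin]:
    return [p for p in plugins
            if any(dn_in_scope(user_dn, d) for d in p.subscriber_dn_list)]


def oid_compare(plugins: List[Plugin], user_dn: str, password: str,
                bind: BindFn) -> Optional[bool]:
    """Fire every in-scope plug-in in registration order; OID reports only the
    last one's result (None if nothing fired)."""
    result = None
    for p in plugins_that_fire(plugins, user_dn):
        result = ad_authenticate(p.primary, p.secondary, user_dn, password, bind)[0]
    return result


def make_fake_ad(directories, down=(), flaky=()) -> BindFn:
    """Constructed stand-in for DBMS_LDAP.simple_bind_s: {host: {user: pw}};
    'down' hosts always return 81, 'flaky' hosts return 52 on their first bind."""
    calls = {}

    def bind(host, user, password):
        calls[host] = calls.get(host, 0) + 1
        if host in down:
            return LDAP_SERVER_DOWN
        if host in flaky and calls[host] == 1:
            return LDAP_UNAVAILABLE
        ok = directories.get(host, {}).get(user) == password
        return LDAP_SUCCESS if ok else LDAP_INVALID_CREDENTIALS
    bind.calls = calls  # exposed so callers can see how many binds each DC saw
    return bind


# Phil's example: two users in different containers, two plug-ins (sample data).
AL = "cn=Al,cn=usersA,dc=oracle,dc=com"
BOB = "cn=BOB,cn=usersB,dc=oracle,dc=com"
FAKE_AD = make_fake_ad({"ad-a.example": {AL: "al-pass"},
                        "ad-a2.example": {AL: "al-pass"},
                        "ad-b.example": {BOB: "bob-pass"}})
UNSCOPED = [Plugin("pluginA", ["dc=oracle,dc=com"], "ad-a.example", "ad-a2.example"),
            Plugin("pluginB", ["dc=oracle,dc=com"], "ad-b.example")]
SCOPED = [Plugin("pluginA", ["cn=usersA,dc=oracle,dc=com"], "ad-a.example", "ad-a2.example"),
          Plugin("pluginB", ["cn=usersB,dc=oracle,dc=com"], "ad-b.example")]

if __name__ == "__main__":
    print("Al, both plug-ins on dc=oracle,dc=com:", oid_compare(UNSCOPED, AL, "al-pass", FAKE_AD))
    print("Al, plug-ins scoped per container:   ", oid_compare(SCOPED, AL, "al-pass", FAKE_AD))
```

Running it prints False for Al with both plug-ins scoped to dc=oracle,dc=com (pluginB fires last and cannot find him) and True once each plug-in is restricted to its own container; the only difference between the two plug-in lists is the subscriber DN list, which is the property Phil suggests changing in ODM.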
OracleAS SSO - Microsoft Active Directory External Authentication Plug-in
hi ,
I recently inherited support of an Oracle SSO/OID environment where we use AD and an external Authentication Plug-in to talk to it, as user credentials are managed in AD.
We have a lot of domain controllers for AD in our env, so my question is:
1) How do I find out which AD server the plugin is currently referring to?
I need to know this info ASAP as a lot of AD servers are getting decommissioned and I want to make sure the SSO env is not talking to an AD server that would get decommissioned soon.
hi,
Look in the integration part in oidadmin. ActiveChgImp
$ORACLE_HOME/bin/oidadmin
or look for ad2oid.properties
or look at this URL http://www.oracle.com/technology/obe/obe_as_10g/im/ads_import/import.htm
is what I used to configure ours
Regards -
Active Directory Cached Domain Login question
Hi all,
I would like to seek assistance on the following scenario setup where I have 2 independent AD forest setup
Production Forest #1 - Contoso
Test Lab Forest #2 - Contoso
Assuming both AD forests' domain controllers are issued with Domain Controller certs (to support smartcard login) from the same CA, and there exists an AD user account, Mark, in Production Forest #1, and this user is currently using an issued smartcard to perform AD login on desktop client #1.
Would it be possible to create an AD user account, Mark, in Test Lab Forest #2 and use the same issued production smartcard to perform AD login on laptop client #2, which is joined to Test Lab Forest #2? If not technically possible, why?
I am trying to find a solution where I can have the laptop clients support login using the issued production smartcard. The challenge here is that not all the laptop client sites have access to the production domain controllers, hence I am thinking of building the Test Lab Forest #2 on another "server" laptop, which provides a mobile means to allow the laptop clients to be joined to the Test Lab Forest and then supporting the issued production smartcard via domain cached login.
So far I know the only requirement is that the UPN match and that the PKI is trusted (in NTAuth) in the forest, but I'm not a PKI expert. I suggest to ask this question in the security forum as well:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog -
Active Directory Groups - Domain Users Group
Using the AD resource adapter, I am able to assign groups and remove groups, but I noticed that the Domain Users group does not appear in the list of groups the user belongs to. Looking at AD, the user does belong, but in IDM it does not list this group membership. Is this normal?
Thanks for the reply. I noticed there are quite a few issues with trying to UNC map to any share outside of the local MXE3500. I'm also seeing some issues with FTP watches on an EMC NAS that has been FTP enabled. The problem I'm seeing now is that the watch will only work if the watch is at the root level. If I add a file path, it's accepted as valid when I save the directory watch, but looking at the fa.log it's appending the last directory twice.
So if my watch is looking at an FTP Directory Path of: lifelink
The fa.log shows: .../lifelink/lifelink/
The word lifelink is displayed twice, causing an error stating: "Error checking file size delay"
thanks,
Dave -
Prevent Active Directory Parent Domain Admins from accessing Child Domain
We want to prevent Parent domain administrators (or a similar profile?) from accessing and/or administering child domains. Is this possible, or do parent domain admins have irrevocable administrative access to any child domain?
Asked another way, can a restricted profile be configured for administration of the parent domain that does not cross domain boundaries effectively isolating each domain's administrative needs?
Thanks in advance for input and advice!
Best regards.
Sorry, I was replying again after I read your second paragraph. The parent domain is the forest root. We have parentdomain.com
parent.parentdomain.com
child1.parentdomain.com
child2.parentdomain.com
child3.parentdomain.com
We do not want the Domain Administrator for parentdomain.com to be able to administer, or preferably, even access the Child Domains.
1.) Can we remove that user from "Enterprise Admin" role and assign a different role so that they can only administer parentdomain.com (effectively demoting that user)?
2.) Promote a Child.parentdomain.com user to Enterprise Admin?
Thanks sorry for the confusion.
Ah ok.
Yes, you can. The answer is basically the same. The group membership is what counts. So in the child domain, remove the Enterprise Admins group from the child domain's admin groups, OR make sure the Domain Admins of the forest root are not members of the Enterprise Admins group. That way they are still only admins in the parent domain.
It really only depends on group membership and on including those groups in the child domain. By default the Enterprise Admins group is included, for example, but nothing stops you from removing those groups.
Based on the group membership you can also deny them the ability to log on.
The only thing you cannot prevent is the forest administrator account from doing something.
One thing I would like to add though: any admin in the forest domain likely has the ability to still get access if he wants to force his way in. -
VDI 3 + Active Directory Child Domain Setup Question
Hi Everyone,
Quick question. Will this config work? I'm having some issues.
Domain A
Child Domains A.A, B.A, C.A, etc.
Kerberos is set up and pointing at domain A with admin account access.
VDI3 can see all the domains when I pull down the domain selector... however! I can only log into the parent domain A. Attempts to log into child domains A.A, B.A, etc. give me an 'Unknown user/password' error.
Will this config work? All child domains are part of the same forest, which I thought was supported.
Many thanks in advance for any replies.
Dono
Hello,
yes, forests with multiple child domains are supported and your configuration should be working.
In order to troubleshoot the problem, please follow the instructions at:
http://wikis.sun.com/display/VDI3/End-users+cannot+access+their+virtual+machines.
The cacao logs should contain more details about the error.
Thanks,
Katell -
Lync 2013 & Active Directory Intra Domain Migrations
Hi all,
Hopefully this is the correct forum to ask. Suppose the following scenario:
Parent Domain containing Lync 2013 Servers
Child domains consisting of user accounts
It is intended that child domains containing Lync 2013 enabled users be migrated to the parent domain.
A few questions
Is it possible to migrate user accounts to another domain and configure the migrated (technically new) account to link back to Lync so as to retain contact information?
Or prior to migration have contacts exported so they can be imported into the new Lync 2013 accounts?
Thanks,
Within a single forest it is quite possible to have Lync installed in one domain and users a part of another domain.
All we have to do during the Lync server install process is run the domain preparation wizard for all the domains where we shall have either Lync user objects or Lync server objects.
Please refer to http://technet.microsoft.com/en-us/library/gg398630.aspx
I believe as long as the user's SIP URI doesn't change you can export the user data information and, after the migration, import the user information.
Please refer to http://technet.microsoft.com/en-us/library/jj204897.aspx
How to script out to connect to Active Directory specific domain controller server?
How do I script out a script that enables us to connect to a specific domain controller server? It is because I have 2 different server versions and both of them have been communicating with PowerShell, thus I wanted PowerShell to communicate with one server version. How do I script this out?
Please see the Posting Guidelines:
http://social.technet.microsoft.com/Forums/en-US/a0def745-4831-4de0-a040-63b63e7be7ae/posting-guidelines?forum=ITCG
and this article on how to ask questions in a technical forum:
http://sincealtair.blogspot.com/2010/04/how-to-ask-questions-in-technical-forum.html
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " " -
Active Directory domain failed
Hello Team,
When I join our Active Directory, every time the BUI gives the same error message:
The attempt to join the Active Directory domain failed either because the clocks of the appliance and the domain controller are skewed or the administrative user does not have the appropriate permissions to create a computer account in Active Directory.
It is recommended that NTP be used to keep clocks synchronized when using Active Directory.
Storage Appliance: 7310, one controller. There is no firewall for the NTP server either, which connects directly to the NTP domain server. Actually my belief is that there is no time sync issue.
Firmware version is the latest patch.
What is your idea about this issue?
I did this action plan many times, but the result is the same:
Active Directory Tasks
B) Joining a Domain
1. Configure an Active Directory site in the CIFS context. (optional)
2. Configure a preferred domain controller in the CIFS context. (optional)
3. Enable NTP, or ensure that the clocks of the appliance and domain controller are synchronized to within five minutes.
4. Ensure that your DNS infrastructure correctly delegates to the Active Directory domain, or add your domain controller's IP address as an additional name server in the DNS context.
5. Configure the Active Directory domain, administrative user, and administrative password.
6. Apply/commit the configuration.
A) Joining a Workgroup
Configure the workgroup name.
Apply/commit the configuration.
1. First of all, LAN Compatibility Mode 4 works fine with Win 2003 (AD Server).
2. While trying to join the AD, using a non-ADMIN username and password will not help. Try using a username/password which has Administrative Privileges (specifically having the rights for Account Creation in the AD Server) on the AD server.
(I was trying with a different username/password but it was not joining the storage to AD. It joined when I tried a user having the privileges to create Machine Accounts in AD.)
3. For Clock Sync, the tolerance limit is up to 5 minutes, so you can take care that the difference does not go beyond 5 minutes.
Thanks
Can
Gantek Tech.
Your first post to these OTN forums.
You posted your inquiry to a HARDWARE forum.
Your issue seems to be a Microsoft OS issue and you just happen to have your OS volumes on a model 7310 appliance.
I suggest you go find a forum somewhere that is hosted for Microsoft AD issues.
If you happen to need the documentation for that piece of storage hardware, there are currently three PDF's available:
http://docs.oracle.com/cd/E19935-01/index.html
They are the Installation Guide, the hardware Administration Guide, and the Service Manual.
There are no current Oracle-published documents for that box as related to Active Directory. -
Authenticating Workgroup Manager to Active Directory.
Dear all,
I've searched the forums and Internet and tried various things that could help my situation but I'm still having issues.
I am running 10.4.11 Server with 10.4.11 client machines. All machines and the server are connected to Active Directory via the built-in AD plugin.
Logging on to a client machine with an AD login works fine, no issues.
System image deployment over the network from the Xserve work fine.
The issue I have is implementing managed preferences from Workgroup Manager. When I open it, it will show me all of the users and groups. It says:
*Viewing directory: /Active Directory/All domains. Not authenticated*
When I click the padlock to authenticate, and enter my domain admin username and password, it says:
*The login information is not valid for this server.*
My login works as it allows me to add machines to the domain.
More info available as needed. If anyone can assist, thanks in advance.
Regards,
M.
Hi
Viewing directory: /Active Directory/All domains. Not authenticated
When you bound the server to the Active Directory realm, what user name and password did you use? It will be this name and password that you will need to authenticate to the Active Directory node. This name and password should be the one that already exists on the AD that has authority for that server. It's also the name and password that should be used when binding Mac clients to the AD node using the Active Directory plugin in Directory Access.
This name and password can be the same as the one created for promoting your server to OD Master (diradmin). It's a good idea to create this account on the AD first (make it authoritative for the AD) before promotion and client binding.
If you want to augment the AD with OSX Server managed preferences (MCX) then create a group within the /LDAPv3/127.0.0.1 node (assuming you have promoted the server to OD Master and disabled sso). Have two windows open in WGM (better done from a client). One window will show you the AD node and the other the OD node. Drag users or groups from the AD node into the newly created group in the OD node.
Apologies if you already know this, Tony -
MS Active Directory 2008 as UME datasource for AS Java
Hello,
We are running SAP EP on top of a SAP AS Java using LDAP certification, so users from the MS Active Directory 2003 domain are trusted by the Portal.
I now have a problem with the version upgrade of MS Active Directory from 2003 to 2008; it seems only SAP AS ABAP supports MS AD 2008, and our instance is Java only.
Note 983808 - "Certified LDAP servers" also confirms this.
Do you know if AD 2008 is supported, if any note has been released about this, and of any document to help me with this issue?
thanks in advance!
Rafael
Hi Patrick, thanks for the answer
I checked the note and it refers to Windows 2008 and a scenario with SSO; that's not our case.
We just have AD as an LDAP UME datasource; users must still pass user and password, which is then checked, and then login is authorized.
You mentioned AD 2008 is supported for NetWeaver AS Java; could you send me any document or note with procedures or anything for configuring it?
kind regards,
Rafael -
Time services in Active Directory
We have an old Ubuntu box running as an NTP server and, as part of updating our systems, we are planning to decommission it. However, this system has been set as the local machines' NTP server via DHCP scope options and via group policy. If I just switch it off then all the Windows clients or any DHCP client on the network will not know where to get the correct time from and could cause connectivity issues on the domain.
I have tested a new GPO on an isolated machine to see what the effects are and not a lot changed; the client machine affected by this new GPO just reports DC01 as the NTPServer when I run w32tm /query /configuration and reports the source as being the local CMOS clock when I run w32tm /query /status. Is this normal?
Running the same thing on my PDC shows the clock as being "Free-running System Clock". Should this be set to an online time service, or should it not matter (as long as the clients are only getting their time from the PDC)?
What I would like to know is: is there a best practice guide somewhere I can read through?
I have been trawling various searches but can't seem to find anything relevant.
Drac
We have an old Ubuntu box running as an NTP server and, as part of updating our systems, we are planning to decommission it. However, this system has been set as the local machines' NTP server via DHCP scope options and via group policy. If I just switch it off then all the Windows clients or any DHCP client on the network will not know where to get the correct time from and could cause connectivity issues on the domain.
You can use GPOs to make your Windows client computers use your AD forest topology for time sync. I have described that in this Wiki article: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
Once you are sure that all Windows client computers (and non-Windows computers if you have some) are using your AD forest topology for time sync, you can remove your Ubuntu box.
I have tested a new GPO on an isolated machine to see what the effects are and not a lot changed; the client machine affected by this new GPO just reports DC01 as the NTPServer when I run w32tm /query /configuration and reports the source as being the local CMOS clock when I run w32tm /query /status. Is this normal?
Is the client you use running as a VM? If yes, you can consider disabling the time sync feature with the hypervisor.
Otherwise, please consider running the following commands to re-create the registry entries for the time sync configuration:
w32tm /unregister
w32tm /register
Currently the PDC does not sync with any online time server, just its own internal clock (this is a virtual Windows 2012 server with the guest set not to sync time with the host, if that makes any difference). So I need to set this to use an online time server and then "reset" the clients to use the PDC instead of the internal NTP server. The other DCs in our domain all use the PDC as their time server, along with all other infrastructure servers.
You need to configure the PDC emulator of the root domain in your forest to sync its time with at least two reliable external NTP servers.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
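The procedure discussed in this thread (make the forest-root PDC emulator sync from external NTP servers, then point the members back at the domain hierarchy and verify) carried through with the Windows Time service's own command line. This is an added example, not commands posted by any participant; the NTP host names are placeholders to be replaced with your own reliable peers, and the Get-ADDomain call assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example (not from the thread). Placeholder peers: replace ntp1/ntp2.example.invalid.
# Assumes the ActiveDirectory module for the Get-ADDomain lookup (optional).

# Identify the forest-root PDC emulator, which is the only machine that should sync externally.
$pdc = (Get-ADDomain (Get-ADForest).RootDomain).PDCEmulator
Write-Host "Forest-root PDC emulator: $pdc"

# --- Run on the PDC emulator ---
# Two external peers; the ",0x8" suffix puts each peer in client mode.
# /syncfromflags:manual ignores the domain hierarchy, /reliable:yes advertises this DC
# as a trusted time source so the rest of the forest will follow it.
w32tm /config /manualpeerlist:"ntp1.example.invalid,0x8 ntp2.example.invalid,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# --- Run on every other DC and on members that were pointed at the old Ubuntu server ---
# Drop any manual peer and follow the AD domain hierarchy (the behaviour the GPO enforces).
w32tm /config /syncfromflags:domhier /update
Restart-Service w32time
w32tm /resync /rediscover

# --- Verification, on the PDC first and then on a member ---
# After a successful resync the source should name a DC (or, on the PDC, an external peer)
# rather than "Local CMOS Clock" or "Free-running System Clock".
w32tm /query /source
w32tm /query /status /verbose
w32tm /query /configuration

# Offsets of every DC in the domain against the local clock, to spot a DC still free-running.
w32tm /monitor
```

Check the PDC emulator before the clients: members only ever follow the hierarchy upward, so a client that still reports Local CMOS Clock after a resync usually means the DC it chose has not itself obtained a trusted source yet. The `/unregister` and `/register` pair mentioned above rebuilds the W32Time registry configuration from defaults and should be followed by the `/config` step for the machine's role, otherwise the manual peer list is lost.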