C100 LDAP accept to multiple AD domains?

Similar Messages

• LDAP supporting multiple DNS domains

  I have an environment with multiple DNS domains, and am configuring a Directory server (DS 6.3.1) to centralize various OS configuration maps including user authentication. None of the DNS domains have unique data, so I'd like to do something like storing all the real data in one suffix, then somehow have all clients look to that primary suffix. I am aware that the Solaris Native LDAP client wants to bind to a nisDomainObject that matches its DNS domain. I'm just having a hard time believing that I really need to manage all those individual suffixes when they don't have unique data requirements.
  Take as an example the following domains to be supported: foo.example.com, bar.example.com, dev.example.com, qa.example.com, prd.example.com (no hosts are actually in "example.com", they are all in subdomains). Again, all share common configuration data, same user IDs, etc - no unique maps are required.
  I created a suffix, "dc=example, dc=com", set it up with idsconfig. All is well there.
  [A] My first thought is to bind all Solaris clients, regardless of their DNS domain, to the baseDN of "dc=example, dc=com" in order to avoid having a separate suffix for each DNS domain. I tried to do this using "-a defaultSearchPath=dc=example,dc=com" with ldapclient init, but it failed with an error indicating it wants to see the nisDomainObject of its real DNS domain.
  The second though I had, which I don't believe is possible, is to find some sort of a LDAP equivalent of a symbolic link so that I could actually have an object for each DNS domain, but it would simply point back to "dc=example,dc=com". I can't find anything in the documentation which suggests this is possible, but I'd love to be wrong!
  [C] Perhaps this could be somehow done with a rats nest of SSDs, but that really seems unwieldy, right? I plan on using a fair amount of the available objects, so it would be many SSDs per suffix. Yuck.
  Can anyone comment on my above thoughts, or provide how they would go about supporting multiple DNS domains that have common configuration data?
  Thank you,
  Chris

  Ok, I answered my own question. Turns out it's pretty easy. Just use the "-a domainName=example.com" option with `ldapclient` then make sure that the FQDN of the LDAP server is available (or use its IP address). My problem was that the ldapclient overwriting nsswotch.conf was clobbering the SSL session because I used the FQDN which couldn't resolve.
  This leaves an interesting condition of having the output of "domainname" not match the DNS domain. I'm testing now to see if this causes any unexpected issues with our environmnet, but I suspect it's not a problem.

• LDAP Acceptance Query

  Hello everybody,
  I would like to know if it's possible to enable a "LDAP Acceptance query" only for one domain protected by Ironport?
  I explain myself:
  Our Ironport is used by 3 companies. One company has an exchange server and so LDAP is possible - and it works well. But (badly but) the others has another product as mail server which does not support LDAP query.
  So I would like to enable LDAP acceptance query for the first company and nothing fir the 2 others.
  Last, I would like to enable LDAP authentication for Spam Quarantine if possible.
  Regards,
  GALLEZ Antony

  Hi there, Bypass LDAP Accept is the easiest way, but a way to give you more control would be to create a seperate MX record for each company.
  On the IronPort have an individual listener for each company, that way you can have multiple routing, accept and group queries for each company.
  But as you have already found the Bypass LDAP in the RAT is the easiest option :lol:
  Different MX Records means that we need different public IP adresses and we only have one. So, I'll use the "Bypass LDAP Accept" option.
  BTW, thanks for your response, I haven't thought at different MX Record...

• In RSA Authentication Manager 7.1, how create multiple security domains

  Hi,
  RSA Authentication Manager 7.1 in configured with LDAP(Sun java system directory server); how create multiple security domains 7.1, is this security domains is releted to LDAP?
  thanks

  I think what you need to do is create an identity sequence with RSA as the selection in
  Authentication and Attribute Retrieval Search List and AD in Additional Attribute Retrieval Search List. Then select this sequence as the result in the identity policy for the service

• Lync 2013 certificate requirements for multiple SIP domains

  Hi All,
  I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually
  around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they
  appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
  Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
  Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
  Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
  Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
  Friendly URL option 3 from this page:
  http://technet.microsoft.com/en-us/library/gg398287.aspx
  Client auto-configuration:
  i.     
  Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
  ii.     
  Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
  iii.     
  Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domains is also required. This is because a DNS CNAME to another domain is not supported over
  HTTPS.
  If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
  How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
  Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed
  to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
  Many thanks,

  Many thanks for the response.
  I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
  http://technet.microsoft.com/en-us/library/gg398287.aspx
  What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
  http://technet.microsoft.com/en-gb/library/hh690030.aspx
  Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects
  to an address of director.contoso.net is not supported over HTTPS.
  In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing
  rule for port 80 (HTTP).
  For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating
  domain.”
  I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
  As per the below article:
  http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
  “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to
  create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net). 
  This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
  the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
  ===================
  1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
  2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
  fall under the XXX umbrella but are very much run as individual entities.
  Question:
  Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
  Thanks.

• Ideas for features needed in new Conversational LDAP Accept

  Mark, sorry should have given you this list months ago. My guess is you've already thought of all of these and more.
  Everyone else, feel free to add to the list or tell me I'm nuts... or better yet ask what for.
  1) A good DHAP (directory harvest attack prevention) solution. I'm guessing this would be along the same lines as current post-conversation LDAP Accept. - completely obvious
  2) Sender Group specific settings, also like the current DHAP. This allows for different bounce/drop rates based on Sender Group or SRBS. Also the ability to Drop vs. Bounce based on Sender Group, not just a global setting.
  3) The ability to do conversational bounces based on the MAIL FROM: in addition to the RCPT TO:. This allows for conversational bounces for Internet inbound emails where the MAIL FROM: may be your own domain (spoofed).
  4) LDAP Accept still needs to be post HAT, Domain Map and RAT processing.
  5) Rates and counts added to the Mail Flow monitor stats, specifically: Invalid LDAP rates: Total, Bounce and Drop.
  6) LDAP lookup status, very much like DNS with cache hit/miss rates, number of lookups, etc. Also rates along with counts.
  7) Warnings when LDAP lookup timeout is exceeded, vs. server connection failures. Configurable LDAP lookup timeout.
  8) If connection to LDAP server fails or times out, emails are accepted by default.

  Erich,
  This is all very good feedback. The vast majority of it will be included in the conversational LDAPACCEPT feature coming in a maintenance release in the short term.
  There are a couple items that we'll have to get to in a later release:
  - Drop vs. bounce in the sender group. Good idea, beyond what we'll be able to do in this release. But you'll be able to enable/disable and set thresholds per sender group.
  - Conversational bounces on the Envelope Sender. This is coming in the Hard Rock release, planned for Q405.
  - LDAP lookup status will be in the Hard Rock release
  Everything else looks to be in there.
  Peter Schlampp
  Sr. Dir., Product Management
  IronPort Systems

• SCOT - Configuring multiple default domain

  Hi,
  Is it possible to configure multiple default domain in SCOT in a client?
  I have set the default domain to e.g. "company1.com" and mails with this domain are sent out.  However, mails with "company2.com" are not sent out.  The message in SOST is "Delivery Attempted" and the mails were never received.
  I tried setting the default domain in SCOT to "company1.com, company2.com" but it didn't work.  So I'm assuming that it will only accept one default domain.
  "company1.com" and "company2.com" are my subsidiary companies and not "yahoo" or "gmail" domains.
  Thanks

  Hi my friend
  Default domain can be only one as it's called "default", which involves another setting: the SMTP mail host you define also can be only one, it can't work for 2 different mail domains.
  Regards,
  Effan

• Multiple DNS Domain support in Single instance of Portal

  Can BEA portal support multiple DNS domains in a single instance of BEA Portal.
  For example can I setup portal to respond as bothe www.xxx.com and www.yyy.com
  and keep those urls as trhough the entire portal?

  Hi,
  thanks for your quick response. You mean we should run only one copy of the package I mentioned and seperate the plants and machines by logic implemented in the package? Well, I think this is critical in case of deploying a new version, since all machines at all sites won't have the system available at the same time. At the moment we do not have things in the system that are needed to go on with production, but we have planned to implement some things that will be indispensable and in this stage we need a clear seperation of the plants to minimize the risk of a simultaneous stand at all plants.
  Thanks for your suggestion and best regards,
  Matthias

• CUPS 8.6 - Supporting Multiple SIP Domains on a per-user basis

  Working on a CUPS 8.6 PoC with a customer who currently is running a deployed OCS environment. 
  Users all sign into a single domain internally but have multiple SMTP domains for email as this customer has many different companies they have aquired.
  OCS  is able to support and route multiple SIP domains by specifing the SIP address under AD User settings such that two users both signed into the same OCS server can send IM's to each other even though they have different SIP addresses.  sip:[email protected] , sip:[email protected]
  CUPS on the other hand does not seem to allow this on a per-user basis.  It places every user in the sip domain that the server is a member of.
  The Jabber client allows you to specify a domain but I am not how this is used as the actual user account in CUPS is only ever the one domain and if you try and specify a different domain in the Jabber Connection Settings, it will not allow you to login.
  It is not a big deal for internal communications if everyone is on the same domain, but where it is important is for future B2B IM.  Users need to be able to give out THEIR IM address with THEIR respective domain.
  Does anyone else know for a fact that I will only be able to have one domain per CUP cluster?
  Any thoughts on this design?

  Not sure on the design perspective but as for CUPS Domain, we can only have single domain per cluster. As you have already found out that for any user licensed for CUPS, their IM address would be userid@CUPSDomain
  CUPS does have funtionality of federating with foreign domains such as AOL/GoogleTalk/WebEx Connect.

• How to delete multiple data domains with single step ?

  how to delete multiple data domains with single step ?

  You can go to your Endeca-Server domain home e.g.($WEBLOGIC-HOME$/user_projects/domains/endeca_server_domain/EndecaServer/bin)
  run
  [HOST]$ ./endeca-cmd.sh list-dd
  default is enabled.
  GettingStarted is enabled.
  endeca is enabled.
  BikeStoreTest is enabled.
  create a new file from the output just with the domains that you want to delete and then create a loop
  [HOST]$ vi delete-dd.list
  default
  GettingStarted
  endeca
  BikeStoreTest
  [HOST]$ for i in $(cat delete-dd.list); do; ./endeca-cmd.sh delete-dd $i; done
  Remember that this can not be undone, unless you have a backup.

• LDAP accept query (space within email) got pass

  Version: 5.1.2-005
  ldap accept query is very effective here and have been using since day-1.
  Recently, we discover some backend mta log that rejecting invalid address.
  We haven't change ironport or the backend ldap software for a while. So it is not something that due to recent change.
  Here is a funny finding, note the space.
  > ldaptest
  Select which LDAP query to test:
  1. MXLDAP.accept
  2. MXLDAP.smtpauth
  3. VDELDAP.accept
  4. group
  [1]> 1
  Address to use in query:
  []> sys [email protected]
  LDAP query test results:
  Query: MXLDAP.accept
  Address: sys [email protected]
  Action: pass
  LDAP query test finished.
  I run a ldapsearch on the backend LDAP server and the ldapsearch does not return the 'sys [email protected]' as valid LDAP entry. So it seems it is not related to LDAP.
  This is our ldap accept query
  (&(|(mail={a})(mailalternateaddress={a}))(mailboxstatus=A)
  Our ldap backend is Openwave MX LDAP directory.
  We do considering upgrading to 5.5 version but it was not due to this problem. but rather than try to keep our version reasonably up-to-date.

  In the latest version it is also accepting addresses that contain spaces. However, the exact behavior depends on how address parsing is configured on your listener.
  If it is set to "loose parsing", it accepts but actually delivers the message to .
  When using "strict parsing", it doesn't alter the recipient address and the message gets delivered to .
  In the LDAP accept query however, it seems to ignore that setting. It always strips spaces from the address before it sends the query (you can see this in ldap debug).
  I don't know whether all this is by design or not. Especially the ldapaccept part looks more like a bug to me, i'd expect it to check the address its going to use to deliver the mail. Its probably best to create a support request for this.

• OID - LDAP:error code 19 -Admin domain

  Exception creating Entry : javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - Admin domain does not contain schema information for objectclass person.]; remaining name 'cn=oriondes,ou=servidoresmiembro,ou=internos,cn=users,dc=superfinanciera,dc=gov,dc=co'
  [LDAP: error code 19 - Admin domain does not contain schema information for objectclass person.]
  javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - Admin domain does not contain schema information for objectclass person.]; remaining name 'cn=oriondes,ou=servidoresmiembro,ou=internos,cn=users,dc=superfinanciera,dc=gov,dc=co'
  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3001)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
  at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
  at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
  at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
  at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:1056)
  at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:409)
  at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:748)
  at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:335)
  at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:581)
  at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
  at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
  DIP_LDAPWRITER_ERROR_CREATE
  DIP_LDAPWRITER_ERROR_CREATE
  at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:722)
  at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
  at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
  DIP_LDAPWRITER_ERROR_CREATE
  ActiveChgImp:Error in Mapping EngineDIP_LDAPWRITER_ERROR_CREATE
  DIP_LDAPWRITER_ERROR_CREATE
  at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:741)
  at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
  at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
  ActiveChgImp:about to Update exec status
  Updated Attributes
  orclodipLastExecutionTime: 20100906150632
  orclodipConDirLastAppliedChgNum: 34086144
  orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted

  Hi,
  Please let me know if this has been resolved. Also, please post the solution if you find any.
  -Mahendra.

• People Picker search order with multiple forest domains

  I had customer with multiple forest domain environment. Now the problem is that all users from one domain synced to the resource domain(Domain A) where sharepoint is installed.
  The peoplepicker is now finding at first the user in Domain A where sharepoint is installed. My Solution is now to specify the order of searching in People Picker that first all users in Domain B will return and if there is noting will return Domain A.
  All SharePoint Server(s) had Network Access to the other Domains. And there are two-way-trust konfigured.
  Any Solution for that?
  Thanks for your feedback!
  P.

  Regardless of search order, you would get both results returned. Have you tried using the UserAccountDirectoryPath property on the Site Collection to specify DC=domainB,DC=com?
  Trevor Seward
  Follow or contact me at...
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
  Nice to now that i can set it up per site collection. But it do not work in my case, it indeed returned users from Domain B but Domain A, C, D and F(Examples) are excluded from People Picker.

• IOS AIR3.6  runtime error 3747 Multiple application domains are not supported on this operating syst

  3747
  Multiple application domains are not supported on this operating system.
  I'm getting this error from an IOS app compiled with air 3.6.
  No code has changed  from Air 3.5 which is error free. Web app / android versions of the same codebase do not error.
  See the stackTrace below ( well done Adobe for providing this since air 3.5 !! )
  I use swfloaders for loading embedded swf vector art graphics. This has not caused any issue until now. Should I load all art into the main app's application domain ?
  The error does not crash the app and I could suppress it easily but is could the tip of the iceberg because application domains are scary stuff.
  Error: Error #3747
          at flash.display::Loader/loadBytes()
          at mx.core::MovieClipLoaderAsset()
          at mx.controls::SWFLoader/loadContent()
          at mx.controls::SWFLoader/load()
          at mx.controls::SWFLoader/initializeHandler()
          at flash.events::EventDispatcher/dispatchEvent()
          at mx.core::UIComponent/dispatchEvent()
          at mx.core::UIComponent/set processedDescriptors()
          at mx.core::UIComponent/initialize()
          at com.komodomath.app::ImageSWFloader/initialize()
          at mx.core::UIComponent/http://www.adobe.com/2006/flex/mx/internal::childAdded()
          at mx.core::UIComponent/addChildAt()
          at spark.components::Group/addDisplayObjectToDisplayList()
          at spark.components::Group/http://www.adobe.com/2006/flex/mx/internal::elementAdded()
          at spark.components::Group/setMXMLContent()
          at spark.components::Group/set mxmlContent()
          at spark.components::SkinnableContainer/set mxmlContent()
          at spark.components::SkinnableContainer/createDeferredContent()
          at spark.components::SkinnableContainer/createContentIfNeeded()
          at spark.components::SkinnableContainer/createChildren()
          at mx.core::UIComponent/initialize()
          at com.komodomath.lesson::SaveStatusCheck/initialize()
          at mx.core::UIComponent/http://www.adobe.com/2006/flex/mx/internal::childAdded()
          at mx.core::UIComponent/addChildAt()
          at spark.components::Group/addDisplayObjectToDisplayList()
          at spark.components::Group/http://www.adobe.com/2006/flex/mx/internal::elementAdded()
          at spark.components::Group/addElementAt()
          at mx.states::AddItems/addItemsToContentHolder()
          at mx.states::AddItems/apply()
          at mx.core::UIComponent/applyState()
          at mx.core::UIComponent/commitCurrentState()
          at mx.core::UIComponent/setCurrentState()
          at mx.core::UIComponent/set currentState()
          at com.komodomath.maingroups::LessonGroup/handleNewLessonClick()
          at com.komodomath.maingroups::LessonGroup/___LessonGroup_KButton1_click_lessonOver()

  same issue as http://forums.adobe.com/message/4736711

• Multiple Application Domain Error with Preloader

  Hi all,
  I'm attempting to upgrade to Air 3.6. My app runs as a swf on the web and also meant to be packaged as a "slow" build (not interpreter) for iOS since I need the performance of Starling. Since it's a fat app, so thus it has a preloader for the web, which works perfectly. However when I try to start the app in ios-debug on my iPad, I get:
  [Fault] exception, information=Error: Error #3747: Multiple application domains are not supported on this operating system.
  mPreloader = new PreloaderSwfEmbed();
  mPreloaderLoader = Loader(mPreloader.getChildAt(0));        // need to wait until the swf loads before grabbing all the information from it
  mPreloaderLoader.contentLoaderInfo.addEventListener(Event.COMPLETE, EmbeddedPreloaderLoadCompleteCB);
  On the first line of my code snippet here. How can I insert permission regarding multiple application domains for embedded swfs?
  Thanks!
    ZS

  Ok so I got the swf to load by changing the code above to the following:
            var context:LoaderContext = new LoaderContext(false, ApplicationDomain.currentDomain);
                 context.allowCodeImport = true;
                 mPreloaderLoader = new Loader();
                 mPreloaderLoader.contentLoaderInfo.addEventListener(Event.COMPLETE, EmbeddedPreloaderLoadCompleteCB);
                 mPreloaderLoader.loadBytes(new PreloaderSwfEmbed(), context);
  But now when I run the app I get a message dialog on the iPad saying:
  Uncompiled ActionScript
  Your application is attempting to run uncompiled ActionScript, probably due to the use of an embedded SWF. This is unsupposed on iOS. See the Adobe Developer Connection website for more info.
  And yes I am using Adobe Air SDK 3.6, and building with -swf-version=19, at least on the main swf. The other swf was made with an fla with Flash Pro.
  Any help people? Why is this still not working? I thought it was fixed in 3.6. I must be missing something.
  Thanks!