Cisco ACS 5.2 authentication against multiple LDAP servers
Hi Folks,
I have a wireless network that uses ACS 5.2 to handle authentication. The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment. The authentication flow looks like this:
- User tries to associate to WLAN
- Authentication request is sent to ACS
- Service selection rule chooses an access-policy (wireless_access_policy)
- wireless_access_policy is configured to use my_ldap as identity source.
A sister company is about to move into our offices, and will need access to the same WLAN. Users in the sister company are members of a separate AD domain (sister_company_ldap). I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful. Is this possible?
Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1).
Similar Messages
-
LDAP Authentication Scheme - Multiple LDAP Servers?
How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.
How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.
-
[ SOLVED] Authentication against two openldap servers.
Hi everyone.
Here is the deal. I have two openldap servers, used for user authentication (master and slave). I have all the clients to be able to authenticate users against the master openldap server, and that is working fine. I want to make them to be able to authenticate against the slave server, if the master is down for any reasons. Is there a way to configure the clients, and is that the way to manage this, or I have to use another software as heartbeat or something like heartbeat.
Regards.
PS: Sorry. I found it. It is written in the /etc/ldap.conf file. If you want authentication against several ldap servers, you have to specify them in the 'uri' row, separated by spaces.
Last edited by Gruntz (2009-03-10 08:57:31)Hi,
Is there a possibility to configure somewhere an external LDAP just for authentication purposes (possibly PKI), leaving everything else in OID?
Yes, in our project we are using a third party LDAP server for authentication, whereas the rest of the user information is stored in the OID. I don't know the details about the implementation but we used DIP (Directory Integration Platform) to create and register a plugin. The plugin replaces the default 'ldapcompare' method that the SSO uses with our own method that makes a call to a third party ldap. Our code was written in PL/SQL and used the DBMS_LDAP package.
You should be able to find more info from OID developers guide. http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/manage.902/a95193.pdf
Good luck!
/Rikard -
Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed
Hi,
I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
server xx.xx.xx.xx
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_adminHi,
Since the ACS is receiving the request.
Could you please ensure that In ACE on every context (including Admin and other) you have following strings:
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ tac_admin
server x.x.x.x
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group x.x.x.x
On ACS side for group named "Network Administrators" you should configure in TACACS settting:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
shell:Admin*Admin default-domain
if you have additional context add next line
shell:mycontext*Admin default-domain
After loging to ACE and issuing sh users command you should see following
User Context Line Login Time (Location) Role Domain(s)
*adm-x Admin pts/0 Sep 21 12:24 (x.x.x.x) Admin default-domain
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you fee your query is resolved. Do rate helpful posts. -
Multiple LDAP Servers in Fusion Middleware (OBIEE 11g)
Hello,
I have a question, regarding integration of multiple LDAP servers with single Weblogic Server of Fusion Middleware (OBIEE 11g). We are currently using OBIEE 10g. We are on verge of migrating to 11g. However, I have a question regarding the LDAP server.
Our two applications run on two distinct LDAP servers. The plan is to provide a single sign on link for OBIEE 11g reports to the end users and depending on what application they are using, they must be authenticated against the respective LDAP server.
So, my question, is it possible to Integrate two different LDAP servers in the Weblogic of Fusion Middleware (OBIEE 11g). If so, what would be the steps. Any helpful document will also be appreciated.
Thank you,
Chandu.Yes, you can configure multiple authentication providers one by one as you generally do.
When you configure multiple Authentication providers, use the JAAS Control Flag for each provider to control how the Authentication providers are used in the login sequence. You can set the JAAS Control Flag in the WebLogic Administration Console.
REQUIRED—The Authentication provider is always called, and the user must always pass its authentication test. If authentication succeeds or fails, authentication still continues down the list of providers.
REQUISITE—The user is required to pass the authentication test of the Authentication provider. If the user passes the authentication test of this Authentication provider, subsequent providers are executed but can fail (except for Authentication providers with the JAAS Control Flag set to REQUIRED).
SUFFICIENT—The user is not required to pass the authentication test of the Authentication provider. If authentication succeeds, no subsequent Authentication providers are executed. If authentication fails, authentication continues down the list of providers.
OPTIONAL—The user is allowed to pass or fail the authentication test of this Authentication provider. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.
refer - http://docs.oracle.com/cd/E13222_01/wls/docs92/secmanage/atn.html
Regards
Mukesh Negi
http://weblogicserveradministration.blogspot.in/ -
Multiple LDAP Servers and Attribute-Based Data Partitioning
Hello
We currently want to implement following szenario on Netweaver 2004s. From the
following SAP Help documentation we want attribute based data partitioning:
http://help.sap.com/saphelp_nw70/helpdata/EN/4e/4d0d40c04af72ee10000000a1550b0/frameset.htm
The difference to the SAP document is that we want a distribution of attributes over
multiple LDAP servers. So we tried to fit that concept into xml. see attached xml source.
The Portal finds both LDAP Systems but it is NOT that the useres are beeing merged
but they appear as two distict users in the portal UME. If you do a lookup in the portal
usernamagent system you get and see two users.
User1: unique ID = USER.Datasource1.uid
User2: unique ID = USER.Datasource2.uid
Obviously the UME system was not able to merge that information of the two distict
LDAP Systems. MSADS and Lotus Notes.
Hence my questions:
1) is it possible to distribute attributes over multiple ldap data sources
2) any ideas why UME constructs two different users based in Datasource ID's specified in XML
Thanks for any contributions or ideas,
Ulrich Scherb
<?xml version="1.0" encoding="UTF-8"?>
<dataSources>
<dataSource id="PRIVATE_DATASOURCE"
className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
isReadonly="false"
isPrimary="true">
<homeFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</homeFor>
<notHomeFor/>
<responsibleFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</responsibleFor>
<privateSection>
</privateSection>
</dataSource>
<dataSource id="NOTES_LDAP"
className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
isReadonly="true"
isPrimary="true">
<homeFor/>
<responsibleFor>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="j_user"/>
<attribute name="logonalias"/>
<attribute name="j_password"/>
<attribute name="userid"/>
</nameSpace>
<nameSpace name="com.sap.security.core.authentication">
<attribute name="principal"/>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="firstname" populateInitially="true"/>
<attribute name="lastname" populateInitially="true"/>
<attribute name="email"/>
<attribute name="uniquename" populateInitially="true"/>
</nameSpace>
<nameSpace name="$usermapping$">
<attribute name="REFERENCE_SYSTEM_USER"/>
</nameSpace>
</principal>
</responsibleFor>
<attributeMapping>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="j_user">
<physicalAttribute name="uid"/>
</attribute>
<attribute name="logonalias">
<physicalAttribute name="uid"/>
</attribute>
<attribute name="j_password">
<physicalAttribute name="unicodepwd"/>
</attribute>
<attribute name="userid">
<physicalAttribute name="*null*"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.authentication">
<attribute name="principal">
<physicalAttribute name="uid"/>
</attribute>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="firstname">
<physicalAttribute name="givenname"/>
</attribute>
<attribute name="lastname">
<physicalAttribute name="sn"/>
</attribute>
<attribute name="uniquename">
<physicalAttribute name="uid"/>
</attribute>
<attribute name="loginid">
<physicalAttribute name="*null*"/>
</attribute>
<attribute name="email">
<physicalAttribute name="mail"/>
</attribute>
</nameSpace>
<nameSpace name="$usermapping$">
<attribute name="REFERENCE_SYSTEM_USER">
<physicalAttribute name="sapusername"/>
</attribute>
</nameSpace>
</principal>
</attributeMapping>
<privateSection>
<ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
<ume.ldap.access.server_name>ldap1</ume.ldap.access.server_name>
<ume.ldap.access.server_port>389</ume.ldap.access.server_port>
<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
<ume.ldap.access.user>xxxxx</ume.ldap.access.user>
<ume.ldap.access.password>xxxxx</ume.ldap.access.password>
<ume.ldap.access.base_path.user>O=SMT_TEST</ume.ldap.access.base_path.user>
<ume.ldap.record_access>TRUE</ume.ldap.record_access>
<ume.ldap.unique_uacc_attribute>uid</ume.ldap.unique_uacc_attribute>
<ume.ldap.unique_user_attribute>uid</ume.ldap.unique_user_attribute>
<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
<ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
<ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
<ume.ldap.access.objectclass.user>person</ume.ldap.access.objectclass.user>
<ume.ldap.access.objectclass.uacc>person</ume.ldap.access.objectclass.uacc>
<ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
<ume.ldap.access.auxiliary_naming_attribute.user>uid</ume.ldap.access.auxiliary_naming_attribute.user>
<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
<ume.ldap.access.auxiliary_naming_attribute.uacc>uid</ume.ldap.access.auxiliary_naming_attribute.uacc>
</privateSection>
</dataSource>
<dataSource id="CORP_LDAP"
className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
isReadonly="true"
isPrimary="true">
<homeFor/>
<responsibleFor>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="j_user"/>
<attribute name="logonalias"/>
<attribute name="j_password"/>
<attribute name="userid"/>
</nameSpace>
<nameSpace name="com.sap.security.core.authentication">
<attribute name="principal"/>
<attribute name="realm"/>
<attribute name="domain"/>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="firstname" populateInitially="true"/>
<attribute name="displayname" populateInitially="true"/>
<attribute name="lastname" populateInitially="true"/>
<attribute name="fax"/>
<attribute name="title"/>
<attribute name="department"/>
<attribute name="description"/>
<attribute name="mobile"/>
<attribute name="telephone"/>
<attribute name="streetaddress"/>
<attribute name="uniquename" populateInitially="true"/>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</nameSpace>
<nameSpace name="$usermapping$">
<attribute name="REFERENCE_SYSTEM_USER"/>
</nameSpace>
</principal>
<principal type="group">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="displayname" populateInitially="true"/>
<attribute name="description" populateInitially="true"/>
<attribute name="uniquename"/>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"/>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attribute name="dn"/>
</nameSpace>
</principal>
</responsibleFor>
<attributeMapping>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="j_user">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="logonalias">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="j_password">
<physicalAttribute name="unicodepwd"/>
</attribute>
<attribute name="userid">
<physicalAttribute name="*null*"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.authentication">
<attribute name="principal">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="realm">
<physicalAttribute name="*null*"/>
</attribute>
<attribute name="domain">
<physicalAttribute name="*null*"/>
</attribute>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="firstname">
<physicalAttribute name="givenname"/>
</attribute>
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="lastname">
<physicalAttribute name="sn"/>
</attribute>
<attribute name="fax">
<physicalAttribute name="facsimiletelephonenumber"/>
</attribute>
<attribute name="uniquename">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="loginid">
<physicalAttribute name="*null*"/>
</attribute>
<attribute name="mobile">
<physicalAttribute name="mobile"/>
</attribute>
<attribute name="telephone">
<physicalAttribute name="telephonenumber"/>
</attribute>
<attribute name="department">
<physicalAttribute name="ou"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="streetaddress">
<physicalAttribute name="postaladdress"/>
</attribute>
<attribute name="pobox">
<physicalAttribute name="postofficebox"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="memberof"/>
</attribute>
</nameSpace>
<nameSpace name="$usermapping$">
<attribute name="REFERENCE_SYSTEM_USER">
<physicalAttribute name="sapusername"/>
</attribute>
</nameSpace>
</principal>
<principal type="group">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="uniquename" populateInitially="true">
<physicalAttribute name="cn"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
<physicalAttribute name="member"/>
</attribute>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="memberof"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attribute name="dn">
<physicalAttribute name="*null*"/>
</attribute>
</nameSpace>
</principal>
</attributeMapping>
<privateSection>
<ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
<ume.ldap.access.server_name>ldap2</ume.ldap.access.server_name>
<ume.ldap.access.server_port>389</ume.ldap.access.server_port>
<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
<ume.ldap.access.user>yyyyy</ume.ldap.access.user>
<ume.ldap.access.password>yyyyy</ume.ldap.access.password>
<ume.ldap.access.base_path.user>O=SMT_TEST</ume.ldap.access.base_path.user>
<ume.ldap.access.base_path.grup>O=SMT_TEST</ume.ldap.access.base_path.grup>
<ume.ldap.record_access>TRUE</ume.ldap.record_access>
<ume.ldap.unique_uacc_attribute>samaccountname</ume.ldap.unique_uacc_attribute>
<ume.ldap.unique_user_attribute>samaccountname</ume.ldap.unique_user_attribute>
<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
<ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
<ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
<ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
<ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
<ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
<ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
<ume.ldap.access.objectclass.grup>Group</ume.ldap.access.objectclass.grup>
<ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
<ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
<ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
<ume.ldap.access.naming_attribute.grup>cn</ume.ldap.access.naming_attribute.grup>
</privateSection>
</dataSource>
</dataSources>Hi Ulrich,
Hope your problem is resolved. We are using EP7 and SP18. We are doing some study on your first issue. i.e. Distributing a user attribute into multiple LDAPs. Can you please let me know the feasibility? If yes, what are all step do I have to follow? Expecting your valuable answer. Thanks in advance!
Regards,
Kabali -
Multiple LDAP servers on single System
hi,
Would like to know if its a good idea to have multiple LDAP servers running on a single System (Hardware) ..
100,000 user base
We would like to run the old and new LDAP databases on the same server till we phase out the old LDAP database after migrating all applications..
System:
2 x V880 4CPU 8GB RAM --multi-master configuration
4 x V420R 4CPU 8GB RAM -- read only replicasShouldnt be an issue - thats not a particularly large user base and thats some heft y HW. Keep in mind though that they will be on different ports so any software you migrate may eventually need tweaking to the default port when the new takes over.
-
Integrating BIP with multiple LDAP servers
Hi,
my question is very simple. In Admin->Security Configuration->Security Model section i've setted Security model combobox with LDAP value. Then i've filled all LDAP information field (for example:URL). All works. But in my rpd i 've multiple LDAP servers (multiple URL) and in the form i can insert information about only one LDAP server.
Is it possible configure BIP with multiple LDAP servers?
Thanks
Giancarlo
P.S. I'm using OBIEE 10gHi,
my question is very simple. In Admin->Security Configuration->Security Model section i've setted Security model combobox with LDAP value. Then i've filled all LDAP information field (for example:URL). All works. But in my rpd i 've multiple LDAP servers (multiple URL) and in the form i can insert information about only one LDAP server.
Is it possible configure BIP with multiple LDAP servers?
Thanks
Giancarlo
P.S. I'm using OBIEE 10g -
Cisco ACS for Unix authentication
My company is looking for a single sign on for all the windows and unix servers mainly for admins. I was wondering if Cisco ACS will work for this.
Basically the authentication will be all for the servers and routers ofcourse. I am thinking if I specifies windows AD in ACS config, Can I get the unix boxes to get authenticated against Radius?
Any help will be appreciated.
MannyHi,
Authentication of unix servers via ACS over radius protocol can be achiveable,check out the below link client end configuration needs to be done for radius authentication
Hope that helps out your query !!
http://www.ibm.com/developerworks/library/l-radius/
Regards
Ganesh.H -
ACS 5.1 Authentication against AD problem
I have a pair of ACS 5.1 virtual appliances in a master/slave configuration, running build 5.1.0.44. We have it configured to authenticate TACACS against Active Directory, but have run into a problem with the account of one my colleagues. His account password recently expired and since changing it he is no longer able to authenticate on devices pointing to the master ACS server, but has no issue with devices pointing to the slave ACS server. Several other users have changed their passwords in AD and have not encountered this problem.
ACS View shows the following error in the TACACS+ authentication log: "24421 Change password against Active Directory failed since it is disabled in configuration". The account we use to connect to active directory does not have permission to send password changes, so I have disabled changing passwords in the AD identity store configuration. As a test, I enabled password changing and instead saw this error: "24407 User authentication against AD failed since user is required to change his password".
I've had him change passwords numerous times, try different SSH clients, and different PCs. I also had him lock his account out, and then try logging on and instead was presented with this error: "24415 User authentication against AD failed since user's account is locked out". So it seems that ACS is correctly querying AD but seems to be caching the fact that his account has expired.
The only difference between the two ACS servers are that they are querying different AD servers. I've gotten our AD team to reset his password, check that his account is not locked on a particular AD server, and that replication is functioning. I've also restarted the services and cold started the ACS virtual machine to no effect. I have yet to try clearing the AD configuration and re-entering it.
show logging application acs reveals the following:
ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
ying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
ying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change
password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
I am aware that I can upgrade to 5.1.0.44.6 and intend to do so (although CSCsr81297 concerns me as we make extensive use of AD for authentication), but I don't know that there is any guarantee that this will fix it.
Any ideas on what might be the cause, and how I can fix this?
Thanks!Hello,
It is complicated to explain this rule but hopelly you will understand.
I suggest you to do an identity store sequence that will point to the AD and RSA. this is like the user unknow policy in ACS 4.x
Once this is done you can create 2 authorization policies 1 based on RSA authentication and another based on AD authentication.
To give you a better clear example is there any difference between AD and RSA authentication? Do they have the same rights? Please detail what you need to configure besides AD and RSA simultanuos authentication.
Regards,
Sebastian Aguirre -
Authentication against both LDAP and BI repository
I have a lot of user who are authenticated against LDAP. I need add few users who aren't exist in LDAP. I can create user in BI repository and if this user is in an Administrator group he is able to log in. But if this user isn't in an Administrator group he get error "Succesfull execution of intitializtion block LDAP is required". Is there any way how to authenticate users agains both LDAP and BI repository?
Hi,
why dont you create a group in ldap and add the correspondng users to that group.
You can configure the LDAP server with that group and try...
Hope it works...
Regards
Venkat -
All,
We have a requirement where in we want to validate a user against the LDAP of our organisation.
We wil like to build a simple JSP page.
Questions that come to my mind is
1> Can we create a Portal application that wil not ask for a Portal authentication and directly point to the JSP stored in a web application or a portal application?
2> How complex is it to validate a user gainst an LDAP?
3> After successful validation we will like the aplication to trigger an RFC is this possible?
Thanks and Regards
Pradeep BhojakPradeep,
you have to create your own LogonModule to achieve your requirements (not only a jsp page). But on the other hand, why don't you configure your Portal UME to the LDAP anyway?
kr, achim -
Is it possible to configure and use two or more LDAP servers to authenticate OBIEE users? We have users with logins in two different domains that need to log in to our OBI servers.
Yes, It is.
Just list out all the LDAP servers with domain identifiers.
then In your authentication initialization block add all the LDAP servers. So the BI Server will authenticate against each server until it finds a match. or based on domain identifier it will go to the correspondent LDAP server.
- Madan -
User Account Authentication across multiple Solaris servers - Best Practice
Hi,
I am new to Solaris admin and would like to know the best practice/setup for authenticating user accounts across multiple solaris servers.
Currently we have 20 - 30 Solaris 8 & 10 servers which each have their own user accounts setup. I am planning to replace these with a similar number of Solaris 10 servers and would like to centralise the user accounts and their authentication.
I would be grateful for any suggestions on the best setup and any links to tutorials.
Thanks
Joolsi would suggest LDAP + kerberos, LDAP for name lookups and krb5 for auth. provides secure auth + extensable directory for users and other apps if needed. plus, it provides a decent spring board to add other unix plats into the mix since this will support any unix/linux/bsd plat. you could integrate this design with a windows AD env if you want as well.
[http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp] sol + ldap+ AD
[http://docs.lucidinteractive.ca/index.php/Solaris_LDAP_client_with_OpenLDAP_server] sol + ldap (openldap)
[http://aput.net/~jheiss/krbldap/howto.html] sol + ldap + krb5
now these links are all using some diff means, however they should give you some ideas as to whats out there. sol 10 comes with suns ldap server and you can use the krb5 server which comes with it as well. many many diff ways to do this. many many more links out there as welll. these are just a few. -
How to configure sendmail to use multiple LDAP servers ?
Hi everybody!
I have a sendmail running on Solaris 10 and a LDAP server(192.168.1.9) also running Solaris 10 OS. I have configured the sendmail the following way:
bash-3.00# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=email,dc=reso,dc=ru
NS_LDAP_BINDPASSWD= {NS1}*********************
NS_LDAP_SERVERS= 192.168.1.9
NS_LDAP_SEARCH_BASEDN= dc=email,dc=domain,dc=ru
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10
I also have another LDAP server (IP 192.168.1.10). It is configured as a replicant of the 192.168.1.9 LDAP server.
The question is how can i configure sendmail to use both LDAP servers ?
The man pages explain how to configure ldapclient to use ONE server and what if want to use two or more? All the settings and the profiles the same.
Thanks in advance =))Hi!
To add LDAP servers to the Solaris ldapclient, you might use the ldapclient command:
ldapclient manual -v -a defaultServerList="servera.yourdomain.com serverb.yourdomain.com"
But this is only failover, AFAIK the Solaris ldapclient does not perform loadbalancing by itself.
But I am not sure about your sendmail programm. Normally, sendmail has its own configuration
and can be configured to use LDAP e.g. for aliases etc.
Regards!
Rainer
Maybe you are looking for
-
BPM finishes when reaching exception in loop block
Hi everybody, we got a loop block in BMP. In the loop block we catch mapping errors by using an exception branch. What we can see is that when an exception is thrown the process steps into the exception branch an than is leaving the loop block!! So t
-
"Disable tracing" as part of custom step type behavior
Hi ! Currently writing custom step types based on sequences (my step type's default adapter is a sequence), I would like to set the "disable tracing" right in my step type definition. The problem is that this option isn't visible in the 'Default Run
-
Premiere cs6 does not recognize USB3 intensity shuttle?
I recently purchased Adobe premiere cs6 and a blackmagic intensity shuttle USB3 for windows. I have succesfully captured video from a deck using the media express software but premiere does not see the blackmagic device. Any ideas?
-
MDX Question - roll up to parent value
Hi, I have a relatively simple issue that I am not able to solve. I have the following calculation as a calculated member in my cube: SUM([Territory].[State - City Hierarchy].[City].CurrentMember.Parent, [Measures].[Total Sales]) What I would expect
-
public class A public method1() method2(); private method2() System.out.println("method1 in class A"); public class B extends A private method2() System.out.println("method1 in class B"); what will happen here?. Am I overirding Class A method in clas