Cisco support LDAP Authentication - Multiple Domains

Hi,
I want to change the LDAP authentication to multiple domains. My Windows AD environment uses a child trust, which means the root DC is "abc.com", which has two child DCs, e.g. "us.abc.com" and "uk.abc.com".
Is it possible that I just change the LDAP auth with the user search space set to the root DC, and that is fine?
OR
Must I use the "userPrincipalName"?

But there is a collision in sAMAccountName, that is, the same account name could exist in both us.abc.com and uk.abc.com.
If I change the LDAP sync to CM to use "userPrincipalName", what about the Jabber login?

Similar Messages

  • LDAP Authentication - Multiple Domains

    I want to be able to use the built-in LDAP Authentication scheme to allow authentication against multiple AD Domains... each with its own separate Host IP/Server and LDAP DN String. The User ID is formatted the same among all Domains, so that is not a concern. I am currently authenticating against one Domain and it scans the tree successfully.
    Host: xx.xx.xx.xx
    DN String: %LDAP_USER%@amer.globalco.net
    (amer.globalco.net is the domain)
    How can this be accomplished? Is it possible, all you gurus out there?
    I saw one forum thread discussing how to add a drop down list to the login page, then use the value of the page item in the DN String to specify Domain... That makes sense - HOWEVER - I also have to use a different Host Server / IP address for each domain as well.... Now that is 2 fields that need updating based on one select list.
    I can build the select list using "IP/Domain" - but how do I separate the two data bits in the ITEM Value into their own field values?
    Can I use the ldap_dnprep function to do text editing to create two field values from one ITEM value that I can use in the standard LDAP authentication form fields?
    As you can tell - I am not a SQL/PLSQL person... and I want to avoid creating my own LDAP scheme.
    Please include example/suggested SQL -
    Thanks in advance...
    Rich
    Apex v3.2.1
    Oracle 10G Express

    Based on a prior post I had a similar question and the result was to write a custom auth scheme to read the values from the login page, perform auth against the appropriate LDAP, then return a valid session to proceed with login in the Apex app. In our case, the issue was having users in different branch nodes on the same LDAP server but not being able to search from a common higher-level branch for some reason...
    Another option you could try, not recommended as it would mean multiple pages to maintain, would be a separate login page per LDAP/domain; maybe you would even need multiple apps with just a login page and then redirect to the main app... it has been a really long time since I've tried anything like it, just giving some options to try.

  • LDAP and multiple domains

    Currently migrating to a new domain and is there any way to configure LDAP to use both during the migration?... We've been able to use one or the other via redirecting the LDAP Configuration Wizard and our test users, but they only work for a short time and then fail.  I'm thinking there is a keep-alive period that expires, so is that a possibility? Reset how long LDAP keeps currently populated users.

    It is not possible to configure Contract Management to connect / integrate with more than one LDAP authentication server.
    This is an existing Enhancement Request:
    Bug 9724986         15    ABILITY TO ENTER MULTIPLE LDAP SERVERS FOR CONTRACT MANAGEMENT
    The Primavera Administrator only supports variables for a single authentication mode and authentication server.
    Reference: Note 913872.1 How To: Configure / Enable LDAP Authentication using the Primavera Administrator (admincm.cmd)
    This sounds like short term requirement, however, if you would like to be included on the related Enhancement Request, please create an SR to request your organization be added to the Enhancement Request.

  • Does the EP Sneak Preview support LDAP authentication?

    When using the EP Sneak Preview is LDAP authentication supported or is only Portal Authentication supported?
    Thanks in advance.

    Hi Neil and welcome to SDN,
    YES! you can configure EP Sneak Preview with LDAP. Check the documentation on help.sap.com for how to do this.
    Hope this helps,
    Robert

  • LDAP Configuration - Multiple domains

    I have a domain called SA and I have subdomains called IL, NY, TX with corresponding users in each subdomain. It is a deep hierarchy. I want to bring all the users from all these subdomains.
    Below is my environment,
    User path: ou=users,ou=test,dc=IL,dc=SA
    User path: ou=users,ou=map,dc=NY,dc=SA
    User path: ou=users,ou=temp,dc=TX,dc=SA
    If I give a single path, I am able to bring all the LDAP users. What do I need to do to bring all the users from all the subdomains in EP60.

    Dear Anonymous User -
    Have you tried configuring the connection to the LDAP to use port 3268 instead of 389?  Also, you may need to point to the domain controller instead of one of the sub-domains.
    Additionally, you'll want to ensure that the users are unique amongst all of the sub-domains.  If not, you'll find that users may experience intermittent behaviour.
    Finally, you could also configure the portal to use multiple LDAPs, and treat each of the sub-domains as a separate LDAP even though they physically exist on the same server.
    Regards,
    Kyle
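    As an added example (not code from the original thread, and not a Cisco or SAP tool), the Python below models what a global catalog search over a forest returns and shows the point on which both the opening question and the EP60 thread above turn: with two child domains, sAMAccountName can collide while userPrincipalName stays unique, so the login attribute and the search scope have to be chosen together. The forest entries, the NetBIOS name table and the attribute values are constructed sample data standing in for real directory output; the escaping helper follows RFC 4515 so a typed login cannot rewrite the search filter.

```python
"""Added example: model a global-catalog search over an AD forest and resolve
logins safely when child domains can reuse sAMAccountName.  Directory data is
constructed; nothing here talks to a real LDAP server."""
from collections import defaultdict

# Constructed sample of a global catalog (port 3268) result for (objectClass=user)
# under the forest root abc.com with child domains us.abc.com and uk.abc.com.
FOREST_ENTRIES = [
    {"dn": "CN=John Smith,OU=Users,DC=us,DC=abc,DC=com",
     "sAMAccountName": "jsmith", "userPrincipalName": "jsmith@us.abc.com"},
    {"dn": "CN=Jane Smith,OU=Users,DC=uk,DC=abc,DC=com",
     "sAMAccountName": "jsmith", "userPrincipalName": "jsmith@uk.abc.com"},
    {"dn": "CN=Ann Lee,OU=Users,DC=uk,DC=abc,DC=com",
     "sAMAccountName": "alee", "userPrincipalName": "alee@uk.abc.com"},
    {"dn": "CN=Svc CM,OU=Services,DC=abc,DC=com",
     "sAMAccountName": "svc-cm", "userPrincipalName": "svc-cm@abc.com"},
]

# Assumed NetBIOS names for the sample domains (DOMAIN\user login form).
NETBIOS = {"abc.com": "ABC", "us.abc.com": "US", "uk.abc.com": "UK"}


class AmbiguousLogin(Exception):
    """Raised when a login string matches more than one account."""


def domain_of(dn):
    """DNS domain from the DC= components of a DN (simple split; DNs with
    escaped commas would need a real DN parser)."""
    parts = [p.split("=", 1)[1] for p in dn.split(",") if p.upper().startswith("DC=")]
    return ".".join(parts).lower()


def find_collisions(entries, attr="sAMAccountName"):
    """{value: [dn, ...]} for attribute values held by more than one entry."""
    seen = defaultdict(list)
    for e in entries:
        seen[e[attr].lower()].append(e["dn"])
    return {v: dns for v, dns in seen.items() if len(dns) > 1}


def choose_login_attribute(entries):
    """sAMAccountName is only safe as the user ID while it is unique across the
    whole search space; otherwise fall back to userPrincipalName."""
    return "userPrincipalName" if find_collisions(entries) else "sAMAccountName"


def escape_filter_value(value):
    """RFC 4515 escaping so a typed login cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(login):
    """Search filter for the login form: UPN if it carries '@', else sAMAccountName."""
    attr = "userPrincipalName" if "@" in login else "sAMAccountName"
    return "(%s=%s)" % (attr, escape_filter_value(login))


def resolve_login(entries, login):
    """Map one login string to exactly one entry, matching case-insensitively:
       user@suffix  -> userPrincipalName (unique forest-wide)
       DOMAIN\\user  -> sAMAccountName within that child domain
       user         -> sAMAccountName anywhere, which breaks on a collision
    A second hit raises instead of silently returning the first account."""
    key = login.lower()
    if "@" in key:
        hits = [e for e in entries if e["userPrincipalName"].lower() == key]
    elif "\\" in key:
        nb, _, user = key.partition("\\")
        hits = [e for e in entries if e["sAMAccountName"].lower() == user
                and NETBIOS.get(domain_of(e["dn"]), "").lower() == nb]
    else:
        hits = [e for e in entries if e["sAMAccountName"].lower() == key]
    if not hits:
        raise LookupError("no account matches %r" % login)
    if len(hits) > 1:
        raise AmbiguousLogin("%r matches %d accounts: %s"
                             % (login, len(hits), [h["dn"] for h in hits]))
    return hits[0]


if __name__ == "__main__":
    print("collisions:", find_collisions(FOREST_ENTRIES))
    print("use attribute:", choose_login_attribute(FOREST_ENTRIES))
    print("filter:", build_filter("jsmith@uk.abc.com"))
    for login in ("jsmith@uk.abc.com", "US\\jsmith", "jsmith"):
        try:
            print(login, "->", resolve_login(FOREST_ENTRIES, login)["dn"])
        except AmbiguousLogin as err:
            print(login, "-> refused:", err)
```

    Against a live directory the same filters would be sent to port 3268 (the global catalog) rather than 389 so that the result set spans every child domain; resolve_login deliberately raises on a second hit instead of taking the first entry, because a first-match lookup on a colliding sAMAccountName maps the login to whichever account the server happens to return first.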

  • Authentication - multiple domains with multiple accounts

    Dear All,
    Consider an environment where a user, Joe Bloggs, has an account on two Windows domains:  DOMA and DOMB.  DOMA is a domain that all users in the organisation are members of.  DOMB is a domain used by a smaller subset of users.  The user's machine is part of the DOMB domain.
    I'd like to deploy SharePoint 2013 on DOMA and have the user, logged on to their DOMB machine, seamlessly authenticate (through IWA) with SharePoint 2013.  
    So far, I've thought of the following solutions:
    1.  Build a trust between the two domains.  Possible, but the AD information in DOMA is more up-to-date than that in DOMB and I'd like to use that to populate SharePoint user profiles.  Also, DOMB is likely to be deprecated in the future.
    2.  Use WorkPlace Join.  Unfortunately, devices are running Windows 7 and WorkPlace Join only works for devices running Windows 8.
    I've wondered whether it's possible to map two accounts on separate domains together so that a user on DOMB can effectively masquerade as their corresponding user on DOMA when authenticating with SharePoint, but haven't come across a way of doing this, yet.
    Any ideas?  Or, am I completely mad?!
    Thanks in advance.

    1) Is your only option for seamless logon with IWA. It is not possible to map accounts "together" so-to-speak. SharePoint stores a reference to the user's SID, which must match the user making the request.
    An ADFS trust might be another option, although that increases your deployment footprint and complexity.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • ACS Authentication, multiple domains

    Hi all,
    I have the following problem
    I have a Win 2003 domain (A) and a trust established with another Win 2003 domain (B). Domain A is the one with the CiscoSecure software.
    We have many trusts with other domains (mostly Win 2000) and have configured the mappings by using CiscoSecure.
    But when trying to "add mappings" for this new 2003 Domain (B), I continually am getting "failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information."
    I am not able to see domain B's users and groups from within the Cisco Secure software.
    However, if I use Active Directory Users and Computers from Domain A, and "connect to domain" and choose Domain B, I am able to view all users and groups just fine.
    Do you know if there is a problem with configuring two 2003 domains in this software? Do you have any other areas that I should investigate? Some local policy on Domain B?

    If ACS is installed on a DC of DOM1 and DOM1 has trust relationship to a remote domain DOM2
    1) ACS Services (on DOM1 DC) run under a DOM1 Domain User (and Local Machine Administrator) - "acsacct"
    2) This account (acsacct) has "Act as part of the OS" permission in Domain Security Policy and Domain Controller Security Policy
    3) On DOM2 (The Remote Domain) , we Delegated Control to the acsacct User to the Custom Task of "Group Objects" and "User Objects".

  • Authentication, Multiple domain,different forest lowercase domain.

    We have successfully configured a BOXI 3.1 SP3 to use SSO using Vintela and Tomcat for our domain that is on 2000 native mode.
    Let's call this one Domain1.
    In our domain there is another separate domain sitting on a 2003 domain level. (Let's call this one Domain2). They have a 2 way trust, but not transitive.
    Here is the deal:
    1- Users from domain1, where the server is configured are able to access using SSO without issues.  Users from domain2 needs to do manual logon, but using the following format:
    useraccount at DOMAIN2.COM
    If we use the domain as lowercase, login does not work even if we use the domain_realm on krb5.ini  Why?
    2- Do you think that we have to move domain1 to 2003 native mode and configure a 2-way trust in order to have SSO working on both domains that are from different forests?
    Any help would be appreciated.

    Note 1206522 seems to answer my questions, but anyway still not satisfied.

  • LDAP Authentication in Siebel integrated OBI

    Hi, We have OBI integrated in Siebel through Symbolic URL. We want to implement LDAP Authentication in OBI. Can anybody tell me the high level steps on the Siebel side which we need to do for supporting LDAP Authentication.
    thx,
    parag

    1. Register the LDAP server in the OBIEE repository and test.
    2. Modify the authentication init block to use the LDAP server.
    3. Create Siebel responsibilities in the RPD.
    4. Test OBIEE Answers with a user that exists in LDAP.
    Thanks
    Jay.

  • Multiple domains authentication on Cisco ISE

    Hi,
    Does the current Cisco ISE support authenticating against multiple Active Directories?
    I can only set Cisco ISE to join a single Active Directory and LDAP.
    Does anyone have set Cisco ISE to support EAP-FAST with WPAD or PAC provisioning ?
    Thanks
    Pongsatorn

    Hi,
    We are in a situation where we need to authenticate users of two domains and these two domains are completely independent (no common DNS server). ISE is not able to resolve one of the domains using the DNS server settings, and adding a host entry for the domain name is not sufficient since Kerberos, GC and LDAP SRVs need to be resolvable as well.
    From what I know ISE 1.3 should support disjointed domains and there is no requirement for ISE to have a 2-way trust relationship with the domains.
    Please share your experience if someone has faced similar situation before.
    Regards,
    Akhtar

  • LDAP authentication in AD (users from other trusted domain)

    Hi
    I have two domains: my - DOMAINA.LOCAL and another trusted - DOMAINB.LOCAL
    I use LDAP authentication in AD for authentication users (AnyConnect).
    Now, I need to authenticate few users from other trusted domain (DOMAINB.LOCAL).
    I do not want a direct connection with the domain controller in the trusted domain.
    My domain controller (DOMAINA.LOCAL), can authenticate users from other trusted domain (if I use username "DOMAINB\userindomainb"), if I try to connect by RDP client to some server (for example, to my domain controller).
    But if I try to test aaa-server authentication from ASA
    I get error.
    I think I must use a username like "DOMAINB\userindomainb" but this does not work.
    Help me please.
    Thanks!
    My config:
    aaa-server ADA protocol ldap
    aaa-server ADA (inside) host 10.0.0.1
     ldap-base-dn dc=domaina, dc=local
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
     server-type microsoft

    Hello!
    I see in console (debug LDAP):
    Request for [email protected] returned code (10) Referral
    Does ASA support authentication via LDAP referrals?
    I read old thread:
    https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification
    And see: CSCsj32153  Symptom: the ASA/PIX doesn't currently support LDAP Referral searches.
    But I use:
    Cisco Adaptive Security Appliance Software Version 9.2(3)
    Device Manager Version 7.3(3)
    Compiled on Mon 15-Dec-14 05:10 PST by builders
    System image file is "disk0:/asa923-smp-k8.bin"
    Thanks!

  • Supporting Multiple domains in IM&P with an Expressway deployment?

    Hello everyone. This is long winded but the context is needed to explain what I'm looking for. Any help is appreciated.
    My customer has piloted IM&P for 1 year now and is looking to take it to the next level. They purchased Expressway Core & Edge and they are looking to enable Mobile Remote Access, B2B Video and XMPP Federation. One issue is that the Jabber domain that was selected 1 year ago for the pilot was a local domain. The reason for this is because the multidomain support was not available at the time. Internally there are 3 domains. example.ca, examplesales.ca, and examplebanannas.com. Their Jabber ID they use today is example.root.local. I am reading through the guides and it seems as though IM&P allows you to map a JABBER ID to an email address or a directory URI. This will allow multiple presence domains within one Presence cluster. The problem is that it appears as though federation will not work through expressway core / edge if you use this method. Can this be confirmed?
    I am providing you these URLs only for guidance, to show you how I arrived at my situation where I'm asking for help on a configuration change to my customer's IM&P settings.
    Note the section on page 41 of the following guide http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-5/Mobile-Remote-Access-via-VCS-Deployment-Guide-X8-5-1.pdf
    One would presume that Multi-domain support is now supported with expressway core & edge. The caveat I found on page 4 of the following guide in relation to xmpp federation.
    http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/XMPP-Federation-with-Cisco-VCS-and-IM-and-Presence-Service.pdf
    and page 10 of the following guide
    http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-5/XMPP-Federation-with-Cisco-VCS-and-IM-and-Presence-Service.pdf
    and this section
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/interdomain_federation/10_5_1/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105_chapter_01010.html#CUP0_RF_CAF8AEDD_00
    Expressway-E does not support XMPP address translation (of email addresses, for example). If you are using Expressway-E for XMPP federation, you must use native presence Jabber IDs from IM and Presence Service.
    This being said
    Based on my findings, I believe Cisco now supports multi-domain setup for IM&P with the "caveat" federation still doesn't work. My customer is not happy with this but still would like to proceed with the rest of the benefits that MRA brings to the table for their Jabber deployment. 
    To support the above scenario it is my understanding I need to make an adjustment to the configuration of IM&P. As I stated when I opened the case my customer’s current IM&P domain is “example.root.local” their JID is made up of [email protected]. It’s my understanding we cannot use this domain and activate MRA so we need to adjust everyone’s JID to be a Publicly routable DNS name. Since everyone that has a JABBER account also has an email account I was thinking we map the JID to the email. I’m trying to understand how to get from where we are to where we need to be. I found this guide but it doesn’t talk about the effects of doing this on a live system setup the way my customer is setup.
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/interdomain_federation/10_5_1/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105_chapter_01100.html
    I am also not certain this is the setting I'm looking for. I believe what I need to change is actually on the Presence server under the domains section, where I found this:
    Domains Configuration
    Use the controls on this window to view and edit domains managed by the IM and Presence Service. Previously, the IM and Presence Service supported a single domain. With this release, you can specify multiple domains.
    Before You Begin
    To take advantage of multiple IM and Presence Service domains, you must choose Directory URI as the IM address scheme on the Advanced Presence Settings window. If the IM address scheme is set to UserID@domain, the default domain is used for the IM and Presence Service. The status of the IM Address Scheme setting is displayed at the top of the window in the Status box. The Status box contains a link to the Advanced Presence Settings window.
    Is this what I need to do?

  • LDAP External Authentication Multiple Search Base DNs question

    hi,
    I'm trying to add two LDAP search DNs to a Portal 6.2 organisation.
    With one search base DN it works fine.
    When I add another, all LDAP auth for that org stops working.
    The docs confusingly state that if you have multiple search DNs (not talking about multiple LDAP servers here - just the search base DNs) you should prefix each entry with the local server name. The docs however provide no examples of the syntax.
    Can anyone provide an example for multiple search DNs? E.g. is it <server:port>:o=<etc> (doesn't seem to work)?
    thanks

    hi,
    Yes I have.. but when you enter more than one it stops working... with only one entry in the GUI it will work for that entry, but when you add another it stops working...
    I had to use a manual workaround like this to get the second one going... :(
    External ldap authentication
    register the LDAP authentication service in the gui and setup the first DN as normal.
    create the first set of entries for the ldap host and the base dn in the gui as normal etc.
    the gui in the admin console is not working (depending on your point of view), so you need to add the second ldap config manually -
    All commands are run from the /apps/jes/SUNWam/bin directory
    1. Get an encrypted value for the bind dns (cn=Directory Manager) password you want to bind to the ldap directory as by using the ampassword utility shipped with Identity Server.
    ./ampassword -e directory_manager password
    More information on this utility can be found in the Sun ONE Identity Server Administration Guide.
    2. Copy the encrypted password as the value for the iplanet-am-auth-ldap-bind-passwd in the XML file (serviceAddMultipleLDAPConfigurationRequests.xml) created in Step 1. The XML file contains a template for creating the second LDAP DN.
    3. Modify the data XML file accordingly so that the relevant details are provided for the 2nd ldap server (bind dn search base etc) and load this into the portal directory using the amadmin command line tool as follows from the /opt/SUNWam/bin directory
    ./amadmin -u amadmin -w administrator_password -v -t serviceAddMultipleLDAPConfigurationRequests.xml
    If the imported xml values are incorrect delete and reload the imported xml data using amadmin command tool. Alternatively you can modify the ldap data directly on the primary identity server (ldap server) using a client browser though this method is not supported .
    You should be able to see new imported values for the second ldap server at dn:ou=subconfig1,ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthLDAPService,ou=services,ou=ORG,o=lgaq.qld.gov.au on the primary ldap server (where ORG is the organisation you wanted to add the second DN).

  • LDAP Authentication Scheme - Multiple LDAP Servers?

    How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.

  • Strip multiple @domain used in username on AD Integration with Cisco ISE?

    Hi there ,
    How to strip multiple domain suffixes from username through ISE with AD being used as external Identity Source. Username is being used in username@domain format.
    Cisco ISE 1.2 patch 4 introduced strip prefix or suffix @domain realm from username through ISE with AD being used as external Identity Source. But the documentation is not updated for this feature. I am able to strip 1 domain suffix successfully but subsequent ones listed in the suffix list fails to get stripped.
    Any thoughts on the same.
    Thanks Kumar

    In the ISE Under Administration > Identity Management > External Identity Sources
    Choose Active Directory on the Left, Select your AD Server and select Advanced Settings
    Under Identity Suffix Strip, Make sure Strip prefixes listed below: is selected (I know, it says prefix).
    In the List of Suffixes box, enter your list of domain suffixes to strip.  The separating character is a comma (,). 
    If this doesn't fix your issue, then I am afraid that a call to TAC may be in order.
    *****UPDATE*****
    Spaces are significant characters.  When listing domains, do so as such:
    @domain.com,@domain.local,@testdomain.com
    *****END UPDATE*****
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton
    Message was edited by: Charles Moreton
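    As an added example (not part of the thread, and not Cisco's implementation), the Python below models the suffix-strip behaviour described in the answer and adds a lint for the GUI list: the parser deliberately keeps whitespace because, as the update says, spaces are significant, so a list typed as "@domain.com, @domain.local" contains a suffix that never matches. How ISE matches internally is an assumption here (case-insensitive, one whole suffix or prefix removed, first matching entry wins); the usernames and lists are constructed.

```python
"""Added example: a model of the ISE "Identity Suffix Strip" list discussed
above.  ISE's real matching rules are not documented in the thread; this code
assumes case-insensitive matching of one whole suffix (or prefix) and that only
the first entry that matches is removed."""


def parse_suffix_list(raw):
    """Split the list exactly as typed into the GUI box.  No whitespace is
    trimmed because the post notes that spaces are significant characters."""
    return [s for s in raw.split(",") if s != ""]


def strip_identity(username, suffixes, prefixes=()):
    """Return (bare_user, removed).  A DOMAIN\\ prefix is removed first, then at
    most one suffix.  'removed' is "" when nothing matched, so the caller can
    tell a miss (the login passes through unchanged) from a hit."""
    user, removed = username, ""
    for p in prefixes:
        if len(user) > len(p) and user.lower().startswith(p.lower()):
            user, removed = user[len(p):], user[:len(p)]
            break
    for s in suffixes:
        if len(user) > len(s) and user.lower().endswith(s.lower()):
            user, removed = user[:len(user) - len(s)], removed + user[len(user) - len(s):]
            break
    return user, removed


def lint_suffix_list(raw):
    """Entries that can never match a real login: surrounding whitespace or a
    missing leading '@'.  Run this before pasting the list into the GUI."""
    problems = []
    for s in parse_suffix_list(raw):
        if s != s.strip():
            problems.append("%r contains surrounding whitespace" % s)
        elif not s.startswith("@"):
            problems.append("%r does not start with '@'" % s)
    return problems


if __name__ == "__main__":
    good = "@domain.com,@domain.local,@testdomain.com"
    bad = "@domain.com, @domain.local, @testdomain.com"   # spaces after the commas
    for raw in (good, bad):
        print(raw, "->", lint_suffix_list(raw) or "ok")
        for name in ("kumar@domain.local", "kumar@TESTDOMAIN.COM", "kumar@other.com"):
            print("  ", name, "->", strip_identity(name, parse_suffix_list(raw)))
```

    With the spaced list only the first suffix ever strips, which is the symptom reported in the question; the lint reports the offending entries so the list can be corrected before users are affected.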