Contextless Login LDAP Servers

I don't know if this has been posted previously; sorry if it has. I want to push out the LDAP server requirement for the Novell Client. I put in the configured option 95 and listed the IP address, but the client doesn't register them, and if I do an ipconfig /all in Windows it doesn't show up. Did I miss something, or can it not be done for LDAP contextless logins?

I would take a LAN trace from the workstation or server side and see if the DHCP response from the server includes the options (easy to view with Wireshark). That would at least tell you whether the server is sending out the options as configured.
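To do the check the reply describes offline, here is an added example (not code from the thread): it builds a DHCP ACK in memory with the field values quoted in the "Troubles with DHCP-supplied LDAP servers" post further down, walks the option TLVs the way a capture tool would, and reports whether option 95 is present and whether its payload is a text LDAP URL or a list of raw IPv4 addresses. The packet contents are constructed; the option layout follows RFC 2132.

```python
"""Check a DHCP reply for option 95 (the LDAP server option).

Added example; not code from the thread. It builds a DHCP ACK in memory with
the field values shown in the Mac's `ipconfig getpacket en1` output further
down the page, then walks the option TLVs the way a capture tool would, so you
can confirm the server is actually sending option 95 before suspecting the
client.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_LEASE = 53, 54, 51
OPT_LDAP = 95                         # shown as ldap_url by getpacket


def _tlv(code, payload):
    return bytes([code, len(payload)]) + payload


def build_dhcp_ack(ldap_payload=None):
    """Constructed DHCP ACK: BOOTP header (236 bytes) + cookie + options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                                      # BOOTREPLY, htype, hlen, hops
        276885973, 0, 0,                                 # xid, secs, flags
        bytes([10, 0, 0, 228]), bytes([10, 0, 0, 228]),  # ciaddr, yiaddr
        bytes([10, 0, 0, 78]), bytes([0, 0, 0, 0]),      # siaddr, giaddr
        bytes.fromhex("001cb3b0e2d5"), b"", b"",         # chaddr, sname, file (zero-padded)
    )
    options = (
        _tlv(OPT_MSG_TYPE, b"\x05")                      # DHCPACK
        + _tlv(OPT_SERVER_ID, bytes([10, 0, 0, 78]))
        + _tlv(OPT_LEASE, struct.pack("!I", 0x5A0))
        + _tlv(1, bytes([255, 255, 255, 0]))             # subnet mask
        + _tlv(3, bytes([10, 0, 0, 1]))                  # router
        + _tlv(6, bytes([10, 0, 0, 9]))                  # DNS server
        + _tlv(15, b"mydomain.de")                       # domain name
    )
    if ldap_payload is not None:
        options += _tlv(OPT_LDAP, ldap_payload)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_options(packet):
    """Return {code: payload} for every option after the magic cookie.

    Repeated codes are concatenated (RFC 3396 long options); a TLV whose
    length runs past the end of the packet raises instead of being silently
    truncated.
    """
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header at offset %d" % i)
        length = packet[i + 1]
        payload = packet[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = opts.get(code, b"") + payload
        i += 2 + length
    return opts


def decode_option95(payload):
    """Option 95 may carry a text LDAP URL (as the dhcpd.conf on this page
    declares it) or a list of raw IPv4 addresses. Report which shape was sent."""
    if payload.startswith(b"ldap"):
        return ("url", payload.decode("utf-8", "replace"))
    if payload and len(payload) % 4 == 0:
        return ("ips", [".".join(str(b) for b in payload[k:k + 4])
                        for k in range(0, len(payload), 4)])
    return ("raw", payload.hex())


def ldap_option_report(packet):
    """Summarise what a captured ACK says about LDAP; None if option 95 is absent."""
    opts = parse_options(packet)
    if opts.get(OPT_MSG_TYPE) != b"\x05":
        raise ValueError("not a DHCPACK")
    if OPT_LDAP not in opts:
        return None
    return decode_option95(opts[OPT_LDAP])


if __name__ == "__main__":
    url = b"ldaps://ldap.mydomain.de:636/dc=mydomain,dc=de"
    print(ldap_option_report(build_dhcp_ack(url)))   # ('url', 'ldaps://...')
    print(ldap_option_report(build_dhcp_ack(None)))  # None: server never sent option 95
```

To use it on a real capture, export the UDP payload of the DHCP ACK from Wireshark as raw bytes and pass it to ldap_option_report.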

Similar Messages

  • Multiple LDAP Servers

    Is it possible to configure and use two or more LDAP servers to authenticate OBIEE users? We have users with logins in two different domains that need to log in to our OBI servers.

    Yes, it is.
    Just list out all the LDAP servers with domain identifiers.
    Then in your authentication initialization block add all the LDAP servers. The BI Server will then authenticate against each server until it finds a match, or, based on the domain identifier, it will go to the corresponding LDAP server.
    - Madan

  • Authentication - same account name on 2 LDAP servers

    We have our Mac clients set up to authenticate against 2 LDAP servers, one Open Directory, one eDirectory. To keep things easy for our users I want to use the same login username for both OD and eDirectory users. We basically have users logging into both Windows and Macs; I want a specific set of users to have home directories on our Mac server (only when logging into the Macs), and to pick up their Windows home directories when logging onto Windows machines. I have the Mac server set above the eDirectory server in the Directory Utility search policy (client machines), but when I log in with a network account I am prompted to choose which account to use (eDir or OD; a similar screen to having managed users in different groups where you are prompted to choose your profile at login). I thought that by specifying the order in the search policy the client machine would authenticate the first account found rather than prompting for which account to use. Anyone know of a way to make this happen, i.e. set up identical accounts on both LDAP servers and have the Macs authenticate the first account found on the server specified in the Directory search policy instead of offering a choice? I hope this makes sense. I know it would be easier to mount a network share on the Mac server for certain users and have all the accounts authenticate via eDirectory, but I have to do it this way. Anyone have any advice??

    I am having exactly the same problem, also with an iMac and a MBP. My iMac is about 6 weeks old, and I migrated via Time Machine. I can read the files from the connected machine, but cannot write, regardless of which is the host. Permissions are all fine.
    I did notice one thing: the UUID number for the accounts is the same (accounts have the same name as with darrylh). You can find this under System Preferences > Accounts and right-click or control-click on the account name after unlocking it. I am working with Apple support on this, but no resolution yet. I suspect that the UUID (Universally Unique ID) should not be the same on two machines, but I don't know the consequences of changing it or which one to change.
    Thanks.

  • Multiple LDAP Servers in Fusion Middleware (OBIEE 11g)

    Hello,
    I have a question regarding integration of multiple LDAP servers with a single WebLogic Server of Fusion Middleware (OBIEE 11g). We are currently using OBIEE 10g. We are on the verge of migrating to 11g. However, I have a question regarding the LDAP server.
    Our two applications run on two distinct LDAP servers. The plan is to provide a single sign-on link for OBIEE 11g reports to the end users and, depending on what application they are using, they must be authenticated against the respective LDAP server.
    So, my question is: is it possible to integrate two different LDAP servers in the WebLogic of Fusion Middleware (OBIEE 11g)? If so, what would be the steps? Any helpful document will also be appreciated.
    Thank you,
    Chandu.

    Yes, you can configure multiple authentication providers one by one as you generally do.
    When you configure multiple Authentication providers, use the JAAS Control Flag for each provider to control how the Authentication providers are used in the login sequence. You can set the JAAS Control Flag in the WebLogic Administration Console.
    REQUIRED—The Authentication provider is always called, and the user must always pass its authentication test. If authentication succeeds or fails, authentication still continues down the list of providers.
    REQUISITE—The user is required to pass the authentication test of the Authentication provider. If the user passes the authentication test of this Authentication provider, subsequent providers are executed but can fail (except for Authentication providers with the JAAS Control Flag set to REQUIRED).
    SUFFICIENT—The user is not required to pass the authentication test of the Authentication provider. If authentication succeeds, no subsequent Authentication providers are executed. If authentication fails, authentication continues down the list of providers.
    OPTIONAL—The user is allowed to pass or fail the authentication test of this Authentication provider. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.
    Refer to: http://docs.oracle.com/cd/E13222_01/wls/docs92/secmanage/atn.html
    Regards
    Mukesh Negi
    http://weblogicserveradministration.blogspot.in/
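The control-flag rules in the reply above decide whether a user who exists in only one of the two domains can log in at all. The following is an added example, not code from the thread or from Oracle's documentation: it implements the standard JAAS control-flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) over a list of providers, each provider being a constructed username/password table standing in for one LDAP domain, so a planned provider order can be checked before it is changed in the Administration Console.

```python
"""Simulate a WebLogic login sequence across several authentication providers.

Added example, not from the thread or the Oracle documentation it links: it
implements the standard JAAS control-flag rules (REQUIRED, REQUISITE,
SUFFICIENT, OPTIONAL) summarised in the reply, so a planned provider order can
be checked before it is changed in the Administration Console. Each provider
is a constructed username/password table standing in for one LDAP domain.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


@dataclass
class Provider:
    name: str
    flag: str
    users: Dict[str, str]   # constructed: username -> password for this directory

    def login(self, user: str, password: str) -> bool:
        return self.users.get(user) == password


def authenticate(providers: List[Provider], user: str, password: str) -> Tuple[bool, list]:
    """Run the chain and return (overall_success, trace).

    trace records (provider name, flag, result) for every provider that was
    actually called, which shows where the chain stopped.
    """
    trace = []
    required_seen = required_failed = optional_ok = False
    for p in providers:
        ok = p.login(user, password)
        trace.append((p.name, p.flag, ok))
        if p.flag in (REQUIRED, REQUISITE):
            required_seen = True
            if not ok:
                required_failed = True
                if p.flag == REQUISITE:
                    break                 # REQUISITE failure ends the sequence at once
        elif p.flag == SUFFICIENT:
            if ok and not required_failed:
                return True, trace        # SUFFICIENT success: no later provider is called
            optional_ok = optional_ok or ok
        elif p.flag == OPTIONAL:
            optional_ok = optional_ok or ok
        else:
            raise ValueError("unknown JAAS control flag: %s" % p.flag)
    if required_seen:
        # every REQUIRED/REQUISITE provider must have passed
        return (not required_failed), trace
    return optional_ok, trace             # only OPTIONAL/SUFFICIENT: one must have passed


def two_domain_setups() -> Dict[str, bool]:
    """The case from the question: each user exists in exactly one of two domains."""
    domain_a = {"alice": "pw-a"}
    domain_b = {"bob": "pw-b"}
    # Workable order: either domain alone is enough to admit the user.
    good = [Provider("LDAP-DomainA", SUFFICIENT, domain_a),
            Provider("LDAP-DomainB", SUFFICIENT, domain_b)]
    # Common misconfiguration: both REQUIRED, so a user missing from one domain always fails.
    bad = [Provider("LDAP-DomainA", REQUIRED, domain_a),
           Provider("LDAP-DomainB", REQUIRED, domain_b)]
    return {
        "sufficient_alice": authenticate(good, "alice", "pw-a")[0],
        "sufficient_bob": authenticate(good, "bob", "pw-b")[0],
        "required_alice": authenticate(bad, "alice", "pw-a")[0],
    }


if __name__ == "__main__":
    for case, result in two_domain_setups().items():
        print(case, result)
```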

  • Troubles with DHCP-supplied LDAP servers

    Hello,
    this feature doesn't work at all in my environment....
    I have an OpenLDAP server (RFC 2307) and a couple of Macs (newest Leopard) which have been working quite nicely together for a while now.
    It's a closed network and I want to get rid of the following commands, which I have to enter on each new Mac:
    sudo dsconfigldap -x -e -v -s -a ldap.mydomain.de -n "MYLDAP"
    sudo dscl -q localhost -create /Search SearchPolicy dsAttrTypeStandard:CSPSearchPath
    sudo dscl -q localhost -merge /Search CSPSearchPath /LDAPv3/ldap.mydomain.de
    Instead I want to use the possibility to transmit the needed LDAP data using DHCP.
    Therefore I've added the following lines to the dhcpd.conf on my server:
    option ldap-server code 95 = text;
    option ldap-server "ldaps://ldap.mydomain.de:636/dc=mydomain,dc=de";
    Booting a mac I've got the following results:
    bo-dhcp-228:~ sysadm$ ipconfig getpacket en1
    op = BOOTREPLY
    htype = 1
    flags = 0
    hlen = 6
    hops = 0
    xid = 276885973
    secs = 0
    ciaddr = 10.0.0.228
    yiaddr = 10.0.0.228
    siaddr = 10.0.0.78
    giaddr = 0.0.0.0
    chaddr = 0:1c:b3:b0:e2:d5
    sname =
    file =
    options:
    Options count is 9
    dhcpmessagetype (uint8): ACK 0x5
    server_identifier (ip): 10.0.0.78
    lease_time (uint32): 0x5a0
    subnet_mask (ip): 255.255.255.0
    router (ip_mult): {10.0.0.1}
    domainnameserver (ip_mult): {10.0.0.9}
    domain_name (string): mydomain.de
    ldap_url (string): ldaps://ldap.mydomain.de:636/dc=mydomain,dc=de
    end (none):
    So far so good. But the LDAP server never gets used.
    dscl localhost list /LDAPv3 on the Mac client shows empty results, and on the wire there is absolutely no traffic to ldap.mydomain.de.
    In fact the Mac client completely ignores the DHCP-provided settings. Of course I've enabled the setting "Add DHCP-supplied LDAP servers to automatic search policies" on the client.
    I've tried to trace the problem on the client side by doing
    sudo ipconfig setverbose 1
    touch /Library/Preferences/DirectoryService/.DSLogAtStart
    and looking into /Library/Logs/DirectoryService/DirectoryService.debug.log, /var/log/system.log and /var/log/com.apple.IPConfiguration.bootp, but there is no hint why the client is not using the published LDAP settings.
    It must be some problem on the Mac side.
    Can anybody give a hint how to solve this problem?
    Thanks
    Christian

    I have not tried to set this up using the command line (as you described), but have in the past done it using "Server Manager" (on the server) and "Directory Access" on a Mac OS X 10.4.x client.
    When I did this I found that Macs after booting would not show a list of network login accounts (as they should have), and typically trying to log in using 'other' would fail. Also, typically after a minute or two (and several attempts) it usually did work. AppleCare's suggested workaround at the time was not to use DHCP to advertise the Open Directory but to instead manually define it on the clients (using Directory Access).
    My belief as to why it did not work is that when a Mac boots, it enables its network interface, asks the DHCP server for an address (and the LDAP details) and then in theory should continue to boot and connect to the LDAP server. However I believe that the timing of these events is such that the Mac goes past the LDAP stage before it has finished the DHCP stage and as a result does not have the LDAP information in time. By manually defining the LDAP (OpenDirectory) server in Directory Access it is already known in advance and you avoid this problem.
    I have seen nothing to suggest that Leopard is any different in this area (although my recollection is that Panther - Mac OS X 10.3) did not have this problem.
    So I use a manually defined entry on all our computers, and I have incorporated this in to the standard disk image I use to build all the new computers.

  • Terminal server application and contextless login

    Hi,
    Using ZEN 6.5 SP2 here, terminal server application, to a Win2k3 with client 4.91 SP2 (French + patch kit C for test).
    The credentials are passed correctly from the client to the server, and the "single-sign-on" works OK only if I specify the context in the client.
    I can't get the LDAP contextless login to work, neither with the old LgnCLW32.dll.
    If I do a local authentication, or through mstsc as usual, it works; it's only via the ZENworks apps.
    The client 4.91 SP1 or SP2 (don't remember) had a bug that it wasn't able to pass credentials at all, and that's not what I'm looking for...
    Any clue?
    Marc

    I believe this is true, but I'm talking about Novell login... What does the SAM have to do with this???
    I do not bother with Windows login, I have ZENworks that creates an account for me...
    Steps to replicate the problem:
    1) create user1 under context1 in eDir
    2) create user2 under context2 in eDir
    3) create ZEN DLU policies for logging into a regular WinXP and a Win2003 terminal server
    4) install the Novell client (configure the location profile with the tree name and the CONTEXT of CONTEXT1, and configure LDAP contextless login) and ZfD on the TS
    5) at this point, if anyone uses mstsc.exe to connect to the TS server, he should be able to log in to the TS, with a DLU, and get a desktop
    6) create a TS application in ZENworks, which points to the TS, and start any app (notepad.exe)
    7) log in to a WinXP workstation with user1, start NAL, click the app; it should do an "SSO" login to the TS and start notepad without asking for a password
    8) login will FAIL with user2, because he's under context2, and ZEN doesn't try to do contextless login
    Yeah, I can create an alias, but to me it's not elegant... and a waste of time
    Yeah, I can use IDM to create another tree, sync all my accounts into one context...
    Yeah, I can live with that for the rest of my users under context2....
    Marc, just trying to help...
    craig wilson wrote:
    > All I can tell you is that it is not going to happen.
    > Contextless Login is done via the client login utilities.
    > These utilities are not involved in the pass-through authentication
    > process. It may not even be possible to do.
    >
    > Through the use of IDM or Lynx this can be completely automated.
    > ------------------------------------------------------------------
    >
    > Create a local account on a workstation and a matching account on a
    > Domain with a matching password.
    >
    > Login locally to the PC and try to access the DC.
    > It works.
    >
    > Try to access a member server to which the domain account has rights.
    > It fails and prompts you to enter your user ID. Specify the ID in
    > domain/id format and you get in.
    >
    > Basically a failure of Passthrough authentication because the "Default"
    > security container is the local SAM for both systems. One holds the ID
    > one does not.
    >
    > This is really the same basic issue Novell is having via passthrough
    > authentication.
    >
    >
    >
    >
    >
    > Marc-Andre Vallee wrote:
    >> come on..........
    >> RFE....
    >

  • Contextless Login Troubleshooting

    Hey, people; it's another one of those Contextless Login problems again.
    Actually, I think the guys over in Directory Services have the [Public] object set up wrong, but unfortunately they differ. Perhaps someone can give all of us a clue?
    Here's what I have: The latest client is installed (install.txt attached), and attempts to use Contextless Login (CL) result in an Error Code 0xFFFFDA7. If I fill in everything manually, login proceeds fine. Wireshark tells me that a LDAP query is going to the right place and the server reports success, but with zero results. I've attached an anonymous browse via Apache Directory Studio. Can't think of anything else to add at the moment.
    Sorry about this; but as I don't have access to iManager on this project, I can't just go look.

    Hi,
    Looking at your unattend.txt you are missing some entries.
    Mine includes this:
    !LDAP_Contextless_Login_Tree_List_1=gw-tree
    !LDAP_Contextless_Login_Tree_List__Distribute=Replace
    !LDAP_Contextless_Login_Server_List_1=10.11.41.102
    !LDAP_Contextless_Login_Server_List__Distribute=Replace
    !LDAP_Contextless_Login_Context_List_0_1=o=ds
    !LDAP_Contextless_Login_Context_List_0__Distribute=Replace
    !LDAP_Contextless_Login_Enabled=YES
    !LDAP_Contextless_Login_Enabled_Distribute=Always
    !LDAP_Contextless_Login_Context_Search_Scope_Enabled=YES
    !LDAP_Contextless_Login_Context_Search_Scope_Enabled_Distribute=Always
    !LDAP_Contextless_Login_Display_Unique_ID=ON
    !LDAP_Contextless_Login_Display_Unique_ID_Distribute=Always
    !LDAP_Contextless_Login_User_Search_Failure=Continue
    !LDAP_Contextless_Login_User_Search_Failure_Distribute=Always
    What I suggest you do is manually set up a PC with the Contextless Login options and save them so that they are written to the registry. Then, using NCIMAN, do a registry import and save that file. Open it up and you should have all the correct LDAP Contextless Login information that you require for your network.
    Let us know how it goes.
    Cheers,
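The symptom in this thread (LDAP query reaches the server, server answers success, zero entries) and the context list, search scope and unique-ID settings in the reply all concern the same lookup, so here is an added example, not Novell client code, that models it: a bare username is searched under each configured context and resolved to a DN, with the zero-result and ambiguous cases reported separately. The directory is a constructed in-memory stand-in with a flag for whether anonymous ([Public]) searches may see entries; that "Context Search Scope Enabled" means subtree search is an assumption made here.

```python
"""Model the lookup an LDAP contextless login performs.

Added example, not Novell client code. The client takes the bare username,
searches each configured context on the LDAP server for it, and logs in with
the DN it finds. The directory here is a constructed in-memory stand-in with
a flag for whether anonymous ([Public]) searches may see the entries, which
is enough to reproduce the symptom in the post: the search succeeds with zero
results. Whether "Context Search Scope Enabled" means subtree search is an
assumption made here.
"""
from typing import List, Tuple

# Constructed eDirectory-style entries; two different jsmith objects on purpose.
DIRECTORY = [
    {"dn": "cn=jsmith,ou=sales,o=ds", "cn": "jsmith"},
    {"dn": "cn=jsmith,ou=eng,o=ds", "cn": "jsmith"},
    {"dn": "cn=mlee,ou=eng,o=ds", "cn": "mlee"},
    {"dn": "cn=tbrown,o=ds", "cn": "tbrown"},
]


def _parent(dn: str) -> str:
    return dn.split(",", 1)[1] if "," in dn else ""


def ldap_search(base: str, scope: str, cn: str, public_can_browse: bool = True) -> List[str]:
    """Anonymous (cn=VALUE) search under base with scope 'one' or 'sub'.

    eDirectory does not report missing rights as an error: when [Public] lacks
    browse/read rights the search returns success with no entries, exactly the
    Wireshark observation in the post, so that case yields [] here too.
    """
    if not public_can_browse:
        return []
    base = base.lower()
    hits = []
    for entry in DIRECTORY:
        dn = entry["dn"].lower()
        in_scope = dn.endswith("," + base) if scope == "sub" else _parent(dn) == base
        if in_scope and entry["cn"].lower() == cn.lower():
            hits.append(entry["dn"])
    return hits


def contextless_resolve(username: str, context_list: List[str],
                        search_subtree: bool = True,
                        public_can_browse: bool = True) -> Tuple[str, List[str]]:
    """Return ('ok', [dn]), ('ambiguous', [dns]) or ('zero_results', []).

    'ambiguous' is the case where the client has to display the unique ID and
    let the user pick; 'zero_results' is the failure seen in the post, whether
    caused by rights, a wrong context list, or a scope that is too narrow.
    """
    scope = "sub" if search_subtree else "one"
    found: List[str] = []
    for ctx in context_list:
        for dn in ldap_search(ctx, scope, username, public_can_browse):
            if dn not in found:          # contexts may overlap (o=ds and ou=eng,o=ds)
                found.append(dn)
    if not found:
        return "zero_results", []
    if len(found) > 1:
        return "ambiguous", found
    return "ok", found


if __name__ == "__main__":
    print(contextless_resolve("mlee", ["o=ds"]))                         # ok
    print(contextless_resolve("mlee", ["o=ds"], search_subtree=False))   # zero_results
    print(contextless_resolve("mlee", ["o=ds"], public_can_browse=False))  # zero_results
    print(contextless_resolve("jsmith", ["o=ds"]))                       # ambiguous
```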

  • How to configure sendmail to use multiple LDAP servers ?

    Hi everybody!
    I have sendmail running on Solaris 10 and an LDAP server (192.168.1.9) also running the Solaris 10 OS. I have configured sendmail the following way:
    bash-3.00# ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=email,dc=reso,dc=ru
    NS_LDAP_BINDPASSWD= {NS1}*********************
    NS_LDAP_SERVERS= 192.168.1.9
    NS_LDAP_SEARCH_BASEDN= dc=email,dc=domain,dc=ru
    NS_LDAP_AUTH= simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= sub
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= default
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_BIND_TIME= 10
    I also have another LDAP server (IP 192.168.1.10). It is configured as a replicant of the 192.168.1.9 LDAP server.
    The question is, how can I configure sendmail to use both LDAP servers?
    The man pages explain how to configure ldapclient to use ONE server, but what if I want to use two or more? All the settings and the profiles are the same.
    Thanks in advance =))

    Hi!
    To add LDAP servers to the Solaris ldapclient, you might use the ldapclient command:
    ldapclient manual -v -a defaultServerList="servera.yourdomain.com serverb.yourdomain.com"
    But this is only failover; AFAIK the Solaris ldapclient does not perform load balancing by itself.
    But I am not sure about your sendmail program. Normally, sendmail has its own configuration and can be configured to use LDAP, e.g. for aliases etc.
    Regards!
    Rainer

  • Multiple LDAP servers on a single system

    hi,
    Would like to know if it's a good idea to have multiple LDAP servers running on a single system (hardware)...
    100,000 user base
    We would like to run the old and new LDAP databases on the same server till we phase out the old LDAP database after migrating all applications..
    System:
    2 x V880 4CPU 8GB RAM --multi-master configuration
    4 x V420R 4CPU 8GB RAM -- read only replicas

    Shouldn't be an issue; that's not a particularly large user base and that's some hefty HW. Keep in mind though that they will be on different ports, so any software you migrate may eventually need tweaking to the default port when the new one takes over.

  • LDAP Authentication Scheme - Multiple LDAP Servers?

    How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.

  • How to find the ldap servers in a domain

    We have one domain controller (Win2003) and four additional DCs. How do we find the LDAP servers in our domain? Is any information available in the DNS server?

    G:\Users\joseph>nltest /dclist:gcm.com
    Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
           jed-dc.mcg.muhaidibco.com [PDC] [DS] Site: Default-First-Site-Name
          dam-adc.mcg.muhaidibco.com       [DS] Site: Default-First-Site-Name
          JED-ADC.mcg.muhaidibco.com       [DS] Site: Default-First-Site-Name
        infra-adc.mcg.muhaidibco.com       [DS] Site: Default-First-Site-Name
         kaau-adc.mcg.muhaidibco.com       [DS] Site: Default-First-Site-Name
    The command completed successfully
    I have got the above result. From the above, one server is the DC and the others are additional DCs. My question is, is an additional domain controller also an LDAP server?

  • Multiple LDAP Servers and Attribute-Based Data Partitioning

    Hello
    We currently want to implement the following scenario on NetWeaver 2004s. From the following SAP Help documentation we want attribute-based data partitioning:
    http://help.sap.com/saphelp_nw70/helpdata/EN/4e/4d0d40c04af72ee10000000a1550b0/frameset.htm
    The difference to the SAP document is that we want a distribution of attributes over multiple LDAP servers. So we tried to fit that concept into XML; see the attached XML source.
    The Portal finds both LDAP systems, but the users are NOT being merged; they appear as two distinct users in the portal UME. If you do a lookup in the portal user management system you get and see two users:
    User1: unique ID = USER.Datasource1.uid
    User2: unique ID = USER.Datasource2.uid
    Obviously the UME system was not able to merge the information of the two distinct LDAP systems, MSADS and Lotus Notes.
    Hence my questions:
    1) is it possible to distribute attributes over multiple LDAP data sources?
    2) any ideas why UME constructs two different users based on the Datasource IDs specified in the XML?
    Thanks for any contributions or ideas,
    Ulrich Scherb
    <?xml version="1.0" encoding="UTF-8"?>
    <dataSources>
        <dataSource id="PRIVATE_DATASOURCE"
                    className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
                    isReadonly="false"
                    isPrimary="true">
            <homeFor>
                <principals>
                     <principal type="group"/>
                     <principal type="user"/>
                     <principal type="account"/>
                    <principal type="team"/>
                    <principal type="ROOT" />
                    <principal type="OOOO" />
                </principals>
            </homeFor>
            <notHomeFor/>
            <responsibleFor>
                <principals>
                     <principal type="group"/>
                     <principal type="user"/>
                     <principal type="account"/>
                    <principal type="team"/>
                    <principal type="ROOT" />
                    <principal type="OOOO" />
                </principals>
            </responsibleFor>
            <privateSection>
            </privateSection>
        </dataSource>
        <dataSource id="NOTES_LDAP"
              className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
              isReadonly="true"
              isPrimary="true">
              <homeFor/>
              <responsibleFor>
                   <principal type="account">
                        <nameSpace name="com.sap.security.core.usermanagement">
                             <attribute name="j_user"/>
                             <attribute name="logonalias"/>
                             <attribute name="j_password"/>
                             <attribute name="userid"/>
                        </nameSpace>
                       <nameSpace name="com.sap.security.core.authentication">
                            <attribute name="principal"/>
                       </nameSpace>
                   </principal>
                   <principal type="user">
                        <nameSpace name="com.sap.security.core.usermanagement">
                             <attribute name="firstname" populateInitially="true"/>
                             <attribute name="lastname" populateInitially="true"/>
                             <attribute name="email"/>
                             <attribute name="uniquename" populateInitially="true"/>
                        </nameSpace>
                        <nameSpace name="$usermapping$">
                             <attribute name="REFERENCE_SYSTEM_USER"/>
                        </nameSpace>
                   </principal>
              </responsibleFor>
              <attributeMapping>
                   <principal type="account">
                        <nameSpace name="com.sap.security.core.usermanagement">
                             <attribute name="j_user">
                                  <physicalAttribute name="uid"/>
                             </attribute>
                             <attribute name="logonalias">
                                  <physicalAttribute name="uid"/>
                             </attribute>
                             <attribute name="j_password">
                                  <physicalAttribute name="unicodepwd"/>
                             </attribute>
                             <attribute name="userid">
                                  <physicalAttribute name="*null*"/>
                             </attribute>
                        </nameSpace>
                       <nameSpace name="com.sap.security.core.authentication">
                            <attribute name="principal">
                                 <physicalAttribute name="uid"/>
                            </attribute>
                       </nameSpace>                    
                   </principal>
                   <principal type="user">
                        <nameSpace name="com.sap.security.core.usermanagement">
                             <attribute name="firstname">
                                  <physicalAttribute name="givenname"/>
                             </attribute>
                             <attribute name="lastname">
                                  <physicalAttribute name="sn"/>
                             </attribute>
                             <attribute name="uniquename">
                                  <physicalAttribute name="uid"/>
                             </attribute>
                             <attribute name="loginid">
                                  <physicalAttribute name="*null*"/>
                             </attribute>
                             <attribute name="email">
                                  <physicalAttribute name="mail"/>
                             </attribute>
                        </nameSpace>
                        <nameSpace name="$usermapping$">
                             <attribute name="REFERENCE_SYSTEM_USER">
                                  <physicalAttribute name="sapusername"/>
                             </attribute>
                        </nameSpace>
                   </principal>
              </attributeMapping>
            <privateSection>
                   <ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
                   <ume.ldap.access.server_name>ldap1</ume.ldap.access.server_name>
                   <ume.ldap.access.server_port>389</ume.ldap.access.server_port>
                   <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
                   <ume.ldap.access.user>xxxxx</ume.ldap.access.user>
                   <ume.ldap.access.password>xxxxx</ume.ldap.access.password>
                   <ume.ldap.access.base_path.user>O=SMT_TEST</ume.ldap.access.base_path.user>
                   <ume.ldap.record_access>TRUE</ume.ldap.record_access>
                   <ume.ldap.unique_uacc_attribute>uid</ume.ldap.unique_uacc_attribute>
                   <ume.ldap.unique_user_attribute>uid</ume.ldap.unique_user_attribute>
                   <ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
                   <ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
                   <ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
                   <ume.ldap.access.objectclass.user>person</ume.ldap.access.objectclass.user>
                   <ume.ldap.access.objectclass.uacc>person</ume.ldap.access.objectclass.uacc>
                   <ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
                   <ume.ldap.access.auxiliary_naming_attribute.user>uid</ume.ldap.access.auxiliary_naming_attribute.user>
                   <ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
                   <ume.ldap.access.auxiliary_naming_attribute.uacc>uid</ume.ldap.access.auxiliary_naming_attribute.uacc>
              </privateSection>
         </dataSource>
        <dataSource id="CORP_LDAP"
              className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
              isReadonly="true"
              isPrimary="true">
              <homeFor/>
              <responsibleFor>
                   <principal type="account">
                        <nameSpace name="com.sap.security.core.usermanagement">
                             <attribute name="j_user"/>
                             <attribute name="logonalias"/>
                             <attribute name="j_password"/>
                             <attribute name="userid"/>
                        </nameSpace>
                       <nameSpace name="com.sap.security.core.authentication">
                            <attribute name="principal"/>
                            <attribute name="realm"/>
                            <attribute name="domain"/>
                       </nameSpace>
                   </principal>
                   <principal type="user">
                        <nameSpace name="com.sap.security.core.usermanagement">
                             <attribute name="firstname" populateInitially="true"/>
                             <attribute name="displayname" populateInitially="true"/>
                             <attribute name="lastname" populateInitially="true"/>
                             <attribute name="fax"/>
                             <attribute name="title"/>
                             <attribute name="department"/>
                             <attribute name="description"/>
                             <attribute name="mobile"/>
                             <attribute name="telephone"/>
                             <attribute name="streetaddress"/>
                             <attribute name="uniquename" populateInitially="true"/>
                        </nameSpace>
                        <nameSpace name="com.sap.security.core.usermanagement.relation">
                             <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
                        </nameSpace>
                        <nameSpace name="$usermapping$">
                             <attribute name="REFERENCE_SYSTEM_USER"/>
                        </nameSpace>
                   </principal>
                   <principal type="group">
                        <nameSpace name="com.sap.security.core.usermanagement">
                             <attribute name="displayname" populateInitially="true"/>
                             <attribute name="description" populateInitially="true"/>
                             <attribute name="uniquename"/>
                        </nameSpace>
                        <nameSpace name="com.sap.security.core.usermanagement.relation">
                             <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"/>
                             <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
                        </nameSpace>
                        <nameSpace name="com.sap.security.core.bridge">
                             <attribute name="dn"/>
                        </nameSpace>
                   </principal>
              </responsibleFor>
              <attributeMapping>
                   <principal type="account">
                        <nameSpace name="com.sap.security.core.usermanagement">
                             <attribute name="j_user">
                                  <physicalAttribute name="samaccountname"/>
                             </attribute>
                             <attribute name="logonalias">
                                  <physicalAttribute name="samaccountname"/>
                             </attribute>
                             <attribute name="j_password">
                                  <physicalAttribute name="unicodepwd"/>
                             </attribute>
                             <attribute name="userid">
                                  <physicalAttribute name="*null*"/>
                             </attribute>
                        </nameSpace>
                         <nameSpace name="com.sap.security.core.authentication">
                              <attribute name="principal">
                                   <physicalAttribute name="samaccountname"/>
                              </attribute>
                              <attribute name="realm">
                                   <physicalAttribute name="*null*"/>
                              </attribute>
                              <attribute name="domain">
                                   <physicalAttribute name="*null*"/>
                              </attribute>
                         </nameSpace>
                   </principal>
                   <principal type="user">
                        <nameSpace name="com.sap.security.core.usermanagement">
                             <attribute name="firstname">
                                  <physicalAttribute name="givenname"/>
                             </attribute>
                             <attribute name="displayname">
                                  <physicalAttribute name="displayname"/>
                             </attribute>
                             <attribute name="lastname">
                                  <physicalAttribute name="sn"/>
                             </attribute>
                             <attribute name="fax">
                                  <physicalAttribute name="facsimiletelephonenumber"/>
                             </attribute>
                             <attribute name="uniquename">
                                  <physicalAttribute name="samaccountname"/>
                             </attribute>
                             <attribute name="loginid">
                                  <physicalAttribute name="*null*"/>
                             </attribute>
                             <attribute name="mobile">
                                  <physicalAttribute name="mobile"/>
                             </attribute>
                             <attribute name="telephone">
                                  <physicalAttribute name="telephonenumber"/>
                             </attribute>
                             <attribute name="department">
                                  <physicalAttribute name="ou"/>
                             </attribute>
                             <attribute name="description">
                                  <physicalAttribute name="description"/>
                             </attribute>
                             <attribute name="streetaddress">
                                  <physicalAttribute name="postaladdress"/>
                             </attribute>
                             <attribute name="pobox">
                                  <physicalAttribute name="postofficebox"/>
                             </attribute>
                        </nameSpace>
                        <nameSpace name="com.sap.security.core.usermanagement.relation">
                             <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
                                  <physicalAttribute name="memberof"/>
                             </attribute>
                        </nameSpace>
                        <nameSpace name="$usermapping$">
                             <attribute name="REFERENCE_SYSTEM_USER">
                                  <physicalAttribute name="sapusername"/>
                             </attribute>
                        </nameSpace>
                   </principal>
                   <principal type="group">
                        <nameSpace name="com.sap.security.core.usermanagement">
                             <attribute name="displayname">
                                  <physicalAttribute name="displayname"/>
                             </attribute>
                             <attribute name="description">
                                  <physicalAttribute name="description"/>
                             </attribute>
                             <attribute name="uniquename" populateInitially="true">
                                  <physicalAttribute name="cn"/>
                             </attribute>
                        </nameSpace>
                        <nameSpace name="com.sap.security.core.usermanagement.relation">
                             <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
                                  <physicalAttribute name="member"/>
                             </attribute>
                             <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
                                  <physicalAttribute name="memberof"/>
                             </attribute>
                        </nameSpace>
                        <nameSpace name="com.sap.security.core.bridge">
                              <attribute name="dn">
                                  <physicalAttribute name="*null*"/>
                             </attribute>
                        </nameSpace>
                   </principal>
              </attributeMapping>
               <privateSection>
                   <ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
                   <ume.ldap.access.server_name>ldap2</ume.ldap.access.server_name>
                   <ume.ldap.access.server_port>389</ume.ldap.access.server_port>
                   <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
                   <ume.ldap.access.user>yyyyy</ume.ldap.access.user>
                   <ume.ldap.access.password>yyyyy</ume.ldap.access.password>
                   <ume.ldap.access.base_path.user>O=SMT_TEST</ume.ldap.access.base_path.user>
                   <ume.ldap.access.base_path.grup>O=SMT_TEST</ume.ldap.access.base_path.grup>
                   <ume.ldap.record_access>TRUE</ume.ldap.record_access>
                   <ume.ldap.unique_uacc_attribute>samaccountname</ume.ldap.unique_uacc_attribute>
                   <ume.ldap.unique_user_attribute>samaccountname</ume.ldap.unique_user_attribute>
                   <ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
                   <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
                   <ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
                   <ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
                   <ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
                   <ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
                   <ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
                   <ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
                   <ume.ldap.access.objectclass.grup>Group</ume.ldap.access.objectclass.grup>
                   <ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
                   <ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
                   <ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
                   <ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
                   <ume.ldap.access.naming_attribute.grup>cn</ume.ldap.access.naming_attribute.grup>
              </privateSection>
         </dataSource>
    </dataSources>
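
    A configuration check, added here as an example and not part of the original post, that parses a constructed dataSource snippet laid out like the one above and flags what a reviewer would question in it: a simple bind on port 389 without SSL, the j_password mapping to unicodepwd on that plaintext connection, a clear-text bind password, and a key that appears twice. The sample host and credentials are placeholders, and the ume.ldap.access.ssl key used to detect LDAPS is an assumption, not something shown on this page.

```python
import xml.etree.ElementTree as ET
# Constructed sample laid out like the <attributeMapping> and <privateSection>
# of the post above; server name and credentials are placeholders.
SAMPLE = """<dataSource id="CORP_LDAP">
  <attributeMapping>
    <principal type="account">
      <nameSpace name="com.sap.security.core.usermanagement">
        <attribute name="j_user"><physicalAttribute name="samaccountname"/></attribute>
        <attribute name="j_password"><physicalAttribute name="unicodepwd"/></attribute>
      </nameSpace>
    </principal>
  </attributeMapping>
  <privateSection>
    <ume.ldap.access.server_name>ldap2</ume.ldap.access.server_name>
    <ume.ldap.access.server_port>389</ume.ldap.access.server_port>
    <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
    <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
    <ume.ldap.access.user>svc-bind</ume.ldap.access.user>
    <ume.ldap.access.password>yyyyy</ume.ldap.access.password>
  </privateSection>
</dataSource>"""


def audit_datasource(xml_text):
    """Return the review findings for one UME <dataSource> definition."""
    root = ET.fromstring(xml_text)
    settings = {}
    for child in root.find("privateSection"):
        settings.setdefault(child.tag, []).append((child.text or "").strip())

    def first(key):  # first value of a key, lower-cased, "" if absent
        return settings.get(key, [""])[0].lower()
    findings = []
    for key, values in settings.items():  # a repeated key leaves the effective value to parser order
        if len(values) > 1:
            findings.append(f"duplicate key {key} ({len(values)} occurrences)")
    # ume.ldap.access.ssl is assumed to be the switch that turns on LDAPS; without it, 389 is plaintext
    plaintext = first("ume.ldap.access.server_port") == "389" and first("ume.ldap.access.ssl") != "true"
    if plaintext and first("ume.ldap.access.authentication") == "simple":
        findings.append("simple bind over plaintext port 389: bind credentials cross the network unencrypted")
    writes_pwd = any(p.get("name", "").lower() == "unicodepwd" for p in root.iter("physicalAttribute"))
    if plaintext and writes_pwd:
        findings.append("j_password mapped to unicodepwd on a plaintext connection: AD only accepts unicodePwd writes over TLS")
    if first("ume.ldap.access.password"):
        findings.append("bind password stored in clear text in the datasource file")
    return findings


if __name__ == "__main__":
    for finding in audit_datasource(SAMPLE):
        print("-", finding)
```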

    Hi Ulrich,
    Hope your problem is resolved. We are using EP7 and SP18. We are doing some study on your first issue, i.e. distributing a user attribute into multiple LDAPs. Can you please let me know the feasibility? If yes, what are all the steps I have to follow? Expecting your valuable answer. Thanks in advance!
    Regards,
    Kabali

  • Cisco ACS 5.2 authentication against multiple LDAP servers

    Hi Folks,
    I have a wireless network that uses ACS 5.2 to handle authentication. The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment. The authentication flow looks like this:
     - User tries to associate to WLAN
     - Authentication request is sent to ACS
     - Service selection rule chooses an access-policy (wireless_access_policy)
     - wireless_access_policy is configured to use my_ldap as identity source.
    A sister company is about to move into our offices, and will need access to the same WLAN. Users in the sister company are members of a separate AD domain (sister_company_ldap). I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful. Is this possible?

    Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
    You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1).

  • Load balancing LDAP Servers

    Hi
    Load balancing to be achieved on two LDAP Servers.
    In CSS, round robin configuration is carried out between the LDAP Servers.
    My query is: when the client initiates the TCP connection to the CSS VIP address, which in turn redirects the request to server A (termed LDAP binding), during that and any activities like LDAP modify communication from the client, will the CSS see that as a different request and redirect it to server B (as round robin configuration is carried out)?
    Any help on this is highly appreciated.
    Thanks & regards
    R.Sundara Rajan

    If I am reading your question correctly, it sounds like you are asking if, once a TCP session is established to the VIP, if subsequent LDAP transactions from that connecting client will be load balanced.
    The answer is no, once the TCP session is established, you will continue to use the same backend server until the TCP session ends (FIN or RST or whatever).
    Simply described in a healthy system, from TCP SYN to FIN everything will be directed to the same server.

  • Workflow support for Non OID LDAP servers

    Can workflow 2.6.2 be integrated with other vendors LDAP servers??

    OID supports integrating with other LDAP directories, and Workflow supports synchronizing with those other external user directories through OID. So you can use a third-party LDAP directory, but it is a requirement to go through OID to do so.
