DAP problem with LDAP

Similar Messages

• Problem with LDAP in BEA Portal

  Problem with LDAP in BEA Portal
  I have a list of 50 user which should be cerated in portal staging(devlopment) machine and should be transfered to
  production machine using LDAP
  Steps which i followed to create Users
  1.Create User Profile with 2 parameters branch and Role
  2.I have list user in the Xls file with Username,password ,branch and Role
  3.Write a java File which will read the Xls File
  4.The users are created in the staging machine for the portal
  Steps which i followed in LDAP to tranfer the created User form Devlopment to Production
  1.Export the created user from Devlopment (which was moved as .DAT in my local directory)
  2.import the user from local direcory to production machine
  The Users are imported in the production machine with username and password but the role and branch values are empty
  We need a solution for importing the user with role and branch corresponding to each user.
  Thanks in Adv
  Suresh

  In Portal 8.1, user name and password in stored in LDAP where as user profile values are stored in database. That is the reason you are not able to see the user profile values.
  Check once again whether you can see these values through admin tool. In case,it is not(after confirmation again),you might have to use APIs to do this for you incase you dont want to manage through Admin Tool.
  Thanks,
  Prashanth Bhat.

• EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

  Hello everyone,
  Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
  Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
  I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
  Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
  However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
  This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
  Here's what happens:
  1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
  2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
  3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
  4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
  5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
  Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
  http://discussions.apple.com/thread.jspa?messageID=5967023
  http://discussions.apple.com/message.jspa?messageID=5982070
  these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
  If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
  Thanks,
  Andrew

  Hard to tell what is happening without looking at the application
  source, knowing what OS & hardware you're using etc. You might want to
  try running with different JVM versions to see if it's actually the VM
  that is the problem. If you have a support contract with BEA you could
  ask support to help you diagnose this.
  Regards,
  /Helena
  Ayub Khan wrote:
  I have an application running on Weblogic 8.1 ( with JRockit as the JVM). This
  application in turns talks to an iPlanet Directory server via LDAP/SSL. The problem
  seems to happen on loading the machine..the performance progressively gets worse
  and after a couple of seconds, all the threads stop responding. I checked the
  heap, cpu and the idle threads in the execute queue and there is nothing there
  to trigger alarms...there are quite a few idle threads still and the heap and
  the cpu utilization seem OK. On doing a thread dump, Is see that all the other
  threads seem to be in a state where they are waiting for data from LDAP and it
  is basically read only data that they are waiting on.
  Does anyone know what it is going on and help point me in the right direction.
  -Ayub

• BO XI R2 problems with LDAP plugin talking to OID

  Hi all,
  We have a customer with OID 10g (Oracle Internet Directory, exact version 10.1.0.4), and BO 6.5, and we are in the process of upgrading to BO XI R2 (sp3).
  In our BO XI R2 (sp3) server, we are facing problems configuring the LDAP plugin. When we map a LDAP group (a dynamic group created in OID), BO retrieves the users that belog to the group but when we go to the Users list and try to see which groups this users belongs to, the CCM does not list our LDAP group.
  Moreover, when we try to login with LDAP authentication in infoview, the following error:
  "Account Information Not Recognized: An error occurred at the server : LDAP Authorization failed. Please make sure your entry belongs to a mapped LDAP group."
  Has anybody faced similar issues? Any idea how can we solve this?
  This issue is very important for our customer and could block the migration progress....
  Thank you very much in advance.
  Regards

  In that case a support engineer will likely need to scan the CMS and possibly packet scan the LDAP queries. When going to a group and viewing users a live query is sent to LDAP, is this info correct (do groups contain the right users)?
  But when viewing users (groups) this information is based on a cached graph that should be updated approximately every 15 minutes by default. Your issue seems to indicate this process is either slow or failing all together. Tracing with an engineer is the best rout to take. Let me know if I can offer anymore help from this end.
  Regards,
  Tim

• Problems with LDAP and umlaut in Password

  HI,
  in my application I have a ldap authentification. I'm using netscape.ldap.LDAPConnection for the Ldap Connection.
  Everything works fine except when the user has a umlaut in his password.
  How can I solve this problem?
  Best regards,
  Peter

  This was a known issue with Nautilus. It was fixed but it was a later version that 2.6.1. Looks like Solaris 10 includes a very old version of Nautilus. I would suggest opening a case with Oracle...

• Problems with LDAP Server fail-over

  Our Xsan installed with 12 FCP, 2 MDC Xserve and 2 LDAP Xserver for fail-over.
  The 2 MDC fail-over runs well but the 2 LDAP fail-over got problems.
  The first time we up-plug the powercode of 1 xserve and the other LDAP takes over successfully but FCP users re-login takes 15 minutes. That's unacceptable.
  The fail-over never succeed after that.
  That means once the LDAP down and the backup LDAP will not take the job, we will lose everything related to user login.
  Anybody can help? Thanks a lot.

  I believe you can enter both LDAP servers in the client configuration for LDAP access. (Even though you shouldn't have to)
  IP failover is not the issue, your LDAP configuration is.
  Start at page 90 and work throught this document to make sure you have the clients setup properly.
  http://manuals.info.apple.com/en/MacOSXSrvr10.3_OpenDirectoryAdmin.pdf

• Problem with LDAP configuration in Enterprise Manager

  Hi all,
  I'm new at Java CAPS. After install some pieces of Java CAPS now I'm trying to install and configure a Sun Java System Directory Server 5.2 in our environment.
  I've already configured the Repository and the Logical Host to work with the ldap, but I have some troubles to do it with the Enterprise Manager.
  I followed the instructions of the Administrator guide about the changes to do in web.xml and ldap.properties of the sentinel app but when I do login the Enterprise Manager I can't see the options of the tree to manage servers or users.
  It seems that the app don't recover the user roles. I think so becouse I tried to create one user without roles (in normal authentication, without ldap configured) and when I did login in the result was the same.
  At the beginning of the process I created the roles 'all', 'administration' and 'management'. However I tried to copy de roles of the Tomcat authentication from 'tomcat-users.xml' to ldap roles, but it doesn't work.
  Anyone could help me?
  Thanks in advance, and sorry for my rudimentary English

  Check that you have the correct Preferred Credentials with Logon as batch job if this is windows. Also check the correct configuration with regards LDAP integration for you platform.

• Connection problem with LDAP

  Hi,
  Is it possble to connect 10g version of database using LADAP from forms 6i ?
  Thanks
  Bcj

  Hi Wilfred,
  I would like to describe the tests and results which i have tried regarding the connection problem between forms 6i and Oracle 10.2 through OID(LDAP),
  Test 1.
  Installed forms 6i + patch 17 and Oracle 10.1.0.2 separately, and assigned the forms home to oracle 10 .1.0.2
  Received ,the message as, ORA -12154: TNS: could not resolve service name
  Test 2.
  Installed forms 6i + patch 17 and tried to install Oracle 10.1.0.2 in to the forms home then received an error message as "Oracle 10g database cannot be installed into an existing 7.x or 8.0.x ORACLE_HOME "
  Test 3.
  Installed Oracle 10.1.0.2 and installed forms 6i + patch 17 in to the Oracle 10.1.0.2 home, here I was able to connect through tnsnames.ora, but not through LDAP.
  When tried through LDAP , received the error message as , ORA -12154: TNS: could not resolve service name
  Here, forms created NET80 folder and it was trying to connect the database from this folder.
  Test 4
  Forms installed in test 1 and test 2 were able to connect through the oracle home which created at the time of test 3.
  Test 5
  Also tried to install the Oracle 10.1.0.2 into the oracle home which created at the time of third test, here again I received the error message as same as the second test.
  So, i agreed that it cannot, when this form version is tightly integrated to its oracle net libraries.
  After test 3, i have checked the oracle home in the registry all the variables pointing to the 10g database, here i was thinking is it possible to configure the oracle net libraries or any other to get connected.
  Thanks for your help
  Bcj

• Essbase 9.3.1 and problem with LDAP users

  Essbase 9.3.1 users externalized to Shared Services. Windows boxes. LDAP users set in Shared users. Provisioned with Essbase rights (administration and speciific cube access). Then in EAS have refreshed security from Shared Services. LDAP users show up now in EAS.
  However when attempting to connect through excel add-in or through EAS or through Financial reports to any Essbase app receving and error message that "login fails due to invalid credentials".
  Users setup in Shared services as Native Users are able to access Essbase apps.
  any ideas?

  It came down to a Novell E Directory LDAP setting. ID Attribute. We had it set to CN (based on a recommendation by a LDAP resource, although the default is GUID and GUID is recommended by the documentation).
  Turns out that Essbase when authenticating the LDAP user was forcing it back to GUID and causing some sort of mismatch.
  Setting the ID Attribute in the LDAP Configuration back to GUID resolved the issue.

• Problems with LDAP: "LDAP server prefix is not of the correct format"

  Hello!
  We use a Mac OS X Server (10.4.9) with Open Directory for authentication of the clients in our network. Furthermore, that machine serves home directories and mobile accounts.
  Every now and then a client hangs during login: After submitting login information, the system does not respond anymore (shows 'hourglass'). A few minutes later, the login process continues.
  The system log on the client contains the following lines:
  Apr 12 08:31:16 hostname kernel[0]: System Sleep
  Apr 12 08:31:16 hostname kernel[0]: Enabling XMM register save/restore and SSE/SSE2 opcodes
  Apr 12 08:31:16 hostname kernel[0]: Started CPU 01
  Apr 12 08:31:16 hostname kernel[0]: IOBluetoothHCIController::restartShutdownWL this is a wake from sleep
  Apr 12 08:31:16 hostname kernel[0]: System Wake
  Apr 12 08:31:17 hostname kernel[0]: AppleYukon - en0 link active, 100-Mbit, full duplex, symmetric flow control enabled
  Apr 12 08:31:18 hostname DirectoryService[53]: Search connection failure: During an attempt to bind to [X.Y.235.104] LDAP server.
  Apr 12 08:31:18 hostname DirectoryService[53]: Search connection failure: Disabled future attempts to bind to [X.Y.235.104] LDAP server for next 120 seconds.
  Apr 12 08:31:24 hostname kernel[0]: AFPSleepWakeHandler: waking up
  Apr 12 08:31:43 hostname DirectoryService[53]: DSLDAPv3PlugIn: DHCP option 95 error since obtained [X.Y.235.32] LDAP server prefix is not of the correct format.
  Apr 12 08:31:44 hostname /System/Library/CoreServices/MirrorAgent.app/Contents/MacOS/MirrorAgent: LWNotifyWithData: CFMessagePortSendRequest returned error -2.
  Apr 12 08:35:33 hostname DirectoryService[53]: Search connection failure: During an attempt to bind to [X.Y.235.104] LDAP server.
  Apr 12 08:35:33 hostname DirectoryService[53]: Search connection failure: Disabled future attempts to bind to [X.Y.235.104] LDAP server for next 120 seconds.
  Apr 12 08:36:04 hostname kernel[0]: AFP_VFS afpfs_mount: /Volumes/Users, pid 256
  What is the cause for that failure?
  Regards, Martin Burger
  iMac 20" (2 GHz Intel Core Duo) Mac OS X (10.4.9) Server: Dual 2.5 GHz PowerPC G5 with Mac OS X Server (10.4.9)

  Don't do DHCP based binding, configure it manually.
  -Ralph

• Problem with LDAP authentication for users in a group

  I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
  I can configure the VPN connection, so that all users can authenticate just fine; however, when I setup the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:
  [6707]  memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
  [6707]          mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
  [6707]          mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
  [6707]  msNPAllowDialin: value = TRUE
  I'd be grateful if anyone can point me into the right direction and show me what I'm doing wrong. Thank you.
  ldap attribute-map AuthUsers
    map-name  memberOf IETF-Radius-Class
    map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
  aaa-server LDAP protocol ldap
  aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
   ldap-base-dn DC=COMPANY,DC=com
   ldap-scope subtree
   ldap-naming-attribute sAMAccountName
   ldap-login-password *****
   ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
   server-type microsoft
   ldap-attribute-map AuthUsers
  group-policy NOACCESS internal
  group-policy NOACCESS attributes
   vpn-simultaneous-logins 0
   vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
   webvpn
    anyconnect ask none default anyconnect
  group-policy GroupPolicy_COMPANY_SSL_VPN internal
  group-policy GroupPolicy_COMPANY_SSL_VPN attributes
   wins-server none
   dns-server value 10.10.100.102
   vpn-tunnel-protocol ikev1 ikev2 ssl-client
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value SPLIT-TUNNEL
   default-domain value net.COMPANY.com
   webvpn
    anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
  tunnel-group COMPANY_SSL_VPN type remote-access
  tunnel-group COMPANY_SSL_VPN general-attributes
   address-pool COMPANY-SSL-VPN-POOL
   authentication-server-group LDAP
   authorization-server-group LDAP
   authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
   default-group-policy NOACCESS
   authorization-required
  tunnel-group COMPANY_SSL_VPN webvpn-attributes
   group-alias COMPANY_SSL_VPN enable
  tunnel-group COMPANY_SSL_VPN ipsec-attributes
   ikev1 pre-shared-key *****

  I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.

• Problem with Afaria and LDAP user authentication in Android device

  Hi all,
  I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have other tenant with LDAP integration in which the users must be authenticated.
  I know that for iOS devices is necessary reinstall the iphoneserver selecting "Afaria Server managed authentication" but at first I want to make run the Android devices. For this reason I don't do this yet.
  I follow the next steps:
  1-Create a new tenant
  2- Configure LDAP integration
  3-Create a inventory policy with authentication required
  4-Create a static group associated to the inventory policy
  5-Create a enrolment policy associated to the static group.
  When I launch the Afaria agent on the device, the user/password parameters are required. After fill the user/password parameters, the device connect to the server and then is show the message "user or password incorrects".
  I have seen the log and seem the problem is that Afaria can't authenticate this user.
  I validate that Afaria can "see" the LDAP users creating a user group that contains this user(JimenM99)
  The problem is autentication, because if I remove "autentication required" of the inventory policy, the device enrol correctly.
  Could you please help to solve this problem?
  Thanks in advance.  

  Hi all,
  I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have other tenant with LDAP integration in which the users must be authenticated.
  I know that for iOS devices is necessary reinstall the iphoneserver selecting "Afaria Server managed authentication" but at first I want to make run the Android devices. For this reason I don't do this yet.
  I follow the next steps:
  1-Create a new tenant
  2- Configure LDAP integration
  3-Create a inventory policy with authentication required
  4-Create a static group associated to the inventory policy
  5-Create a enrolment policy associated to the static group.
  When I launch the Afaria agent on the device, the user/password parameters are required. After fill the user/password parameters, the device connect to the server and then is show the message "user or password incorrects".
  I have seen the log and seem the problem is that Afaria can't authenticate this user.
  I validate that Afaria can "see" the LDAP users creating a user group that contains this user(JimenM99)
  The problem is autentication, because if I remove "autentication required" of the inventory policy, the device enrol correctly.
  Could you please help to solve this problem?
  Thanks in advance.  

• Problem with ADS and LDAP

  Problem with ADS and LDAP
  I have installed Win2000 + sp1 and ADS on a computer. This computer is PDC.
  After connection via LDAP I cann't get any object ( users or goups etc. ).
  I try connect to ADS by java ( JNDI ).
  When I use another clients of LDAP ( eg. Maxware Directory Explorer) I have
  the same problem - no objects.
  Can anybody help me?
  Grzegorz Pszona
  my e-mail: [email protected]

  Thanks a lot.
  Softerra's browser is really good.
  Thanks
  Rashmi
  "Anant Kadiyala" <[email protected]> wrote:
  >
  I used Softerra's LDAP browser. The browser is free. There is also a
  java baded
  LDAP browser from Univ of Michigan. I found the Softerra browser to be
  more easier
  to use.
  -anant
  "rashmi" <[email protected]> wrote:
  Hi,
  Can you please let me know which exact ADS tool that you used to examine
  the
  DN. I have Active Directory Users and Computers, Sites and Servicesand
  Domain
  and Trusts installed on my machine but I am not able to figure out how
  to get
  the DN?
  Thanks
  Rashmi
  for Stephen Davies <[email protected]> wrote:
  Grzegorz,
  I have had WLS6.1 & ADS working ok using LDAP V2. Mind you it did take
  a
  fair bit of messing around to get it going. MS does have a few oddities,
  for example the Administrators DN might look something like this:
  cn=Administrator,cn=Users,dc=eglobal,dc=net
  One tool that I found invaluable came with the additional support tools
  for Windows 2000. The 'Active Directory Administration Tool' made it
  easy to list the directory contents and examine the DNs.
  Regards,
  Steve
  Stephen Davies
  Principal Consultant
  eGlobal Services Pty. Ltd.
  Sydney, Australia
  Ph. +61 2 9283 1033
  http://www.eglobal.net/

• Problem with users in portal - login conflict with LDAP.

  Hi.
  Let me describe our problem:
  We've a EP5 portal with LDAP conected to a central LDAP server, users access with the same user and password to all the different systems.
  The problem happens to users who have theyr passwords expired. We already set to 0 the password expiration days to avoid future problems but that didn't applied to the already expired ones.
  This affected users cannot change the password due to problems with the connection rights to LDAP server.
  We're trying to find the place there it's set that the user is in some kind of "password expired" status, directly in a database table if neccesary, to change the status manually, as system does not allow os to set it by user administration in portal.
  Any suggestions would be appreciated.

  Restoring expired Portal passwords
  Solved

• Problem with syncing AD users (LDAP)

  I am running into a 'problem' with syncing users from ad. I'm pretty sure i'm doing something wrong but i can't figure it out.
  When i sync manually the 'pop up' shows that it's synchronizing and after a few seconds it tells me "OK". But there are 0 users imported.
  http://www.dualdude.net/bm/run_ldap_sync.jpg
  The connection and credentials to access the AD work since they are also used for Zarafa and Samba AD synchronization. The AD is running on an Windows Server 2008 Enterprise x64 machine.
  This is a screenshot of the configuration used:
  http://www.dualdude.net/bm/ldap_config.jpg
  Any thoughts on what i'm doing wrong?

  I got the same problem when using groupfilter:
  User Filter: (&(|(objectClass=Person)(objectClass=orgPerson)(ob jectClass=inetOrgPerson))(groupMembership=cn=users ,ou=org,o=firma))
  Group Filter: (&(|(objectClass=group)(objectClass=groupOfNames)( objectClass=groupOfUniqueNames))(|(cn=G4)(cn=TC*)) )
  Do you use groups for the allowed users in teaming?
  >>> lnijhuis<[email protected]> 14.01.2010 16:36 >>>
  Thank you for your reply. I guess the comma's should be right. When i
  change the first "ou=" in the Base DN to "cn=" the error message states
  that the best it can do is reach
  ou=OrganizationalUnit,dn=domain,dn=local. So i guess that shouldn't be
  the problem?
  By default there is a container "Users" in AD, which we don't use. The
  person that configured the server created an OU on the same level as the
  default container. THe name of this OU has a space in the name, like
  "Organi Zation". This OU contains another OU called Users. This is where
  the users are located. When i run the ldap query i don't get any errors
  about the base DN. It does when i change it.
  The full filter is:
  (|(objectClass=Person)(objectClass=orgPerson)(obje ctClass=inetOrgPerson))
  lnijhuis
  lnijhuis's Profile: http://forums.novell.com/member.php?userid=63756
  View this thread: http://forums.novell.com/showthread.php?t=397993