DAP using LDAP and Cisco Attributes

I would like to be able to set up a Dynamic Access Policy with the criteria that, if all of the following are true:
cisco.grouppolicy=Sales
ldap.memberOf=Remote_Access
the user can have a specific set of access. My connection profile is using a RADIUS server to authenticate and assign the group policy.
Is it possible to accomplish this? It doesn't seem to work for me.

Hi Luis,
If you want to use LDAP attributes in your DAP policy, then you have to use LDAP for authentication or authorization in your tunnel-group.
So you will either have to replace RADIUS with LDAP for authentication, OR keep RADIUS for authentication and add LDAP for authorization on top.
hth
Herbert
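As an added illustration of Herbert's second option (this is not configuration from the thread), the ASA fragment below keeps the existing RADIUS group for authentication and adds an LDAP server group for authorization, which is what makes ldap.* attributes such as ldap.memberOf visible to DAP. The server-group names, addresses, base DN, bind DN and tunnel-group name are placeholders.

```cisco
! Added example (not from the thread). RADIUS remains the authentication
! server; an LDAP server group is added for authorization so DAP can evaluate
! ldap.* attributes alongside cisco.grouppolicy. Names/addresses are placeholders.
aaa-server RADIUS-AUTH protocol radius
aaa-server RADIUS-AUTH (inside) host 192.0.2.10
 key <radius-shared-secret>

aaa-server LDAP-AUTHZ protocol ldap
aaa-server LDAP-AUTHZ (inside) host 192.0.2.20
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft

tunnel-group REMOTE-VPN type remote-access
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group RADIUS-AUTH
 authorization-server-group LDAP-AUTHZ
 authorization-required
```

With the authorization group in place, the DAP record can combine cisco.grouppolicy = Sales and ldap.memberOf = Remote_Access under the "all of the following" (AND) condition as the question describes; ldap.memberOf is compared against the group's CN. To confirm which attributes DAP actually received for a test login, run `debug dap trace` on the ASA while the user connects and check that both the cisco.grouppolicy and ldap.memberOf values appear in the trace before adjusting the record.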

Similar Messages

  • Difference between using Binding and Value Attribute

What is the difference between using the binding and value attributes? When I use the binding attribute, the value change listener is behaving like an action listener.
Ex:
If I use the value attribute, at the time of the value change listener the component is not showing the result in the component, but when I use the binding attribute it is happening automatically. So I want to know how the binding attribute is working.
I know that with the binding attribute the component is creating an instance at the bean side, so how is it following the life cycle of the JSF framework? And also, please suggest which one is better to use, Binding or Value?

    JNaveen wrote:
    If I use value attribute, at the time of value change listener the component is not showing the result in the component but when I use Binding attribute it is happening automatically. So I want to know how the binding attribute is working.You need to learn about the JSF lifecycle. The ValueChangeEvent is invoked after conversion and validation in the 3rd phase, while the model values are updated in the 4th phase. In the valueChangeListener method you normally use ValueChangeEvent#getNewValue() to get the new value after the change.
    I know, at the time of binding attribute the component is creating an instance at the bean side, So even also how it is following the life cycle of the JSF Frame work, and also Please suggest me weather which one is better to use either Binding or Value?Use the 'value' attribute to bind the value to the bean. Use the 'binding' attribute to bind the component to the bean. If you don't need to precreate the component or do other things than getting/setting its value, then there is no need for the 'binding' attribute.
    Read on those links if you want to know something more about the JSF lifecycle:
    [http://balusc.blogspot.com/2006/09/debug-jsf-lifecycle.html].
    [http://jcp.org/aboutJava/communityprocess/final/jsr252/index.html] (pick 1st download).

  • "Cannot connect to the iTunes Store" when using WiFi and Cisco VPN

    Hi,
    I'm on iPhone software 2.0 and have a connection to the internet via WiFi and VPN (using the integrated Cisco client). Everything works fine (Safari, Mail, MobileMe push of contacts and calendars) but the iTunes Store and the App Store won't. While the App Store keeps spinning, the iTunes Store says "Cannot connect to the iTunes Store". Has anyone else experienced a similar phenomenon?
    thanks
    Message was edited by: samaki

    We're having the same issue. App Store and iTunes do not work when all traffic is tunneled over VPN. Yet, other applications like Safari, New York Times reader, Telnet, etc... work perfectly fine over VPN. If we have the iPhone switch over to using split tunneling VPN mode, then the App Store and iTunes work since they do not appear to be sending traffic over the VPN tunnel. I can say for certain that no outgoing traffic is being blocked on the VPN servers since I administer those servers. I also did a packet capture on the iPhone wireless session and it appears that the App Store sends traffic over the regular HTTP port. So it really doesn't make any sense from a VPN perspective why Safari would work but not the App Store or iTunes when you're tunneling all traffic over VPN. Our iPhones are using the latest firmware (5F136). If anyone has any update, please do share.

  • Modify Transition element in work flow using for and not attributes to restrict access

    Hi,
    I have TFS 2013 on my premises and I am working on changing the workflow for a TFS work item. I have created a work item as per requirement and it has 3 states in the workflow: Active, In Review and Closed. When a developer creates a work item it is in the Active state, and later it is sent to In Review and then to Closed after a successful review.
    My question is that I want the development team to be restricted from moving the work item to the Close state. At present, when developers create a new work item they see the Active state. At this point they cannot see any other states in the work item. Later they fill in the details and after check-in they will put that work item in the In Review state. At this point they can see the Active and In Review states. When they save this work item and modify it again they see the Close state as well. I want to design the Transition element in the workflow in such a way that developers should not be able to see the Close state at all in a work item assigned to them. Only the reviewer should be able to transition the work item from In Review to Close.
    I checked the for and not attributes in the transition element but I have no idea about the correct syntax I should use to enforce the restriction. I would also like to mention here that I have no separate groups defined on my TFS server. Everyone is a part of the Contributors group. There is no specific group of reviewers, and one developer reviews the code of another. I want to design the workflow in such a way that the developer who creates (or gets assigned) the work item should not be able to put their own work item in the Close state, but they should be able to close another developer's work item if that work item has their name in the reviewer's box.
    I have tried to simplify my question by elaborating it; hope it is not complex to understand. Let me know if you want further clarification on this.
    Regards, Premal Acharya

    Hi Premal,
    For your scenario, it seems the "for" and "not" attributes are not available to make this happen. Because the developers are not in groups, and the same type of work item can be assigned to all the developers, the attributes cannot allow and deny users in the groups concurrently. Please check the page for more information about the transition XML element.
    Based on your situation, you can separate the development group and the test group. Then you can allow only the test group to change the state.
    Best regards,

  • Using LDAP and Single Sign On

    Hello
    I have many applications that log into a single directory using LDAP. I want to be able to use single sign-on from Portal to these applications. Because the portal users and the application users are the same, is there a way to pass this information from the portal to the applications directly without asking the user?
    Thanks for any help

    How do the applications currently authenticate?
    What you really want is to have all the applications participate in Single Sign-On.
    There are 3 ways to do it...
    1. make the application an SSO partner application
    2. configure the application as an SSO external application
    3. incorporate the application into a 3rd party SSO solution with Oracle Single Sign-On as a participating app.

  • Using LDAP to search attribute bit flags using attribute OID values

    Hello everyone,
    My question stems from trying to understand the OID and syntax behind this classic LDAP search to find disabled users:
    "(useraccountcontrol:1.2.840.113556.1.4.803:=2)"
    What I am interested in is the value 1.2.840.113556.1.4.803, specifically how it differentiates from the value 1.2.840.113556.1.4.8, which is the OID of the useraccountcontrol attribute:
    http://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx
    Now, this website below says that the 03 and 04 are designators of the AND and OR operations, respectively, and are added on to the end of the OID:
    https://www.appliedtrust.com/blog/2011/04/keeping-your-active-directory-pantry-order
    However, using this logic, I can't get these 03 and 04 operators to work with other attribute OIDs that use flags as values, such as the "searchflags" attribute, e.g. an LDAP search of "(searchflags:=1.2.840.113556.1.2.33404:=0)" returns nothing, using the OR (04) operation at the end of the "searchflags" OID of 1.2.840.113556.1.2.334.
    So back to my original question, for the useraccountcontrol OID of 1.2.840.113556.1.4.8, is this OID at all related to the bitwise AND extensible match of 1.2.840.113556.1.4.803 (like just adding a 03 to designate an AND operation), or is this extensible match value of 1.2.840.113556.1.4.803 completely separate from the useraccountcontrol OID of 1.2.840.113556.1.4.8?
    If I have my terms mixed up, please feel free to correct me on what the proper terms are.
    Thanks!

    Hmm yeah, I posted that link above in my OP as well, and I was hoping that the OID values of these bitwise filters were somehow related to the shorter OID of the "useraccountcontrol" attribute, but it looks like it's just a coincidence.
    So I wonder if the "useraccountcontrol" section of this article from my OP is a little misleading when it says:
    To make a comparison, we either need to use the LDAP_MATCHING_RULE_BIT_AND rule (1.2.840.113556.1.4.803), or the LDAP_MATCHING_RULE_BIT_OR rule (1.2.840.113556.1.4.804) for our attribute OID (the AND rule adds a 03 suffix to denote the AND operation, and the OR rule adds a 04 suffix).
    Following this logic, I should be able to use the "03" and "04" in other bitwise operations with different OIDs to search "AND" or "OR", but as I pointed out in my OP above, I can't seem to make this work by adding the "03" and "04" onto the end of other OIDs. So I will go with Christoffer that these bitwise OIDs (1.2.840.113556.1.4.803 and 1.2.840.113556.1.4.804) are unique in themselves, and the fact that they are 2 characters away from the OID of the "useraccountcontrol" attribute (1.2.840.113556.1.4.8) is just coincidence.
    This does seem strange however, and it seems like there should be some correlation here....
    If anyone has any more info, I would love to hear it!
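As an added example (not code from the thread), the small evaluator below shows why the two bitwise rules behave the way Christoffer describes: 1.2.840.113556.1.4.803 and 1.2.840.113556.1.4.804 are matching-rule OIDs that can be applied to any integer-valued attribute, so the same rule OID is used whether the attribute is userAccountControl or searchFlags, and nothing is ever appended to the attribute's own OID. It also rejects the malformed "(searchflags:=OID:=0)" form from the question. The directory entries are constructed sample data; the flag constants are the documented userAccountControl bit values.

```python
import re

# Matching-rule OIDs named in the thread. Each identifies a comparison *rule*;
# neither is derived from, nor tied to, the OID of any particular attribute.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# userAccountControl flag bits (documented Active Directory values).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# Shape of an extensible-match filter: (attribute:ruleOID:=integer)
_EXT_MATCH = re.compile(r"^\(([A-Za-z][\w-]*):([0-9.]+):=(\d+)\)$")


def parse_bitwise_filter(filter_str):
    """Split "(attr:ruleOID:=value)" into (attr, rule_oid, mask).

    Anything else, including the malformed "(searchflags:=OID:=0)" form from
    the thread, raises ValueError rather than silently matching nothing.
    """
    m = _EXT_MATCH.match(filter_str)
    if not m:
        raise ValueError(f"not an extensible-match filter: {filter_str!r}")
    attr, rule_oid, value = m.groups()
    if rule_oid not in (LDAP_MATCHING_RULE_BIT_AND, LDAP_MATCHING_RULE_BIT_OR):
        # e.g. passing the attribute OID 1.2.840.113556.1.4.8 here is an error:
        # an attribute OID is not a matching rule.
        raise ValueError(f"unknown matching rule OID: {rule_oid}")
    return attr.lower(), rule_oid, int(value)


def entry_matches(entry, filter_str):
    """Apply one bitwise filter to a dict of attribute -> integer value."""
    attr, rule_oid, mask = parse_bitwise_filter(filter_str)
    values = {k.lower(): v for k, v in entry.items()}  # LDAP names are case-insensitive
    if attr not in values:
        return False  # an absent attribute never matches
    flags = int(values[attr])
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return (flags & mask) == mask  # every bit of the mask must be set
    return (flags & mask) != 0  # at least one bit of the mask is set


def search(entries, filter_str):
    """Return the cn of every entry that satisfies the filter, in input order."""
    return [e["cn"] for e in entries if entry_matches(e, filter_str)]


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"cn": "alice", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"cn": "bob", "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},
    {"cn": "svc-backup",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD},
    {"cn": "carol", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
    # schema-style entries carrying searchFlags, as in the thread's second filter
    {"cn": "mail", "searchFlags": 1},     # bit 1 set: attribute is indexed
    {"cn": "comment", "searchFlags": 0},
]

if __name__ == "__main__":
    disabled = "(useraccountcontrol:%s:=%d)" % (LDAP_MATCHING_RULE_BIT_AND, UF_ACCOUNTDISABLE)
    print("disabled accounts:", search(SAMPLE_ENTRIES, disabled))
    indexed = "(searchflags:%s:=1)" % LDAP_MATCHING_RULE_BIT_AND
    print("indexed attributes:", search(SAMPLE_ENTRIES, indexed))
```

The searchFlags query that returned nothing in the question fails to parse here for the same reason it fails on a real directory: the position between the two colons must hold the matching-rule OID, so the working form is "(searchFlags:1.2.840.113556.1.4.803:=1)" with the attribute's own OID playing no part.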

  • Timeouts while using LDAP and TNSNAMES for names resolving

    I use an OID for Oracle Names resolving at the client side.
    I tested some error cases because there are no HA features implemented for the OID.
    So I have an LDAP.ORA with the address and the ports of the OID.
    My SQLNET.ORA has this content:
    NAMES.DEFAULT_DOMAIN = <my_company_domian>
    SQLNET.AUTHENTICATION_SERVICES= (NTS)
    NAMES.DIRECTORY_PATH= (LDAP, TNSNAMES)
    So actually there is no problem. But when I turn off the OID server there is a timeout of about 20 seconds to resolve the name.
    So my problem is not the resolving. I only want to know if there is a possibility to minimize the timeout to switch from LDAP name resolving to tnsnames.ora name resolving.

    Thanks Oviwan, but I think this problem couldn't be solved with a parameter.
    @rgoogld:
    I already feared that I have to live with that timeout.
    But your options are interesting. In the future I will have 2 OIDs and, in the first time, the TNSNAMES.ORA name resolving as backup.
    I can already test this because I have a productive OID and one for test purposes. So at the moment I have two OIDs listed in my LDAP.ORA.
    example:
    DIRECTORY_SERVERS = (<server_name_oid1>:<Port1>:<Port2>, <server_name_oid2>:<Port1>:<Port2>)
    DEFAULT_ADMIN_CONTEXT = ""
    DIRECTORY_SERVER_TYPE = OID
    There is already a (about 20 seconds) timeout when OID1 is powered down or the services are stopped. The client honestly asks the second OID after the "timeout" and resolves the name.
    2 OIDs+TNSNAMES or 1 OID+TNSNAMES: in both cases your options could perhaps prevent the timeout. I'm not really a system administrator, but I can discuss it with my colleagues here.
    Do you know a smart way to remove or repoint a DNS entry in a Windows environment? For such actions I also have to monitor the status of the OID services or the servers and make the DNS changes if something has crashed.
    At this moment I have no idea how to do this, but perhaps you or someone else here has some tips for me.

  • Receiving Mail - Using attachement and adapter attributes

    Hi all,
    I'm trying to solve the following problem:
    - I receive a file via mail adapter as attachment
    - The content of the file is plain text, no csv or XML
    - For mapping, I need a) the content of the file b) metadata like sender of the mail, date/time of mail etc.
    I tried to use the mail package and PayloadSwapBean. Now I have the situation that not every time does the <content> tag contain the content of the attachment:
    - If the message text of the mail is empty, the <content> tag contains the content of the attachment (perfect!)
    - If the message text of the mail is empty, mapping throws an exception. I suppose that the pure attachment (not in the mail package format) is the input for mapping.
    If I try to use adapter-specific attributes, the mail adapter throws an error (so the message does not reach the integration engine). I already updated the mail adapter metadata in the IR (cf. SAP note 936552), as we are on SP16. It seems as if some tags still cannot be deserialised by the SOAP entry of the integration engine.
    Has someone an idea how to solve the situation?
    Kind regards,
    Torsten
    Message was edited by: Torsten Engel

    > Well, the problem seems to be with the IMAP server (not postfix).
    > I simply don't have an INBOX file where my IMAP server seems to deliver the e-mail.
    This seems to be part of our problem communicating. An IMAP server doesn't deliver email. It's what your mailreader contacts to view or deliver mail. You must be using OSX Server, I don't think there's an IMAP server for OSX.
    When mail arrives at your Mac, two basic things happen. We lump them under the label postfix. The first thing is that the SMTP server accepts the mail. The second is that the local process "delivers" the mail. This can be difficult to set up, but the main thing is to put the local delivery path in the alias map file you set in /etc/postfix/main.cf. This is /etc/aliases by default.
    To read mail, your mailreader can simply open the mailbox where the file was delivered. /usr/bin/mail will work fine. Fancier mailreaders like Apple Mail use protocols like POP3 and IMAP4 to retrieve mail from remote servers. But this case is different. IMAP seems like overkill since everything is local. I would try putting the alias to the directory that Mail uses. But then, you never said what your mailreader was, so I don't know.
    I think we can solve this, but we need to get over some confusion first.
    -Phil

  • Macbook wireless and Cisco base station causes kernel panics

    So my company uses MacBooks and Cisco wireless base stations. For some reason, when they use both ethernet and the wireless, the MacBook will kernel panic for no apparent reason. So since we have a fast wired network, I have been advising those MacBook users to turn off wireless and use the wired network. Wouldn't you know, the kernel panics go away. Is anyone aware of an issue with the wireless chipset in the MacBooks and the wireless chipsets in the Ciscos not liking to play with one another? I know it's the wireless in the MacBooks, as if I use any other wireless base station from Apple or Linksys, the issue is not there. I should also mention that when people use those MacBooks on the wireless, every once in a while they get an access control list error. We do not have ACLs for our wireless. Our PowerBooks and iBooks do not exhibit any of these issues on the same network, so we know it is an issue with Intel-based Macs. Any ideas?

    I'm having a similar problem at college (they use Cisco equipment). On most of the campus everything is fine, but in the area near my classes (typically), wireless causes the mac to panic.
    I asked at IT, and came back more confused (apparently, they use the same model WAPs throughout the college, so they couldn't see why one particular WAP would cause this. They guessed it was to do with the huge amount of traffic that particular WAP gets, with it being in the Computing department and all).

  • LDAP and NFS mounts/setup OSX Lion iMac with Mac Mini Lion Server

    Hello all,
    I have a local account on my iMac (Lion), and I also have a Mac Mini (Lion Server), and I want to use LDAP and NFS to mount the /Users directory, but am having trouble.
    We have a combination of Linux (Ubuntu), Windows 7 and Macs on this network using LDAP and NFS, except the Windows computers.
    We have created users in workgroup management on the server, and we have it working on a few Macs already, but I wasn't there to see that process.
    Is there a way to keep my local account separate, and still have NFS access to /Users on the server and LDAP for authentication?
    Thanks,
    -Matt

    It would make a great server. A bonus over Apple TV, for example, is that you have access via both wired ethernet and wireless. Plus if you load tools from XBMC, Firecore and others you have a significant media server. The cost is right too.
    Many people are doing this; google "mac mini media server" or similar for more info.
    Total downside to any Windows-based system: dealing with constant anti-virus, major security hassles, lack of true media integration and PITA to update, etc.
    You should be aware that Lion Server is not ready for prime time; it still has significant issues if you are migrating from SNL 10.6.8. If you buy an Apple fresh Lion Server Mac mini you should have no problems.
    You'll probably be pleased.

  • Called-Station-ID attribute and Cisco WLC code 7.4

    Hello
    I have 2 WLCs configured with 2 SSIDs (one is [WPA2][Auth(802.1X)] and the other is Web-Auth). One of the WLCs is remote and its WLANs are configured with mobility anchors pointing to the other WLC. Both WLCs are configured with Called-Station-ID set to AP Mac Address:SSID. I use this attribute on ACS to authenticate/authorize users based on what SSID they connect to.
    This worked fine on WLC code 7.0 but on upgrading to 7.4 I started having some issues:
    clients on the remote WLC can still authenticate on the [WPA2][Auth(802.1X)] SSID as the Called-Station-ID attribute is still AP Mac Address:SSID
    clients on the remote WLC cannot authenticate on the Web-Auth SSID as the Called-Station-ID attribute now appears to be the Mac Address of the WLC anchor controller
    WLC models are 5508 and current code is 7.4.110.0 (APs are AIR-LAP1142N-E-K9). Can anyone tell me why I'm seeing this behaviour on the Web-Auth SSID on the remote WLC?
    Thanks
    Andy

    Since you have two AAA devices sending info, you can have your policy for the guest specifying the guest WLC. The SSID policy for the foreign WLC is only really needed if you have multiple 802.1x authentications from the foreign WLC, and that's when you can use the regex to define the SSID per AD group.
    Look at a successful authentication from one of the guest users. Look at the detailed log, and in that log you will see all the attributes being sent that the RADIUS server can send back to the WLC. You can use any of those attributes in your policies.
    Called-Station-ID might not be sent like what you're used to, because the foreign WLC has the access point the guest user associates to and tunnels it back to the anchor WLC. So this attribute might not be available. Things do change with code versions, so you might just have to adjust your policies. I haven't played around with 7.0.x code with guest anchor and RADIUS in a while, but I have in the past upgraded RADIUS or the WLC and had to tweak my RADIUS policies.

  • How can i extended attribute of user and add attribute to ldap

    How can I extend a user attribute and add the attribute to LDAP?
    1.
    I use spe to modify "Default User Library": add a Field like
    title:nation name:accounts[Lighthouse].nation
    2.
    Modify "IDM Schema Configuration":
    add <IDMAttributeConfiguration name='nation' description='default attribute from UserExtendedAttributes/UserUIConfig' syntax='STRING'/>
    in <IDMAttributeConfigurations>
    and
    add <IDMObjectClassAttributeConfiguration name='nation' queryable='true' summary='true'/> in <IDMObjectClassConfiguration>
    There is an extended attribute when I create a new user.
    3.
    I create a new resource to LDAP, and I add nation in the "Account Attributes" tab,
    but the new attribute is not added to LDAP.
    I am a beginner; how do I extend an attribute and add it to LDAP?

    So, if I want to fill in blanks on a form where I need to add more pages to fill history, what program do I need? In Adobe Reader, I can edit and fill in blanks, but I cannot duplicate more blank pages.

  • Linux and Solaris Clients with password policy using LDAP

    Has anybody managed to get Linux (RHEL) and Solaris 9 clients to authenticate against Sun Directory Server 5.2p4 using the same password policy?
    For me it looks like Linux needs the attribute shadowlastchanged set to display proper warnings that the password will expire/needs to be changed now. On the other hand, Solaris (using pam_ldap) never writes this attribute, because it's using the password policy attribute pwdchangedtime.
    Hints very welcome!
    Can anybody confirm Solaris 9 pam_unix still sets these shadow* attributes correctly on any password change executed by a user?

    Hi Jeremy,
    here the answers to your questions:
    >My question is which system takes precedence over the password policy?
    Unfortunately there is no policy verification between the portal and your Sun One LDAP. So if you reset the password from the portal then only the portal password policies can be checked.
    >  If I wanted to do password resets from the Portal, does the portal then store only the password in its database?
    No, the password will be stored in the LDAP, but only if it also corresponds with the LDAP policies. If not, then you will get an error, but you will not see the real LDAP exception.
    > Also what would then happen if you tried to reset the password from the LDAP?
    The password in the LDAP does not have to fit the Portal password policies. When you log in, the portal will only check if the password you typed in is the new one in LDAP and will not check any policies.
    Hope this brings some light in,
    Robert

  • How to force simple tags and null attributes to appear when using SQL/XML?

    Hello everybody:
    I'm developing a non-schema based XMLType view.
    When the XML document is generated, I noticed two things I need to manage in order to achieve the desired result:
    1. Oracle generates a <tag></tag> pair for each XMLELEMENT defined; in my case, some tags need to appear as <tag/>... how do I do that? Is it possible when using schema-based XMLType views? Is it possible while using a non-schema approach?
    2. When using XMLATTRIBUTE('' AS "attribute") or XMLATTRIBUTE(NULL AS "attribute"), no attribute with label "attribute" and null value appears at the output; how do I force the Oracle DB to render those attributes which have no values (needed to render those attributes as another parsing code will wait for all the items)?
    3. Some tip about how to route the output to an XML text disk file will be appreciated.
    Thanks in advance.
    Edited by: Enyix on 26/02/2012 11:21 PM
    Edited by: Enyix on 26/02/2012 11:22 PM

    Hello odie_63, thanks for your reply:
    The reasons why single tags are needed are these two: I need to generate a single XML file from 50,000,000 rows, where the XML output matches not only row data but other default values for other elements and attributes (not from the database but using strings and types with default values); by using start and end tags, the generated file is almost twice as big as when using single tags; second, a very precise presentation is needed for the whole document.
    For generating that document, the current focus is based on using a batch process relying on Spring Batch with a single JDBC query where a join happens between two tables. From my point of view, that approach uses database resources, network resources, disk resources, and processing resources, including the price of making the join, sending over the network, creating objects, validating, and making the file (spending too much time generating that XML file). That process is currently in development.
    I think possibly another approach is delegating the complete generation of that file to the database using its XML capabilities. My current approach following your recommendations is to generate a CLOB where I will put all the XML and put it into a table. It leads me to other issues: considering limitations on memory, processing and disk space, I need to append a single row-as-XML into the CLOB as soon as possible, and put the CLOB inside the field as soon as possible, or put the CLOB inside the field and append into it as the data is generated; so how do I manage the process in order to achieve those goals? Since these issues aren't related to my original question, I'll open a new post. Any help will be appreciated.
    Thanks again in advance.

  • How to create a user using XML and specifying addional attributes that are objects

    I'm trying to create a user using XML and specifying some attributes that are objects and not sure how to do it. How would I set the DirectoryUserAcl to Public?
    Here's the xml file:
    <?xml version = '1.0' standalone = 'yes'?>
    <SimpleUser>
    <UserName>mike2</UserName>
    <Password>abc123</Password>
    <AdminEnabled>false</AdminEnabled>
    <HomeFolderRoot>/home</HomeFolderRoot>
    <HasContentQuota>false</HasContentQuota>
    <DirectoryUserAcl> ??? </DirectoryUserAcl>
    <DefaultAclBundleAcl> ??? </DefaultAclBundleAcl>
    <HomeFolderPolicyBundleAcl> ??? </HomeFolderPolicyBundleAcl>
    </SimpleUser>

    I figured out the answer:
    <?xml version = '1.0' standalone = 'yes'?>
    <SimpleUser>
    <UserName>mike2</UserName>
    <Password>abc123</Password>
    <AdminEnabled>false</AdminEnabled>
    <HomeFolderRoot>/home</HomeFolderRoot>
    <HasContentQuota>false</HasContentQuota>
    <DirectoryUserAcl classname="SystemAccessControlList" refType="name">Public</DirectoryUserAcl>
    </SimpleUser>
