Evolution, ldap and tls

Similar Messages

• DSEE 6.3 - LDAP and netgroup problem

  All
  I need your assistance or guidance with regards to my current situation with ldap and netgroups
  Let me explain
  I have configure ldap user authentication and need to group the user with netgroup
  The problem I'm having is that when netgroup is disabled (client /etc/passwd and /etc/nsswitch.conf change back to normal) I can login with the ldap user but as soon as I enable netgroup restart the nscd I cannot login
  The weird thing is I have gone through all the docs that was suggested in this forum with regards to ldap and netgroup but I'm still having a problem
  The netgroup behavior is, I can do a # getent passwd username with success, # id username successful and I can even # su to that user with success but when I want to login as that user I get permission denied BTW I cannot do # passwd -r ldap username - Permission denied
  See below My config
  Hope this wil help as I,m sure that I have missed something small
  Regards
  *# /etc/nsswitch.ldap*
  # An example file that could be copied over to /etc/nsswitch.conf; it
  # uses LDAP in conjunction with files.
  # "hosts:" and "services:" in this file are used only if the
  # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
  # LDAP service requires that svc:/network/ldap/client:default be enabled
  # and online.
  # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
  #passwd: ldap files
  #group: ldap files
  passwd: compat
  passwd_compat: ldap
  group: compat
  group_compat: ldap
  more /etc/pam.conf
  # Authentication management
  # login service (explicit because of pam_dial_auth)
  login auth requisite pam_authtok_get.so.1
  login auth required pam_dhkeys.so.1
  login auth required pam_unix_cred.so.1
  login auth required pam_dial_auth.so.1
  login auth binding pam_unix_auth.so.1 server_policy
  login auth required pam_ldap.so.1
  tail -1 /etc/passwd
  +@nidgroup:x:::::
  more /var/ldap/ldap_client_cred
  # Do not edit this file manually; your changes will be lost.Please use ldapclien
  t (1M) instead.
  NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=nid,dc=domain,dc=co,dc=za
  NS_LDAP_BINDPASSWD= {NS1}a10952b9857c6016
  more /var/ldap/ldap_client_file
  # Do not edit this file manually; your changes will be lost.Please use ldapclien
  t (1M) instead.
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_SERVERS= nisldap01.domain.co.za
  NS_LDAP_SEARCH_BASEDN= dc=nid,dc=domain,dc=co,dc=za
  NS_LDAP_AUTH= simple
  NS_LDAP_SEARCH_REF= FALSE
  NS_LDAP_SEARCH_SCOPE= one
  NS_LDAP_SEARCH_TIME= 30
  NS_LDAP_SERVER_PREF= nisldap01.domain.co.za
  NS_LDAP_CACHETTL= 43200
  NS_LDAP_PROFILE= kobus
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,dc=nid,dc=domain,dc=co,dc=za?one
  NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=people,dc=nid,dc=domain,dc=co,dc=za?one
  NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=nid,dc=domain,dc=co,dc=za?one
  NS_LDAP_SERVICE_SEARCH_DESC= netgroup:ou=netgroup,dc=nid,dc=domain,dc=co,dc=za?one
  NS_LDAP_BIND_TIME= 10
  NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple
  NS_LDAP_SERVICE_AUTH_METHOD= keyserv:tls:simple
  NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:tls:simpl
  ldaplist -l netgroup
  dn: cn=linuxgroup,ou=netgroup,dc=nid,dc=domain,dc=co,dc=za
  nisNetgroupTriple: (,kobusj,)
  objectClass: nisNetgroup
  objectClass: top
  cn: linuxgroup
  dn: cn=nidgroup,ou=netgroup,dc=nid,dc=domain,dc=co,dc=za
  nisNetgroupTriple: (,kobusj,)
  objectClass: nisNetgroup
  objectClass: top
  cn: nidgroup
  ldaplist -l passwd kobusj
  dn: uid=kobusj,ou=People,dc=nid,dc=domain,dc=co,dc=za
  givenName: kobus
  sn: kobusj
  loginShell: /usr/bin/bash
  uidNumber: 130
  gidNumber: 100
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  objectClass: posixAccount
  objectClass: shadowAccount
  uid: kobusj
  cn: kobusj
  homeDirectory: /home/kobusj
  userPassword: {crypt}rnR9/Cv1oV1l6
  *# getent passwd kobusj*
  kobusj:x:130:100::/home/kobusj:/usr/bin/bash
  *# id kobusj*
  uid=130(kobusj) gid=100(nis)
  *# passwd -r ldap kobusj*
  Enter kobusj's password:
  New Password:
  Re-enter new Password:
  Permission denied

  Hi,
  can anybody show whole /etc/pam.conf with working pam_list?
  The configuration below doesn't work:
  cat /etc/pam.conf
  +#+
  +# Authentication management+
  +#+
  +# login service (explicit because of pam_dial_auth)+
  +#+
  login   auth requisite        pam_authtok_get.so.1
  login   auth required         pam_dhkeys.so.1
  login   auth required         pam_unix_cred.so.1
  login   auth required         pam_dial_auth.so.1
  login   auth binding          pam_unix_auth.so.1 server_policy
  login   auth required         pam_ldap.so.1
  login   auth requisite       pam_list.so.1 allow=/etc/user.allow debug
  +#+
  +# rlogin service (explicit because of pam_rhost_auth)+
  +#+
  +# rlogin auth sufficient pam_rhosts_auth.so.1+
  rlogin  auth requisite        pam_authtok_get.so.1
  rlogin  auth required         pam_dhkeys.so.1
  rlogin  auth required         pam_unix_cred.so.1
  rlogin  auth binding          pam_unix_auth.so.1 server_policy
  rlogin  auth required         pam_ldap.so.1
  +#+
  +# rsh service (explicit because of pam_rhost_auth,+
  +# and pam_unix_auth for meaningful pam_setcred)+
  +#+
  +# rsh auth sufficient pam_rhosts_auth.so.1+
  rsh     auth required         pam_unix_cred.so.1
  rsh     auth binding          pam_unix_auth.so.1 server_policy
  rsh     auth required         pam_ldap.so.1
  +#+
  +# PPP service (explicit because of pam_dial_auth)+
  +#+
  ppp     auth requisite        pam_authtok_get.so.1
  ppp     auth required         pam_dhkeys.so.1
  ppp     auth required         pam_dial_auth.so.1
  ppp     auth binding          pam_unix_auth.so.1 server_policy
  ppp     auth required         pam_ldap.so.1
  +#+
  +# Default definitions for Authentication management+
  +# Used when service name is not explicitly mentioned for authentication+
  +#+
  other   auth requisite        pam_authtok_get.so.1
  other   auth required         pam_dhkeys.so.1
  other   auth required         pam_unix_cred.so.1
  other   auth binding          pam_unix_auth.so.1 server_policy
  other   auth required         pam_ldap.so.1
  +#+
  +# passwd command (explicit because of a different authentication module)+
  +#+
  passwd  auth binding          pam_passwd_auth.so.1 server_policy
  passwd  auth required         pam_ldap.so.1
  +#+
  +# cron service (explicit because of non-usage of pam_roles.so.1)+
  +#+
  cron    account required      pam_unix_account.so.1
  +#+
  +# Default definition for Account management+
  +# Used when service name is not explicitly mentioned for account management+
  +#+
  other   account requisite     pam_roles.so.1
  other   account binding       pam_unix_account.so.1
  other   account required      pam_ldap.so.1
  other   account requisite   pam_list.so.1 allow=/etc/user.allow debug
  +#+
  +# Default definition for Session management+
  +# Used when service name is not explicitly mentioned for session management+
  +#+
  other   session required      pam_unix_session.so.1
  +#+
  +# Default definition for Password management+
  +# Used when service name is not explicitly mentioned for password management+
  +#+
  other   password required     pam_dhkeys.so.1
  other   password requisite    pam_authtok_get.so.1
  other   password requisite    pam_authtok_check.so.1
  other   password required     pam_authtok_store.so.1 server_policy
  +#+
  +# Support for Kerberos V5 authentication and example configurations can+
  +# be found in the pam_krb5(5) man page under the "EXAMPLES" section.+
  +#+
  Thanks!
  Edited by: ffffffffff356dfd on 14 ??? 2009 16:25
  Edited by: ffffffffff356dfd on 14 ??? 2009 16:30

• Solaris 10 - ldap client - tls/ssl - password change

  we have configured solaris 10 as a ldap client to sun directory server 6.3.1, on enabling tls:simple, password change operation is just failing with following error message.
  passwd -r user1
  passwd: Changing password for user1
  passwd: Sorry, wrong passwd
  Permission denied
  where user1 is just in ldap and not in unix local. this function works if the authentication mechanism is just simple, but on enabling tls:simple, we get the error message.
  any ideas will be highly appreciated.

  Not that it helps any but I am getting his same error. I am also using 6.3.1

• LDAP and Security Communications

  Hello everybody !
  we're using SunOne DirSer 5.2 and we're thinking to restrict security policies. Our LDAP accept bind connections and uid/pwd are transmitted clearly on the net. We would like to code this info.
  Sorry for question but I'm a novice...
  Is there a simple way to enable LDAP SSL communication WITHOUT certificates installation ( server+clients ) ??
  If I choose to install certificate on server only, must I store clear password inside ldap tree ( DIGEST-MD5 force to store clear pwd in ldap tree ) ??
  Thank you very much,
  Silvio

  Hello everybody !
  we're using SunOne DirSer 5.2 and we're thinking to
  restrict security policies. Our LDAP accept bind
  connections and uid/pwd are transmitted clearly on
  the net. We would like to code this info.
  orry for question but I'm a novice...
  Is there a simple way to enable LDAP SSL
  communication WITHOUT certificates installation (
  server+clients ) ??No there is no way - you need to have a server certificate installed!!
  There are dozens of free tools (openSSL, ...) which can be used to generate such certificate. Of course, you may also obtain/buy one from an official CA.
  There is an excellent and extensive documentation about that topic available online @
  http://docs.sun.com/source/816-6698-10/ssl.html (Sun Dir Server Admin Guide Implementing Security)
  and
  http://docs.sun.com/source/816-6704-10/ssl.html (Using SSL and TLS with Sun ONE Servers)
  So if you have some spare time - go read it!
  If I choose to install certificate on server only,
  must I store clear password inside ldap tree (
  DIGEST-MD5 force to store clear pwd in ldap tree )
  ??Which password do you mean???
  By default, user (BIND) passwords are stored according to your passwordStorageScheme setting of the global password policy (dn: cn=Password Policy,cn=config), which is SSHA. So they are stored hashed by default!
  >
  Thank you very much,
  Silvio

• OD, LDAP and DNS

  I am new to LDAP and I believe I have everything setup correctly on the server (everything under Open Directory in SA says "Running", logs don't show any errors). However, I can not access the LDAP server from a client machine using Directory Access. I suspect that client machines still can not "see" my LDAP server.
  I believe the issue may be with DNS and I am trying to understand the interaction between DNS and OD, etc. First off, I do not have DNS turned on for my Mac OS X Server since my ISP has always hosted our DNS. Is this a problem? Do I need DNS activated on the same server that I am running this LDAP server? I have tried entering the IP and DNS name on the client server using Directory Access and neither worked.

  The requirement is that references using your server's Fully Qualified Domain Name look up to its IP Address and its IP Address looks up to its Fully Qualified Domain Name. If your ISP does that for you, and does it correctly, Merry Christmas!
  All others must set up their own tiny DNS service to do the lookups. If you are behind an NAT firewall, you can Make Up whatever names you like and look them up locally, because they are invisible from the Internet.
  Remember that each workstation must have the address of the DNS available to it. It needs to be configured in the TCP/IP setup or dispensed via DHCP. If you use your own DNS (highly recommended) you must also dispense or configure the next upstream DNS (your ISP's DNS Address).
  "An Open Directory master requires properly configured DNS so it can provide single sign-on Kerberos authentication.
  Make sure DNS service is configured to resolve fully qualified DNS names and provide corresponding reverse lookups.
  DNS must resolve the fully qualified DNS name and provide reverse lookups for the Open Directory master server, all replica servers, and other servers that are members of the Kerberos realm.
  You can use the Lookup pane of Network Utility (in /Applications/Utilities/) to do a DNS lookup of a server's DNS name and a reverse lookup of the server's IP address.
  For instructions on setting up DNS service, browse Network Services Overview."
  -- from Server Admin 10.4 Help: Kerberos is Stopped on an Open Directory Master or Replica
  Message was edited by: Grant Bennet-Alder

• 10.6.6 Server Combo Update Crashes LDAP and Kerberos Services

  Just updated apple server from 10.6.4 to 10.6.6 with combo server overnight.
  Everything was working fine under 10.6.4
  All users can no longer authenticate to server via mail or ldap logins
  LDAP and Kerberos Services stopped.
  Will downgrade from an open directory master to standalone then back to master again and post status...

  I think there is something with LDAP on 10.6.6
  I was forced to make clean install in combo from 10.6.0 to 10.6.6 and today LDAP crashed.
  It seems to be an issue on ldap ACL.
  Message was edited by: Xalio

• This page can't be displayed - Turn on TLS 1.0, TLS 1.1, and TLS 1.2 ** But TLS is already turned on.

  I have a user that when they try to log into Duke Progress Energy's website at https://www.progress-energy.com/app/loginregistration/login.aspx it will redirect them to a "one time authentication" page which requires them to use a one-time key
  to log in on a new computer.  When going to this one-time website (secure8.i-doxs.net) it will get an error message that says...
  This page can't be displayed
  Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in the Advanced settings and try connecting to https://secure8.i-doxs.net again.  If this error persists, contact your site administrator.
  Well, I'm the site administrator and I can confirm that TLS 1.0, 1.1, and 1.2 are all enabled and forced by GPO.  Restarting IE and rebooting did not help.  Chrome and Firefox both work flawlessly.
  Edit: This is IE 11 on Windows 8.1 Enterprise.

  Well, I'm the site administrator and I can confirm that TLS 1.0, 1.1, and 1.2 are all enabled and forced by GPO.
  Often such messages are just a default best guess of how to explain a problem symptom.  Have you checked that the message is properly reflecting the condition that was detected?  FWIW first I would use the Developer Tools to see
  what the transaction (request and response) really is.  E.g. it may be that the host is sending an HTTP response code which might be interpreted the way that the message is showing.  Then the problem would be on the host to ask: why is it sending
  that code.  Often the answer is that the host is just getting mixed up about the capabilities it assumes a browser has without having actually tested them.
  FYI
  Robert Aldwinckle

• MAC OS and LDAP and Samba Server

  How can I make my Mac OS authenticate against LDAP and automatically map shared by a Samba server folders? (samba domain)? The idea is that any person who is registered in the database of LDAP can log into any Mac machine and automatically access the folders stored on the Samba server.

  Are you using TopLink 11g or TopLink Essentials?
  You seem to be wanting to use TopLink 11g, but you have the provider set to Essentials in your persistence.xml.
  <provider>oracle.toplink.essentials.PersistenceProvider</provider>
  Change this to,
  <provider>oracle.toplink.PersistenceProvider</provider>
  The sessions-xml properties are only supported with TopLink 11g.
  Note that currently in 11g when using a sessions-xml it must contain a project xml that completely defines the mappings. It will not merge with annotations nor defaults.

• LDAP and OID

  FYI: I am new to Oracle (<1 month), and new to APEX (<3 weeks) so forgive me if I am asking the obvious.
  I would like to have APEX authenticate against LDAP (active directory), and went about trying to set that up. Got all AD settings from our sys admin, and then tried them in the LDAP test tool. I kept getting " Authentication failed!" no matter what I did. Due to the detailed nature of that error message, I started trying to track down every possible avenue so I talked to one of our DBA's about DBMS_LDAP.SIMPLE_BIND_S. The answer I got back was that we don't have access to it because it is part of OIN which we would have to pay outrageous amounts of money for if we wanted to use it. Not likely to happen, so I was hoping that there was another way to authenticate APEX via LDAP.
  Any suggestions would be most helpful.

  John - DBMS_LDAP is not part of OID so you can use it as part of your existing database product installation. Search this forum for LDAP and AD and you'll find lots of discussions about what you are trying to do.
  Also, just to clarify, you're not trying to authenticate Application Express using AD, you'll be authenticating users to your application (essentially a PL/SQL application in the database) using account information stored in AD. The authentication code that gets executed will belong to your application.
  Scott

• LDAP and SAP integration

  Hi,
  As a part of a project requirement, we are trying to integrate Solution manager with LDAP (Lightweight Directory Access Protocol).
  Using the directory service, we are trying to synchronize the CUA (Central user administration within Solution manager) with Active directory of LDAP so that we can maintain the User data centrally from a single point in LDAP.
  Problem description:
  Currently, Client has implemented the LDAP and CUA integration and when a new user is added in LDAP, it is automatically getting copied in all SAP systems and at real time, when the useru2019s u201CLASTNAMEu201D field is updated in LDAP, it is automatically getting synchronized in all SAP systems.
  But, If any attribute other than u201CLASTNAMEu201D is changed (i.e. The expiry /validity date of the User in LDAP, GLTGB in SAP), then the field value is not getting synchronized in the SAP Central User Adm.
  Our Findings:
  We have checked the configurations and imported mappings in SAP Solution Manager and everything looks fine. We have debugged the standard program RSLDAPSYNC_USER extensively and found out that an RFC call to function module LDAPRFC_SEARCH is not returning the expected values.
  Thanks
  Deb

  Hi Deb,
  It would be really nice if you can elaborate on the configurations that need to be done as part of this integration. I hope, you have been successfull by now.
  Actually, I too need to perform the same as part of a project.
  Thanks in advance.

• Hello, Identity manager fail to add entries in the LDAP and database table

  Hello,
  Well I installed identity manager 7 in a windows 2003 advanced server.
  I I appended an NT server resource, a Mysql table, a solaris server resource and an ldap server resource.
  I created the roles for these resources and then I assigned them to an account that I created for testing purposes.
  After the aprooval, in the solaris machine, the user has been added in the user database but no home directory has been created as I didn't set the apropriate flag to true.
  I the windows resource everything worked very smooth and with no problem.
  In the ldap and mysql table resources I recieved a failure having error message null. and from a sniffing that I did for investigation I never saw a sigle packed arrive to the mysql server or to the directory server from the idm server.
  Any ideas or suggestions on what to do ?

  Well the problem with the directory server just solved.
  But the problem with mysql remains.
  The first thing that I do when I add a resource is to test the connection.
  The problem with the LDAP is that the dn was not present in the directory server. They gave me an ou that didn't exist.

• Domino ldap and weblogic server 6.1

  Hi,
  I am trying to use domino ldap for authentication in weblogic server 6.1
  I configured a custom ldap realm.
  But the users were not listed from domino ldap and authentication also failed.
  Can anybody help me?
  Thanx in advance.
  - prabha.

  at the moment it is possible for me to work, though. i worked around the
  problem and i set web.xml as a read only file. i still can't use wizards to
  create servlets and i can't edit web.xml with jbuilder.

• Authentication against both LDAP and BI repository

  I have a lot of user who are authenticated against LDAP. I need add few users who aren't exist in LDAP. I can create user in BI repository and if this user is in an Administrator group he is able to log in. But if this user isn't in an Administrator group he get error "Succesfull execution of intitializtion block LDAP is required". Is there any way how to authenticate users agains both LDAP and BI repository?

  Hi,
  why dont you create a group in ldap and add the correspondng users to that group.
  You can configure the LDAP server with that group and try...
  Hope it works...
  Regards
  Venkat

• LDAP and everyone group

  I am using wls version 5.1 with service pack 7. I still need to add all
  users the the "everyone" group in order to be able to authenticate. I
  thought this issue was resolved in the latest service pack. But I still
  get an exception thrown if my user is not in "everyone" group. Does
  anyone know what the status of this bug is? Is it resolved or not?
  Here is the exception:
  java.rmi.RemoteException: Security violation: insufficient permission to
  access method
  at
  weblogic.ejb.internal.BaseEJBObject.preInvoke(BaseEJBObject.java:431)
  at
  com.itginc.webtrade.ejb.LoginBeanEOImpl.loginUser(LoginBeanEOImpl.java:143)
  at
  com.itginc.webtrade.ejb.LoginBeanEOImpl_ServiceStub.loginUser(LoginBeanEOImpl_ServiceStub.java:112)
  at
  com.itginc.webtrade.servlets.LoginServlet.service(LoginServlet.java:190)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:865)
  at
  weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:106)
  at
  weblogic.servlet.internal.ServletContextImpl.invokeServlet(ServletContextImpl.java:907)
  at
  weblogic.servlet.internal.ServletContextImpl.invokeServlet(ServletContextImpl.java:851)
  at
  weblogic.servlet.internal.ServletContextManager.invokeServlet(ServletContextManager.java:252)
  at
  weblogic.socket.MuxableSocketHTTP.invokeServlet(MuxableSocketHTTP.java:364)
  at
  weblogic.socket.MuxableSocketHTTP.execute(MuxableSocketHTTP.java:252)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:129)

  Glen wrote:
  >
  I just encountered this error and deleted the 'everyone' group as a workaround.We authenticate with LDAP and WL always complained about not finding the group 'everyone'. The app worked fine but I thought I'd be a good guy and add the group to LDAP. Once I did, I got your error.Could the issue be that the 'everyone' group is OK but the permissions on the group deny access? I'm searching BEA to find out the expected permissions when I found your posting.I still need the expected permissions for the 'everyone' group.According to http://www.weblogic.com/docs51/admindocs/ldap.html#changes
  .. you don't need to define the everyone group in any version after WLS 5.0
  because of the introduction of the CachingRealm.

• WLC 5508 support of Secure LDAP using TLS

  Hi,
  I have seen that the current WLC software release, 7.0.116.0, does not support secure LDAP using TLS. Are there any plans to incorporate this feature? (I've read that it was supported in previous releases to version 4.2). Is it in the roadmap of the product?
  Thank you very much for your help.
  Kind regards,

  I too am desiring this functionality.,,