Failed to use LDAP over SSL MUTUAL AUTHENTICATION with some Directory enable SSL.

Similar Messages

• SSL mutual authentication with Tomcat and IE

  Hi,
  I am trying to set up mutual ssl with Tomcat.
  Everything works fine on the server but I cannot authenticate the client.
  The client is my internet explorer browser. This is what I have tried.
  -Generated an ssl server certificate using keytool.
  -Generated a certificate for the client
  -exported it to a .cer file
  -imported it to a truststore and moved it into the cacerts file
  I have verified this because tomcat lists my client certificate as a trusted
  one at start up.
  After this I installed the .cer file into IE and tried accessing the server.
  Handshake fails: "bad_certificate"
  I have searched all around the net trying to find someone who had done something like this, could not find anything. Can anyone please help me through this setup.
  -thanks

  Oh I find that there is different code base of WLS 7.0.0!!
  - WLS 7.0.0 of Mai 2002 is propagating the principal correctly with SSL
  mutual authentication.
  - WLS 7.0.0 of Juli 2002 is NOT propagating anymore! (the patch is appliable
  to this)
  Obviously BEA published different nightly builds of the same WLS 7.0.0 on
  the web.
  Is this normal?
  Regards
  Alain Hsiung
  "Alain Hsiung" <[email protected]> wrote in message
  news:[email protected]..
  I think that SP1 has a bug: it cannot propagate the principal when SSL
  mutual
  authentication is used. I fixed it with a small patch. Now the principalis
  propagated
  correctly with SSL mutual authentication on WLS 7.0.1 (WLS 7.0.0 isworking
  without patch).
  Alain Hsiung
  "Alain Hsiung" <[email protected]> wrote in message
  news:[email protected]..
  Hi all
  I make SSL mutual authentication work between 2 WLS 7.0 servers.
  As I upgrade to WLS 7.0 SP1 the principal propagation doesn't workanymore:
  the principal on the target WLS is always "anonymous"!
  Is this a bug or is there something new to parametrize?
  Regards
  Alain Hsiung

• HTTPService SSL mutual authentication

  I can use HTTPService to access a secure web server via.
  HTTPS. The SSL is configured to do a mutual authentication: both
  server and client needs to send their certificate to each other.
  Where should I put client certificate so that HTTPService can fint
  it?
  Is Flex3 using browser's certificate management system? or
  has its own?

  Oh I find that there is different code base of WLS 7.0.0!!
  - WLS 7.0.0 of Mai 2002 is propagating the principal correctly with SSL
  mutual authentication.
  - WLS 7.0.0 of Juli 2002 is NOT propagating anymore! (the patch is appliable
  to this)
  Obviously BEA published different nightly builds of the same WLS 7.0.0 on
  the web.
  Is this normal?
  Regards
  Alain Hsiung
  "Alain Hsiung" <[email protected]> wrote in message
  news:[email protected]..
  I think that SP1 has a bug: it cannot propagate the principal when SSL
  mutual
  authentication is used. I fixed it with a small patch. Now the principalis
  propagated
  correctly with SSL mutual authentication on WLS 7.0.1 (WLS 7.0.0 isworking
  without patch).
  Alain Hsiung
  "Alain Hsiung" <[email protected]> wrote in message
  news:[email protected]..
  Hi all
  I make SSL mutual authentication work between 2 WLS 7.0 servers.
  As I upgrade to WLS 7.0 SP1 the principal propagation doesn't workanymore:
  the principal on the target WLS is always "anonymous"!
  Is this a bug or is there something new to parametrize?
  Regards
  Alain Hsiung

• Fail to use Jeditorpane to display a text with big5 encoding

  Hi All,
  I fail to use Jeditorpane to display a text with big5 encoding correctly.
  It only show machine code.
  I am using jre1.6.0_17. Yet it works well with earlier version of jre like jre 1.6.0_15, and jre 1.6.0_16
  bcpscsin

  bcpscsin wrote:
  ..I can find it in javax.swing
  FFS! It is JEditorPane, not Jeditorpane. Count the freaking upper case letters in both of those!
  Convince yourself by following these two URLs
  [http://java.sun.com/javase/6/docs/api/javax/swing/JEditorPane.html] -> produces a web page.
  [http://java.sun.com/javase/6/docs/api/javax/swing/Jeditorpane.html] -> "Page Not Found"
  My point is - do not type 'something like' the class name - get it right so we can be sure. Programming is a technical business and programmers need to be very accurate. It is even more important to be very accurate when asking for help on an forum. People have very little time to 'hold your hand' about the correct spelling and capitalisation of class names - or anything else for that matter.
  You still have not answered my question about the bug database.

• Autheticating useing Cisco ACS 4.2 integrated with Active Directory 2003

  How do i check that users are Autheticated useing Cisco ACS 4.2 integrated with Active Directory 2003, any one help me in this thanks

  You can't actually see the user's membership from ACS. All you can do, create group-mapping under external database >> group mapping section. This would give you an option to map external (AD) group with an Internal group.The group memberrship need to be modified under Active Directory.
  Once user is succussfully authenticated and learned as a dynamic user in ACS user setup database, it would be mapped with an ACS internal group based on group mapping we did.
  Let me know if you have any doubts.
  Regards,
  Jatin

• Fail to use LDAP

  Hi,
  I would like to use LDAP for login validation. Therefore, the coding is:
  <cfldap
         ACTION="QUERY"
         SERVER="LDAP://int.abc.com"
         PORT="389"
         START="OU=Users,DC=int,DC=abc,DC=com"
         USERNAME="ABC\\#arguments.userid#"
         PASSWORD="#arguments.passwd#"
         NAME="checkPassword"
         filter="SAMAccountName=#arguments.userid#"
         ATTRIBUTES="*"
         SCOPE="SubTree"
         MAXROWS="1">
  However, it shows me the following error message:
  Detail
  One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server. 
  Message
  An error has occured while trying to execute query :Invalid name: /int.abc.com:389. 
  Operation
  query :Invalid name: /int.abc.com:389
  How can I solve the problem?

  the error message tells you the server name is incorrect. try instead (make sure is a valid dns name)
  SERVER="int.abc.com"

• Using LDAP from 10.5 Server with Joomla

  Has anybody successfully used the LDAP from 10.5 server with Joomla?
  Here is another post in Joomla's forums asking the same thing
  http://forum.joomla.org/viewtopic.php?f=473&t=260357

  I've had some success with the LDAP integrated into Joomla 1.5. Although, Joomla currently appears to require an email address during validation. So, if you don't have email addresses in the OSX LDAP database, a user can not fully login even if the username and password is correct).
  Here are my sanitized settings
  Host: hostname.domain.tld , e.g. [email protected]
  Port: 389
  LDAPV3: yes
  Negotiate TLS: no
  Follow Referrals: no
  Authorization Method : "Bind and Search"
  BaseDN: cn=users,dc=hostname,dc=domain,dc=tld , e.g. dc=myserver,dc=mydomain,tld=com or whatever OD LDAP is set for.
  Search String : uid=[search] // I do not know if this is valid.
  UserDN: uid=[username],dc=hostname,dc=domain,dc=tld
  Connect username:
  Connect password:
  Map full name: cn
  Map email : email
  Map userid : uidnumber
  When you enable the module, you should see an OD LDAP log entry
  Something like
  May 29 2008 19:04:33 USER: {0x4230826a3fffffff0000000f0000000a, username} is the current user.
  May 29 2008 19:04:33 AUTH2: {0x4135826cffffffff0000000a0000000a, username} CRAM-MD5 authentication succeeded.
  May 29 2008 19:24:11 RSAVALIDATE: success.
  If you don't get any log messages, LDAP has rejected the query outright.
  Regards,
  Jay Vicory

• Integrating OEDQ with Active Directory - Disabling SSL

  Hi fellows,
  I've just installed OEDQ (latest release) on a Unix machine (deployed on WebLogic Server 10.3.6) but I've a couple of concerns:
  SSL Communication --> is it mandatory? I mean, I've tried to expose the dndirector admin page through an OHS Apache Web server. I'm able to access the admin page in plain mode but whenever I try to access a specific functionality (dashboard, user management, server configuration, etc) I'm being redirected to https://<web-server-hostname>:<wls-server-ssl-port>/dndirector, so this is not what I'm expecting. What's wrong? By the way, If SSL is mandatory, is there a way to expose the console via apache (avoiding any redirection)?
  OEDQ with Active Directory --> the following documentation -- Integrating OEDQ with Active Directory -- covers just the Single Sign-on configuration (on both Windows/Unix os). What about a simple configuration pointing to an external ldap? The documentation reports the following statement:
            It is also possible to configure OEDQ to work with different directory servers for user authentication and user identification. For information on alternative configurations, "see "Contact Us"
  So, how can I achieve that?
  Any pointers?
  Thanks in advance,
  Marco

  Hi Marco
  Was out of the office a bit - apologies for the delay.
  It looks like you removed these lines from the configuration:
  cdpad.auth  
  = ldap
  cdpad.auth.bindmethod
  = digest-md5
  cdpad.auth.binddn
  = search: sAMAccountName
  If these are not present, the user name is combined with @cdpsede.cassaddpp.it and used to login into AD.  Depending on how user names are setup, this may or may not work.
  If you replace the lines above, then the user account is searched for against the AD UserPrincipalName or the sAMAccountName attributes.  The value of the latter attributre is then used as the login attempt.
  So for example, if you enter the user name if marco.bonadonna, EDQ would search for an AD entry with userPrincipalName = [email protected] or with sAMAccountName = marco.bonadonna and then it would use the value of the sAMAccountName attribute to connect to AD (using digest-md5 for encryption) along with the password.
  If you use
  cdpad.auth.binddn = search: dn
  then EDQ will use the full distiinguished name (DN) of the entry in the bind attempt.
  It is sometimes easier to test connections using a LDAP browser - Apache Directory Studio (see http://directory.apache.org/studio/) is one I use.  You can then check user name and password combination outside EDQ.
  You can also get additional server logging on LDAP interactions in EDQ by adding the line:
  userauth.level = all
  to the logging.properties file in the EDQ config directory.  Then where will be lots of diagnostics in the EDQ main0,log file.
  By the way, there is some documentation for this in the on-line help for EDQ.
  Richard

• Kerberos authentication with Active Directory

  I have tried using JAAS to authenticate to MS Active Directory and keep getting "javax.security.auth.login.LoginException: Pre-Authentication Information was invalid"
  I have tried authenticating with multiple user accounts and on three different realms (Active Directory domains).
  How do I need to format the username? I know that when using JNDI to access Active Directory I have to use the format "[email protected]" or the RDN. I have tried it both ways with JAAS kerberos authentication as well as with just the username by itself. I don't think that the username format is the problem though because if I set the account lockout policy to 5 failed attempts, sure enough my account will be locked out after running my code 5 times. If I give a username that doesn't exist in Active Directory I get the error "javax.security.auth.login.loginexception: Client not found in Kerberos database" Is there something special that I have to do to the password?
  I know that there is just something stupid that I'm missing. Here is the simplest example of code that I'm working with:
  import java.io.*;
  import javax.security.auth.callback.*;
  import javax.security.auth.login.*;
  import javax.security.auth.Subject;
  import com.sun.security.auth.callback.TextCallbackHandler;
  public class krb5ADLogin1 {
  public static void main(String[] args){
  LoginContext lc = null;
  try {
  lc=new LoginContext("krb5ADLogin1", new TextCallbackHandler());
  lc.login();
  catch(Exception e){
  e.printStackTrace();
  Here is my config file:
  krb5ADLogin1 {
  com.sun.security.auth.module.Krb5LoginModule required;
  The command I use to start the program is:
  java -Djava.security.krb5.realm=mydomain.com
  -Djava.security.krb5.kdc=DomainController.mydomain.com
  -Djava.security.auth.login.config=sample.conf krb5ADLogin1

  Hi there ... the Sun web site has the following snippet:
  http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/Troubleshooting.html
  + javax.security.auth.login.LoginException: KrbException::
  Pre-authentication information was invalid (24) - Preauthentication failed
  Cause 1: The password entered is incorrect.
  Solution 1: Verify the password.
  Cause 2: If you are using the keytab to get the key (e.g., by
  setting the useKeyTab option to true in the Krb5LoginModule entry
  in the JAAS login configuration file), then the key might have
  changed since you updated the keytab.
  Solution 2: Consult your Kerberos documentation to generate a new
  keytab and use that keytab.
  Cause 3: Clock skew - If the time on the KDC and on the client
  differ significanlty (typically 5 minutes), this error can be
  returned.
  Solution 3: Synchronize the clocks (or have a system administrator
  do so).
  Good luck,
  -Derek

• Using xorg 1.5 in testing with some problem with keyboard and mplayer

  I have the following lines in my xorg's log file:
  (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
  (WW) RADEON(0): R500 support is under development. Please report any issues to [email protected]
  (WW) RADEON(0): LVDS Info:
  (WW) RADEON(0): Unknown vendor-specific block f
  (WW) RADEON(0): Unknown vendor-specific block f
  (WW) RADEON(0): DRI init changed memory map, adjusting ...
  (WW) RADEON(0): MC_FB_LOCATION was: 0xdbffd800 is: 0xdbffd800
  (WW) RADEON(0): MC_AGP_LOCATION was: 0x003f0000 is: 0xffffffc0
  (WW) Warning, couldn't open module evdev
  (EE) Failed to load module "evdev" (module does not exist, 0)
  (EE) No input driver matching `evdev'
  (EE) config/hal: NewInputDeviceRequest failed
  (WW) Warning, couldn't open module evdev
  (EE) Failed to load module "evdev" (module does not exist, 0)
  (EE) No input driver matching `evdev'
  (EE) config/hal: NewInputDeviceRequest failed
  (WW) Warning, couldn't open module evdev
  (EE) Failed to load module "evdev" (module does not exist, 0)
  (EE) No input driver matching `evdev'
  (EE) config/hal: NewInputDeviceRequest failed
  (WW) Warning, couldn't open module evdev
  (EE) Failed to load module "evdev" (module does not exist, 0)
  (EE) No input driver matching `evdev'
  (EE) config/hal: NewInputDeviceRequest failed
  (WW) Warning, couldn't open module evdev
  (EE) Failed to load module "evdev" (module does not exist, 0)
  (EE) No input driver matching `evdev'
  (EE) config/hal: NewInputDeviceRequest failed
  (WW) Warning, couldn't open module evdev
  (EE) Failed to load module "evdev" (module does not exist, 0)
  (EE) No input driver matching `evdev'
  (EE) config/hal: NewInputDeviceRequest failed
  (WW) Warning, couldn't open module evdev
  (EE) Failed to load module "evdev" (module does not exist, 0)
  (EE) No input driver matching `evdev'
  (EE) config/hal: NewInputDeviceRequest failed
  (WW) Warning, couldn't open module evdev
  (EE) Failed to load module "evdev" (module does not exist, 0)
  (EE) No input driver matching `evdev'
  (EE) config/hal: NewInputDeviceRequest failed
  (WW) RADEON(0): Unknown vendor-specific block f
  (WW) RADEON(0): Unknown vendor-specific block f
  1. my notebook's keyboard works well now, but when I see above error, I installed xf86-input-evdev package, then strange thing happened: when I press the up arrow key, gnome-screenshot was opened, so I cannot use the "Up" key,:( then I have to uninstall the xf86-input-evdev, but I donot know why there are error messages as shown above.
  2. The radeon driver works fine for me ---- at least I think so ----, but I cannot use mplayer -vo gl:yuv=4:lscale=1 somemediafile to play, cause it is too slow
  it says:
  do_wait: drmWaitVBlank returned -1, IRQs don't seem to be working correctly.
  Try adjusting the vblank_mode configuration parameter.
  my video card is x1300 on Lenovo T60.
  here is my xorg.conf:
  Section "ServerLayout"
  Identifier "X.org Configured"
  Screen 0 "Screen0" 0 0
  InputDevice "Mouse0" "CorePointer"
  InputDevice "Synaptics Touchpad" "SendCoreEvents"
  InputDevice "Keyboard0" "CoreKeyboard"
  EndSection
  Section "Files"
  ModulePath "/usr/lib/xorg/modules"
  FontPath "/usr/share/fonts/misc"
  FontPath "/usr/share/fonts/100dpi:unscaled"
  FontPath "/usr/share/fonts/75dpi:unscaled"
  FontPath "/usr/share/fonts/TTF"
  FontPath "/usr/share/fonts/Type1"
  EndSection
  Section "Module"
  Load "extmod"
  Load "dbe"
  Load "xtrap"
  Load "dri"
  Load "glx"
  Load "drm"
  Load "freetype"
  EndSection
  Section "InputDevice"
  Identifier "Keyboard0"
  Driver "kbd"
  EndSection
  Section "InputDevice"
  Identifier "Mouse0"
  Driver "mouse"
  # Option "Protocol" "auto"
  Option "Protocol" "ExplorerPS/2"
  Option "Device" "/dev/input/mice"
  Option "Emulate3Buttons"
  Option "Emulate3Timeout" "50"
  Option "EmulateWheel" "on"
  Option "EmulateWheelButton" "2"
  Option "EmulateWheelTimeOut" "200"
  Option "YAxisMapping" "4 5"
  Option "XAxisMapping" "6 7"
  Option "ZAxisMapping" "4 5"
  EndSection
  Section "InputDevice"
  Identifier "Synaptics Touchpad"
  Driver "synaptics"
  # Option "Device" "/dev/input/mouse2"
  Option "Device" "/dev/psaux"
  Option "Protocol" "auto-dev"
  Option "TouchpadOff" "1"
  Option "SHMConfig" "true"
  EndSection
  Section "Monitor"
  #DisplaySize 290 210 # mm
  Identifier "Monitor0"
  VendorName "LEN"
  ModelName "4020"
  Option "DPMS"
  # 1024x768 96dpi
  DisplaySize 270 203
  EndSection
  Section "Device"
  Identifier "Card0"
  Driver "radeon"
  VendorName "ATI Technologies Inc"
  BoardName "M52 [Mobility Radeon X1300]"
  BusID "PCI:1:0:0"
  Option "DRI" "true"
  Option "AGPMode" "4"
  Option "EnablePageFlip" "on"
  Option "ColorTiling" "on"
  Option "DynamicClocks" "on"
  Option "AccelMethod" "EXA"
  EndSection
  Section "DRI"
  Mode 0666
  EndSection
  Section "Extensions"
  # Option "Composite" "0"
  Option "XVideo" "Enable"
  EndSection
  Section "Screen"
  Identifier "Screen0"
  Device "Card0"
  Monitor "Monitor0"
  DefaultDepth 24
  SubSection "Display"
  Viewport 0 0
  Depth 1
  EndSubSection
  SubSection "Display"
  Viewport 0 0
  Depth 4
  EndSubSection
  SubSection "Display"
  Viewport 0 0
  Depth 8
  EndSubSection
  SubSection "Display"
  Viewport 0 0
  Depth 15
  EndSubSection
  SubSection "Display"
  Viewport 0 0
  Depth 16
  EndSubSection
  SubSection "Display"
  Viewport 0 0
  Depth 24
  Modes "1024x768"
  EndSubSection
  EndSection

  sm4tik wrote:Have a look at http://bbs.archlinux.org/viewtopic.php?id=54568
  I decided to keep the old drivers and just ignore the error. I read a dozen mail list entries etc before reverting back, and it seems laptop keyboards are often quite tricky to get working correctly. Also using a non english layout will cause some extra effort.. My suggestion is to uninstall evdev and stick to the old drivers until there's a real reason to switch to evdev.
  Well, after follow the post you gave.
  I think that evdev now is really sucks!
  I agree with you, as long as my whole computer works, I donot care such errors.

• Solaris authentication with Active Directory

  Our shop is a mixed environment of Unix and Windows users. Many use both environments daily and there has been a desire to have a common authentication scheme. We have been able to successfully configure our RH Linux clients to authenticate against our Windows or NIS environment using pam and krb5, but have not been able to successfully adapt this to our Solaris (9/10) environment. Our Unix/Linux client environment is in a common NIS domain. We want to continue to use NIS for account management and add AD for authentication only i.e. if the username/password authenticates against AD or NIS, then the user login proceeds.
  On Solaris I have been able to successfully configure the /etc/krb5/krb5.conf file so that a kinit can be done successfully. klist list out the info and kdestroy removes it. However, figuring out how to properly configure the /etc/pam.conf file to use this login/rlogin/ssh authentication is not making any progress. Various attempts to add the pam_krb5.so.1 plugin in various sections of the file have not worked. Can you advise me on the proper configuration for this to work and or the means to get it working?

  Read up on Enterprise User Security (EUS), a feature of Oracle Enterprise Database.
  Mark Wilcox also has several posts related to OVD/AD/EUS integration on his blog:
  http://blogs.oracle.com/mwilcox/2008/09/clarifying_eus_and_kerberos.html
  A simple google search for oracle eus will also turn up a lot of useful info.
  And then there is Oracle's identity website, where there are white papers like this one:
  Manage Oracle Database Users and Roles Centrally in Active Directory or Sun Directory
  http://www.oracle.com/us/products/middleware/identity-management/059380.pdf

• SOLVED: How To Use LDAP over SSL (no certs) from java program

  Trying to connect to OID from Java program (using Grocery Store demo as a test). Want to use SSL with no server certificate. OID is configured, and ldapsearch -U 1 works.
  Tried using URL with ldaps, or adding SECURITY_PROTOCOL,"ssl". In both case the error is 'simple bind failed'.
  Samples on OTN say this should be possible, but then only have code for the non-ssl connection.
  Posting from others with this same question don't seem to have been answered.
  Message was edited by:
  user590350
  I have found that using ConnectionUtil.getSSLDirCtx() from Oracle will make a no-authentication SSL connection. An example in the sample code would be useful.

  Even with Java APIs, There is a way to talk through SSL without bothering about certificates. It's just that you will have to write some code and make some changes in settings.
  Read following to get further information on the same.
  http://kiranthakkar.blogspot.com/2007/04/dummny-certificate-authentication.html
  I don't know or I won't comment whether it's the right approach or not but it's definitely a work around.
  Thanking You
  Kiran Thakkar

• Apache SSL Client Authentication with Windows Mobile

  The biggest question I have here is if anyone has actually made this work. I would think this would be pretty standard...
  On our HTTP server I have protected folders setup with Certificate Based Client Authentication. Each folder requires a unique client certificate.
  This works perfectly with IE & Firefox running on PCs.
  The problem I have is trying to authenticate a Windows Mobile Device.
  I can authenticate the CA certificate but nothing in the client certificate.
  In ssl.conf I have the following parameters for each folder:
  SSLRequire %{SSL_CLIENT_S_DN_O} eq "Our Organization"
  SSLRequire %{SSL_CLIENT_S_DN_CN} eq "User Division Level"
  SSLRequire %{SSL_CLIENT_S_DN_OU} eq "User Level"
  The only parameter that Apache is able to validate from the device is DN_O and that is coming from the CA certificate.
  DN_CN & DN_OU are contained in the user certificate but it is not able to validate those.
  Anyone have any ideas on this?
  Edited by: Alan3 on Nov 20, 2008 2:15 PM

  Bump.
  Is anyone out there using Win Mobile devices with Oracle HTTP server?

• Are there any known issues concerning using DIGEST-MD5 SASL authentication with iPlanet Directory Server 5.0 on Windows NT 4.0?

  I am developing support for the DIGEST-MD5 sasl mechnism on a c-ldap client. I am using the evaluation version of the iPlanet Directory Server 5.0 which lists DIGEST-MD5 as a supported SASL mechanism. The server is running on NT 4.0 After installing the Directory Server with the test database, a changed the passwordStorageScheme from the default of SSHA to clear text. I then added my test user. When I run my test I always get back a resultCode of 49 (invalidCredentials). The digest-challenge I receive from the server and my digest-response are shown below. I have satisfied myself that the calculation of the response directive in the digest response is correct. Does anyone see any problems in the digest response or have any other suggestions? Is there a known problem with the iPlanet Directory Server 5.0?
  digest-challenge:
  realm="BGB2.ndp.provo.novell.com",nonce="Ed8UPLXsWaC6CN",qop="auth",algorithm=md5-sess,charset=utf-8
  digest-response:
  username="uid=bgbrown,ou=people,dc=siroe,dc=com",realm="BGB2.ndp.provo.novell.com",cnonce="A9IuPJKr30RiwL",nc=00000001,qop=auth,digest-uri="ldap/BGB2.ndp.provo.novell.com",response=97061205298e5ebaf206c8ac3598fdce,charset=utf-8,nonce="Ed8UPLXsWaC6CN"

  Found the answer. When the username is an LDAP DN it needs to be proceeded by "dn:".
  example: username="dn:uid=bgbrown,ou=people,dc=siroe,dc=com"
  The server also accepts a simple uid value.
  example: username="bgbrown"

• How can use row_number() over partition by plz provide some doc.

  row_number() over (partition by)
  what is this and how can use it in sql query.
  if ur have any documentation of it. plz give...me..
  thanx sir
  thanx in advance.

  http://download-uk.oracle.com/docs/cd/B10501_01/server.920/a96540/functions105a.htm
  SELECT empno, deptno,
  row_number() over (partition by deptno order by empno) rn
  from scott.emp
       EMPNO     DEPTNO RN                                    
        7782             10     1
        7839             10     2
        7934             10     3
        7369             20     1
        7566             20     2
        7788             20     3
        7876             20     4
        7902             20     5
        7499             30     1
        7521             30     2
        7654             30     3
        7698             30     4
        7844             30     5
        7900             30     6Regards
  Dmytro