FreeRADIUS & eDirectory

Hi,
We want to create a wireless network. We'd like to authenticate the
accounts against a RADIUS server, so we thought of setting up a FreeRADIUS
server running on Open Enterprise Server (Linux).
I installed an Open Enterprise Server and deselected all Novell products,
so NO eDirectory, eGuide, iFolder, etc. I also chose to skip CA
creation. We already have multiple eDirectory 8.7.3.7 servers, one of
which is the Master CA.
I assume we can also use this CA server? Does anyone have proper documentation
about this?
I installed the RADIUS NPM on a NetWare server running iManager 2.5 and
tried to extend the schema. This does not go well, because of a
conflicting class. I get the following error message:
Schema conflict detected. Conflict details: [ ObjectClass Name(OID):
rADIUSProfile(2.16.840.1.113719.1.39.42.2.0.10) Conflicts with Freeradius
Objectclass : radiusprofile(1.3.6.1.4.1.3317.4.3.2.1) ]
Would you like to continue extending the rest of the class(es) and
Attribute(s) ?
I do not want to delete the current 'RADIUS:Profile' class, but I still
want to integrate FreeRADIUS with eDirectory. What can be done about
this? Why is Novell using both classes, knowing that the FreeRADIUS schema
extension always conflicts with a current eDirectory/NMAS combination?
I hope someone can help me out. I cannot find anything about this,
besides deleting classes, which we can't do in our setup.
regards,
Fred Radon
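The conflict in the error message above comes from LDAP short names being case-insensitive (RFC 4512): 'rADIUSProfile' and 'radiusprofile' are the same name, bound to two different OIDs, and a directory cannot hold both. The Python below is an added example, not code from the original post or from Novell's or FreeRADIUS's tooling: it parses objectClass descriptions in RFC 4512 syntax and reports which classes of an incoming schema file clash with what a tree already holds, before anything is written. The two class names and OIDs are the ones from the error message; the MUST/MAY lists, the extra classes and the schema text itself are constructed for the example.

```python
"""Report LDAP objectClass name/OID conflicts before extending a schema."""
import re
from dataclasses import dataclass

# One RFC 4512 objectClass description: "( <oid> NAME 'x' ... )" or
# "( <oid> NAME ( 'x' 'y' ) ... )".  Only the OID and the names are needed.
_OC_RE = re.compile(
    r"\(\s*(?P<oid>\d+(?:\.\d+)*)\s+NAME\s+"
    r"(?:'(?P<single>[^']*)'|\(\s*(?P<multi>(?:'[^']*'\s*)+)\))"
)


@dataclass(frozen=True)
class ObjectClass:
    oid: str
    names: tuple  # short names as written; LDAP compares them case-insensitively


def parse_object_classes(text):
    """Extract (oid, names) from every objectClass description in text."""
    classes = []
    for m in _OC_RE.finditer(text):
        if m.group("single") is not None:
            names = (m.group("single"),)
        else:
            names = tuple(re.findall(r"'([^']*)'", m.group("multi")))
        classes.append(ObjectClass(m.group("oid"), names))
    return classes


def check_extension(existing_text, incoming_text):
    """Classify each incoming class as safe_to_add, already_present or a conflict."""
    existing = parse_object_classes(existing_text)
    by_name = {n.lower(): oc for oc in existing for n in oc.names}
    by_oid = {oc.oid: oc for oc in existing}
    result = {"conflicts": [], "already_present": [], "safe_to_add": []}
    for oc in parse_object_classes(incoming_text):
        same_oid = by_oid.get(oc.oid)
        clashes = [by_name[n.lower()] for n in oc.names
                   if n.lower() in by_name and by_name[n.lower()].oid != oc.oid]
        if clashes:
            # Same short name (case-insensitively), different OID: this is the
            # rADIUSProfile / radiusprofile situation from the iManager dialog.
            result["conflicts"].append({
                "name": oc.names[0], "incoming_oid": oc.oid,
                "existing_name": clashes[0].names[0], "existing_oid": clashes[0].oid})
        elif same_oid is not None and \
                {n.lower() for n in same_oid.names} == {n.lower() for n in oc.names}:
            result["already_present"].append(oc.names[0])
        elif same_oid is not None:
            # Same OID under a different name is a conflict as well.
            result["conflicts"].append({
                "name": oc.names[0], "incoming_oid": oc.oid,
                "existing_name": same_oid.names[0], "existing_oid": same_oid.oid})
        else:
            result["safe_to_add"].append(oc.names[0])
    return result


# Constructed sample: the two RADIUS class names and OIDs are the ones from
# the iManager error message; MUST/MAY lists and the other classes are made up.
TREE_SCHEMA = """
( 2.16.840.1.113719.1.39.42.2.0.10 NAME 'rADIUSProfile' SUP top AUXILIARY MAY ( description ) )
( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword ) )
"""

FREERADIUS_SCHEMA = """
( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' SUP top AUXILIARY MUST cn MAY ( radiusReplyMessage ) )
( 1.3.6.1.4.1.3317.4.3.2.2 NAME 'radiusObjectProfile' SUP top STRUCTURAL MUST cn )
( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )
"""

if __name__ == "__main__":
    report = check_extension(TREE_SCHEMA, FREERADIUS_SCHEMA)
    for c in report["conflicts"]:
        print("CONFLICT: %s(%s) vs existing %s(%s)" % (
            c["name"], c["incoming_oid"], c["existing_name"], c["existing_oid"]))
    print("already present:", report["already_present"])
    print("safe to add:", report["safe_to_add"])
```

Against a live tree you would feed the script the objectClasses values read from the server's subschema entry (cn=schema on eDirectory) instead of the constructed text. A name conflict of this kind cannot be fixed by extending harder: the directory will not attach a second OID to a name it already knows, which is why the dialog in the post can only offer to skip that class and continue with the rest.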

I could be daft, but I'm in the process of setting up FreeRADIUS on an
OES SUSE 9 server which I integrated into our tree after a lot of
research. My impression was that in order for FreeRADIUS to authenticate
against the eDirectory tree it needed to be installed on a
Linux (SUSE/Red Hat) server that had eDirectory, OpenSSL and OpenLDAP
installed.
http://www.novell.com/documentation/...y.html#btuadmy
I had previously attempted to find a way to just authenticate against
NLDAP or integrate a Linux box as a BDC into my PDC on my NetWare 6.5
box. However, each of these attempts ended when I found documentation
saying that neither was possible.
Novell's site has a lot of documentation on integrating eDirectory with
FreeRADIUS. I've listed one main document above, but there are TIDs that
cover other details. If you find that it is possible to set up a Linux
server without having it integrated into the eDirectory tree and
authenticate users against eDirectory, please let me know.
If you don't need eDir authentication, take a look at Zeroshell, which is
a bootable RADIUS server based on FreeRADIUS with a simple web interface
for administration.
Thanks,
-Nyle

Similar Messages

  • Novell, W2K workstation, PEAP

    I need to provide an 802.1x PEAP solution for a Windows 2000 SP4, Novell 4.91 SP3 client environment.
    Directory Service: eDirectory
    RADIUS: FreeRADIUS
    Wireless Supplicant: Cisco Secure Services Client 4.2
    No Active Directory user or computer accounts.
    We will be using a 4400 series WLC to control the LWAPP devices.
    Does anyone see any issues with using the above? Potentially we can install an MS IAS server to authenticate AD users instead of the FreeRADIUS/eDirectory solution.
    Thanks,
    Paul

    Funk Software (www.funk.com) has a solution that should work for you. Their
    RADIUS server can do an EAP-TLS/PAP or EAP-TTLS/PAP authentication against
    eDirectory. Both EAP-TLS and EAP-TTLS are similar to PEAP in that they set
    up an encrypted tunnel between the 802.1x client and the RADIUS server. The
    Funk solution will pass the PAP password to the RADIUS server inside the
    tunnel, then use LDAP to verify the password against eDirectory. If I
    remember correctly, they also have an 802.1x client that integrates with
    Client32. The downside to the Funk solution is that you'll need to purchase
    a Funk server to replace your Cisco RADIUS appliance.
    >>> <[email protected]> 08/09/04 9:17 AM >>>
    We are trying to implement wireless security for a new high school.
    During the planning stages, the vendor contracted to set up wireless
    recommended a Cisco ACS RADIUS appliance and MS-PEAP authentication. Since
    then, we have run into several roadblocks: the ACS appliance can only
    authenticate to eDirectory (version 8.7.1) using clear text passwords; to
    get around that we configured the ACS to use Generic LDAP and SSL. Now
    the vendor is indicating that it is not possible to run LDAP and MS-PEAP
    together on the ACS, and that we will need to put up an Active Directory
    tree, instead of using eDirectory. To top everything off, they are now
    saying that the Novell client (version 4.9 SP2) is not compatible with
    PEAP. Long story short... we have spent a lot of money and gotten nowhere,
    so we're looking for alternative solutions.
    Anyone have a suggestion? We would like to have some sort of solution
    that would use Novell/eDir user credentials to authenticate to RADIUS. It
    doesn't necessarily have to be PEAP.
    Thanks!

  • Setting up FreeRADIUS and eDirectory for 802.1X Authentication

    Not sure how many people know about this, but I sure didn't. Novell
    actually has a TID on how to set all of this up. Just thought I'd share this
    with you guys. Might just help someone out there.
    http://www.novell.com/support/php/se...200%2083136239

    Hcyuan,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://support.novell.com/forums/faq_general.html
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Is This Even Possible? eDirectory syncing passwords with external RADIUS servers.

    We currently have a solution that allows us to use a campus RADIUS
    server as the authentication mechanism for accessing the Internet. We want
    to integrate this so users can authenticate with their campus IDs but gain
    access to the Novell server (home directory and printing) using the same
    information.
    Is this even possible?
    So, essentially, we would like the external RADIUS' user/password data to
    be synced with the eDirectory data, but have the eDirectory receive updates
    from the RADIUS (or LDAP, Kerberos or whatever system is necessary). Or is
    an all-Novell solution the only possible way to use RADIUS authentication?
    Any input would be greatly appreciated.
    -=Bryan

    Hi Bryan,
    As Jim said, you can use IDM to do this, but another option for you
    might be to use something like FreeRADIUS and point it back to
    eDirectory as its authentication source.
    Cheers,
    Steve
    On Thu, 23 Feb 2006 15:50:11 GMT, [email protected] wrote:
    >Michael,
    >
    >Thanks for the info. I really wasn't sure where to post this question. I
    >really wasn't sure if I needed to be using Novell's RADIUS server or not to
    >do this. Reading the online docs didn't really help me to know which
    >solution or solutions to choose.
    >
    >-=Bryan
    >
    >> [email protected] wrote:
    >>
    >> > Is this even possible?
    >> >
    >> > So, essentially, we would like the external RADIUS' user/password data to
    >> > be synced with the eDirectory data, but have the eDirectory receive updates
    >> > from the RADIUS (or LDAP, Kerberos or whatever system is necessary). Or is
    >> > an all-Novell solution the only possible way to use RADIUS authentication?
    >>
    >> What you want should be possible with Novell Identity Manager (formerly
    >> DirXML) product. This particular forum is for help with the NetWare
    >> Radius server, which would not factor into what you are trying to
    >> accomplish... you have a non-Novell Radius server that you want to sync
    >> eDirectory information with, and that is the realm of identity manager.
    >>
    >> As to the "hows", you might ask in the nsure-identity-manager group here.
    >>
    >> --
    >> Jim
    >> NSC Sysop

  • Error Extending eDirectory Schema for Radius in iManager

    I am working on integrating eDirectory with FreeRADIUS on our OES 11 SP2 servers. I have been following all the steps in the "Integrating Novell eDirectory with FreeRADIUS" guide located here: https://www.netiq.com/documentation/edir_radius/. I did not have any problems installing FreeRADIUS or modifying its config files for LDAP authentication.
    I am now stuck trying to extend the eDirectory schema for radius. In iManager, I go to Roles and Tasks --> radius --> Extend Schema, and I keep getting the following error: "RADIUS plugin encountered an error. Click the Details button for more information." When I click "details" it shows the following:
    java.lang.NullPointerException
        at java.util.StringTokenizer.<init>(StringTokenizer.java:88)
        at java.util.StringTokenizer.<init>(StringTokenizer.java:66)
        at com.novell.ldap.LDAPConnection.connect(Unknown Source)
        at com.novell.nps.radius.NovellLDAPAuthenticator.login(NovellLDAPAuthenticator.java:155)
        at com.novell.nps.radius.ExtendRadiusSchema.showInitialForm(ExtendRadiusSchema.java:178)
        at com.novell.nps.radius.ExtendRadiusSchema.execute(ExtendRadiusSchema.java:96)
        at com.novell.emframe.dev.Task.execute(Task.java:505)
        at com.novell.nps.gadgetManager.BaseGadgetInstance.processRequest(BaseGadgetInstance.java:858)
        at com.novell.nps.gadgetManager.GadgetManager.delegateToGadget(GadgetManager.java:4256)
        at com.novell.nps.gadgetManager.LaunchService.onDelegateAction(LaunchService.java:86)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
        at java.lang.reflect.Method.invoke(Method.java:611)
        at com.novell.nps.gadgetManager.BaseGadgetInstance.handleAction(BaseGadgetInstance.java:2371)
        at com.novell.nps.gadgetManager.GadgetManager.processInstanceRequest(GadgetManager.java:1609)
        at com.novell.nps.gadgetManager.GadgetManager.processServiceRequest(GadgetManager.java:1062)
        at com.novell.nps.PortalServlet.handleFrameService(PortalServlet.java:509)
        at com.novell.nps.PortalServlet.processRequest(PortalServlet.java:373)
        at com.novell.nps.PortalServlet.doPost(PortalServlet.java:279)
        at com.novell.nps.PortalServlet.doGet(PortalServlet.java:262)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
        at com.novell.emframe.fw.servlet.AuthenticatorServlet.service(AuthenticatorServlet.java:332)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.novell.emframe.fw.filter.CrossScriptingFilter.doFilter(CrossScriptingFilter.java:25)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.novell.emframe.fw.filter.AntiCsrfServletFilter.doFilter(AntiCsrfServletFilter.java:275)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
        at java.lang.Thread.run(Thread.java:761)
    Can anyone give me an idea of what is going on here? Everything I've been able to dig up so far has dealt with schema conflict errors and ssl/tls connection issues. I don't think that is what's going on here. I am getting the same error on multiple servers with eDirectory and iManager installed. Any help is appreciated. Thank you.
    Scot

    Seems like there is a known bug for this issue; I suggest you open an SR if you can.
    Thomas

  • 802.1x, eDirectory, and RADIUS

    Hello all:
    I hope that I am posting on the correct forum.
    We currently have a Cisco ACS 3.3 which we have configured to use
    eDirectory as an external LDAP directory. We are currently able to set
    up access to our routers and switches via TACACS and successfully
    authenticate via user names and passwords stored in eDirectory, so we
    know that the LDAP access is working. eDirectory version is 8.7.3.4. OS
    is NetWare 6.5 SP3.
    We are now embarking on setting up wireless authentication utilizing
    the AEGIS client from Meetinghouse as our supplicant. We have been
    successful in authenticating to our test wireless AP (Cisco 1200) with
    a user set up in an access group on the ACS using the ACS as a RADIUS
    server. We are authenticating via LEAP. However, we have not been able
    to authenticate using eDirectory usernames and passwords. Upon
    reviewing various posts I have seen info about adding RADIUS attributes
    to eDirectory to use the FreeRADIUS server. Is this necessary with the
    ACS device? Do we need to change our protocol to EAP-TTLS as is
    suggested in other posts, or do we need to set up simple passwords? What
    security considerations do we want to take into account?
    If anyone has successfully implemented this configuration, please feel
    free to contact me directly. We want to leverage eDirectory and our
    client's experience with this platform to make wireless security as
    seamless and secure as possible. This is a school district and we want
    to be able to limit our user access via login names that they enter on
    any machine in the district rather than via machine certificates. That
    way if we want to deny a student access for disciplinary reasons, we
    can implement it very easily.
    I would greatly appreciate any assistance that can be provided!
    Donna Moyer

    Heiti,
    I sent you an email regarding our situation. Have you received it yet,
    and if so, have you had a chance to respond to the wireless
    authentication questions?
    Thanks
    heiti@boras_nospam_.se wrote:
    > Nope... the easiest way to do it is to use eDirectory for authentication
    > only and let the ACS server do the other stuff.
    >
    > I guess that the only time when you need to do so is when you are
    > connecting to NetWare RADIUS via PAP over an EAP-TTLS tunnel.
    > You can do that with FreeRADIUS but not with Cisco ACS.
    > And the only clients supporting that are Intel PROSet, Aegis and Odyssey,
    > but not the Cisco or Microsoft supplicants.
    >
    >
    > Which method to use depends on what environment you have:
    > In a school environment (or an environment where computers are shared among
    > many users) with the Novell Client installed, you should use PEAP (PEAPv1/GTC)
    > instead of EAP-FAST and use the pre-logon stuff on the supplicant.
    > And use a static user in the profile configuration (and you don't even need
    > to have the user credentials in eDirectory), instead of prompting for the
    > password and username all the time.
    > (Because you need the IP address before the Novell Client tries to
    > log on.)
    > That should give, from a user's point of view, Single Sign-On functionality.
    >
    > In the opposite environment, where there is a single profile (user) on each
    > computer, you can use EAP-FAST (with manual PAC provisioning) or PEAP with
    > eDirectory (or LDAP) as the authentication database, and prompt for username
    > and password each time.
    >
    >
    > The ultimate method would be a Novell Client supporting EAP and a Novell
    > RADIUS server supporting EAP-FAST/EAP-TTLS or PEAP.
    > That should ease up everything a bit and give a clean environment and
    > Single Sign-On functionality =)
    >
    >
    > PS. PEAP has the advantage over EAP-TLS that PEAP doesn't need a
    > client certificate, only a server certificate.
    >
    >
    > Method            Database           Certificate
    > -------------------------------------------------
    > EAP-FAST          LDAP/NDS/etc.      No, only PAC
    > PEAPv0 (MSCHAP)   AD                 Server
    > PEAPv1 (GTC)      LDAP/NDS/etc.      Server
    > EAP-TLS           LDAP/NDS/etc.      Client, Server
    > EAP-TTLS          NW RADIUS (PAP)    No
    > LEAP              AD                 No
    >
    >
    > Feel free to ask more!
    >
    > Best regards,
    > Heiti Ernits
    > Network Technician
    > Adk-Data
    > Bors Stad

  • SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

    One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
    Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
    I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
    In the Membership provider name text box I entered "LdapMember"
    In the Role provider name  text box I entered "LdapRole"
    In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
    <membership>
    <providers>
    <add name="LdapMember"
    type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
    <providers>
    <add name="LdapRole"
    type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    groupContainer="OU=people,O=validobject"
    groupNameAttribute="cn"
    groupNameAlternateSearchAttribute="samAccountName"
    groupMemberAttribute="member"
    userNameAttribute="sAMAccountName"
    dnAttribute="distinguishedName"
    groupFilter="(ObjectClass=group)"
    userFilter="(ObjectClass=person)"
    scope="Subtree" />
    </providers>
    </roleManager>
    I modified the SecurityTokenServiceApplication web.config with these details
    <system.web>
    <membership>
    <providers>
    <add name="LdapMember"
    type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    <roleManager enabled="true">
    <providers>
    <add name="LdapRole"
    type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    groupContainer="OU=people,O=validobject"
    groupNameAttribute="cn"
    groupNameAlternateSearchAttribute="samAccountName"
    groupMemberAttribute="member"
    userNameAttribute="sAMAccountName"
    dnAttribute="distinguishedName"
    groupFilter="(&amp;(ObjectClass=group))"
    userFilter="(&amp;(ObjectClass=person))"
    scope="Subtree" />
    </providers>
    </roleManager>
    </system.web>
    I modified the web.config of the test application I created with these details
    <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    groupContainer="OU=people,O=validobject"
    groupNameAttribute="cn"
    groupNameAlternateSearchAttribute="samAccountName"
    groupMemberAttribute="member"
    userNameAttribute="cn"
    dnAttribute="dn"
    groupFilter="(&amp;(ObjectClass=group))"
    userFilter="(&amp;(ObjectClass=person))"
    scope="Subtree" />
    </providers>
    </roleManager>
    <membership defaultProvider="i">
    <providers>
    <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    useDNAttribute="true"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    With all of this configured, I can go to the new test site, and I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully log in with Windows authentication, but Forms authentication gives me an error:
    The server could not sign you in. Make sure your user name and password are correct, and then try again.
    I can successfully log in to an LDAP management tool using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer:
    8306 - SharePoint Foundation - The security token username and password could not be validated.
    in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
    then this:
    Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
    at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
    I monitored the LDAP server and did a packet trace on the communication happening between the SharePoint server and the LDAP server, and it is a bit odd. It goes like this:
    The SharePoint server successfully connects to the LDAP server, binding as the ldapserviceid + password
    The LDAP server tells the SharePoint server it is ready to communicate
    The SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found
    The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
    The LDAP server sends notification that it is done and is closing the connection that was bound to the ldapserviceid + password
    The SharePoint server acknowledges the connection is closing
    ... and then nothing happens, except the error on SharePoint
    What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account
    specified in the web.config). That part does not seem to be happening.
    I am at a standstill on this and any help would be greatly appreciated.

    OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there
    is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app). In either case, you will see two text boxes underneath the checkbox item
    for enabling Forms Based Authentication:
    "ASP.NET Membership provider name"
    "ASP.NET Role manager name"
    We entered a name for Membership provider, and left Role manager blank.
    In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
    <membership>
    <providers>
    <add name="LdapMember"
    type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword="validpassword"
    useDNAttribute="false"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    <roleManager>
    <providers>
    </providers>
    </roleManager>
    useDNAttribute="false" turned out to be important as well.
    So, for us to get LDAP authentication working between SharePoint 2010 and Novell eDirectory, we had to:
    leave anything related to the role provider blank
    configure the web.config in three different applications, with the proper connection information to reach our Novell eDir
    ensure that useDNAttribute="false" was used in all three of the modified web.config files.
    Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from
    a non-existent role manager.
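The two-step check the packet trace above describes (bind as the service account, search for the login name, then bind again as the entry that was found) is the same search-then-bind flow the Funk reply earlier on this page describes for EAP-TTLS/PAP, where the RADIUS server verifies the tunnelled PAP password with an LDAP bind against eDirectory. The Python below is an added example, not code from either thread, from SharePoint or from FreeRADIUS: it escapes the login name per RFC 4515 before splicing it into the search filter, requires exactly one hit, refuses an empty password (a bind with a DN and no password is an unauthenticated bind that many servers report as success), and only then binds as the user. The in-memory directory, its entries and passwords, the toy filter evaluator, and the assumption that the provider ANDs userFilter with an equality match on userNameAttribute are all constructed for the example; the DNs and settings mirror the web.config shown above.

```python
"""Search-then-bind password verification against an LDAP directory, with
RFC 4515 filter escaping.  The directory and filter evaluator are toys."""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value before splicing it into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_filter, user_name_attribute, username):
    """AND the configured userFilter with an equality match on the login name.
    (Assumption: the real provider combines the two settings this way.)"""
    return "(&%s(%s=%s))" % (user_filter, user_name_attribute,
                             escape_filter_value(username))


def _assertion_regex(pattern):
    """One assertion value as a regex: an unescaped '*' is a wildcard,
    a '\\xx' hex escape is a literal character."""
    pieces = []
    for piece in pattern.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.compile(".*".join(pieces), re.IGNORECASE)


_ITEM_RE = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def evaluate_filter(filter_str, entry):
    """Toy evaluator for '(&(a=v)(b=w)...)' filters: equality and '*' only."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filter_str)
    if not m:
        raise ValueError("toy evaluator only handles (&(a=v)(b=w)...) filters")
    for attr, pattern in _ITEM_RE.findall(m.group(1)):
        rx = _assertion_regex(pattern)
        if not any(rx.fullmatch(v) for v in entry.get(attr.lower(), [])):
            return False
    return True


class FakeDirectory:
    """Stands in for eDirectory (constructed); attribute names are lower-case."""

    def __init__(self, entries):
        self.entries = {dn.lower(): attrs for dn, attrs in entries.items()}

    def bind(self, dn, password):
        # Mirrors the RFC 4513 unauthenticated bind: a DN with an empty
        # password "succeeds" on many servers, so callers must refuse it.
        if password == "":
            return True
        entry = self.entries.get(dn.lower())
        return entry is not None and password in entry.get("userpassword", [])

    def search(self, base, filter_str):
        suffix = "," + base.lower()
        return [dn for dn, e in self.entries.items()
                if dn.endswith(suffix) and evaluate_filter(filter_str, e)]


def authenticate(directory, cfg, username, password):
    """Service bind -> search for the login name -> bind as the found DN."""
    if not directory.bind(cfg["connectionUsername"], cfg["connectionPassword"]):
        return False, "service account bind failed"
    flt = build_user_filter(cfg["userFilter"], cfg["userNameAttribute"], username)
    hits = directory.search(cfg["userContainer"], flt)
    if len(hits) != 1:
        return False, "expected exactly one entry for %r, found %d" % (username, len(hits))
    if password == "":
        return False, "empty password refused (would be an unauthenticated bind)"
    if not directory.bind(hits[0], password):
        return False, "user bind failed"
    return True, hits[0]


# Constructed entries; DNs follow the shape used in the posted web.config.
DIRECTORY = FakeDirectory({
    "cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject":
        {"objectclass": ["person"], "userpassword": ["validpassword"]},
    "cn=testuser,ou=people,o=validobject":
        {"cn": ["testuser"], "objectclass": ["person"], "userpassword": ["Secr3t!"]},
    "cn=alice,ou=people,o=validobject":
        {"cn": ["alice"], "objectclass": ["person"], "userpassword": ["hunter2"]},
})

CFG = {  # mirrors the membership-provider settings from the post
    "connectionUsername": "cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject",
    "connectionPassword": "validpassword",
    "userContainer": "OU=people,O=validobject",
    "userNameAttribute": "cn",
    "userFilter": "(ObjectClass=person)",
}

if __name__ == "__main__":
    print(authenticate(DIRECTORY, CFG, "testuser", "Secr3t!"))
    print(authenticate(DIRECTORY, CFG, "*", "anything"))       # escaped: no match
    print(DIRECTORY.search(CFG["userContainer"],
                           "(&(ObjectClass=person)(cn=*))"))   # unescaped: every user
```

Two things in the posted configuration are worth noting alongside this flow: every block uses useSSL="false" on port 389, so the service-account password and each user's password cross the network in clear text (both binds should go over LDAPS or StartTLS), and the role-provider blocks reference sAMAccountName, an Active Directory attribute that eDirectory does not have.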

  • OSX 10.6.2 and Novell Netware eDirectory 8.8 SP5

    OK, forgive the long-winded post, but I thought some background would be in order. Briefly, the problem we have is:
    We create a new user in eDirectory, extend them with apple-user,
    add apple-user-homeDirectory of:
    /Network/Servers/<ip of server>/SERVER.VOLUME/HomeDirectory
    and an apple-user-homeurl of:
    afp://<ip of server>/SERVER.VOLUME/HomeDirectory
    AFP works fine, I can manually mount this volume with login / password in OSX with Command-K
    LDAP authentication works great.
    After login, no home directory is mounted or exists, so we get an error (login still occurs).
    Now, if I change the apple-user-homeurl to:
    <home_dir><url>afp://<ip of server>/SERVER.VOL</url><path>HomeDirectory</path></home_dir> (this is how an X Serve stores this value in Open Directory) and attempt to login, login fails "because an 'error' occurred"
    If I check the console / system logs on the OSX client, I see:
    authorizationhost[455]: afp home directory mount failed in theEnumerator->Count in AFP_OpenSession: status = Unknown error: -5023
    Now, for the weird part, if I change apple-user-homeurl on the user back to:
    afp://<ip of server>/SERVER.VOLUME/HomeDirectory - login then works fine and their home directory is created and they are able to use the Mac normally.
    Any ideas? I will post this to Apple forums as well. If I get any answers I will cross-post them.
    Thanks,
    Joe Jenkins
    ps: Novell, please please please, we really need a working OSX client for Netware / OES!!!
    Background:
    New Netware 6.5SP8 server / eDirectory 8.8 SP5 / latest NMAS
    Latest Novell AFP FTF patch from mid Sept 2009
    eDirectory schema extended and LDAP mappings made with documentation I pieced together on the web. If I browse via LDAP, I am seeing proper returns for all the objects I need to log in.
    Mount object created in Edirectory for the AFP mount corresponding to users home directories.
    OSX test client is Snow Leopard 10.6.2 (patched this morning, clean install)
    Authentication works fine, client works fine once I do the switcheroo with the apple-user-homeurl as indicated above, AFP mounts work fine in OSX, no weird errors in NMAS/LDAP dstrace, AFPTCP.log etc
    By the way, if anyone else is trying to figure this out, my LDIF and my LDAP template may be of use:
    http://www.nerdnet.com/edirldifandplist.zip
    The LDIF is the Apple schema you apply to your eDirectory to support OS X computers. The template is used by the Directory Utility on OSX for mapping eDirectory values to their OSX values. It's taken me about two weeks of work off and on to get a working set of these, hope they save someone else some time!
    Thanks to whoever wrote the "Integrating Mac OS X and Novell eDirectory" document - it was a great help, as is Randy Saek's posts here and his written document "Mac OS X and Novell eDirectory integration" - with these documents and numerous posts on Novell's forums, I've almost got this working well (these documents are available all over the web, but if you can't find them, let me know and I'll put them on my webserver)
    Cheers,
    Joe Jenkins

    A long-winded post deserves a long-winded reply! Are you serving the home directories from Novell's AFP file server? If not -- if you're serving them from a Mac server -- then never mind all this.
    If so, you may need to create a generic mount object in your eDirectory tree (not an AppleShare object -- I've never been able to get that working)
    Get Properties of the mount object and, under the "Other" tab (I'm assuming you're using ConslowOne) add the following attributes: values (or whatever variations of them are appropriate for you)
    apple-mountDirectory: /Network/Servers
    apple-mountOption: net
    apple-mountOption: url==afp://;AUTH=NO%20USER%[email protected]/staff-network-drive
    (yes, apple-mountOption gets two values! i just wrote the attribute twice for clarity)
    apple-mountType: url
    Once I had this in place I still had to do some fiddling with how to specify the home directory for each user. I settled on
    OSX Home: /Network/Servers/10.9.7.11/student-network-drive/Users/stevejobs
    (you would put this in apple-user-homeDirectory, not OSX Home. We just mapped things a little differently.)
    apple-user-homeurl: <homedir><url>afp://10.9.7.11/student-network-drive</url><path>Users/stevejobs</path> </homedir>
    Note how we have Users/stevejobs in the path section. This is different from how Workgroup Manager will save it, even though it will appear to be the same path if you look at it in WGM (thanks, Apple). Unfortunately the way WGM saves it doesn't work (at least, I couldn't get it to), so you can't use WGM to assign this attribute. I ended up writing a shell script to do it.
    Hope that helps. If you want the shell script, I can probably dig it up but make sure you know what you're doing with it. It is tailored to our system and I didn't bother writing any exception handling, so it could very well nuke your system, call you names and eat your dog.
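    Added example, not the reply author's shell script (which is not on the page) and not Apple or Novell code: the per-user values above built from host, share and per-user path, a cross-check that apple-user-homeDirectory is exactly MOUNT_ROOT/host/share/path as assembled from the url and path elements of apple-user-homeurl (this check would reject the original post's pair, where the URL names SERVER.VOL and the directory names SERVER.VOLUME), and an LDIF modify record to set both attributes, with the base64 encoding LDIF requires for a value that starts with "<". It assumes the <home_dir> element name the original post quotes from Open Directory and also accepts the reply's <homedir> spelling; host, share, path and DN are placeholders.

```python
"""Build and cross-check the Apple home-directory attributes kept in eDirectory.

Added example, not the reply author's script. Host, share, path and DN are
placeholders; <home_dir> is the Open Directory form quoted in the original
post, and the reply's <homedir> spelling is accepted as well.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit
from xml.sax.saxutils import escape

MOUNT_ROOT = "/Network/Servers"          # apple-mountDirectory of the mount object
ACCEPTED_ROOT_TAGS = ("home_dir", "homedir")


def home_attributes(host, share, path):
    """Return the two per-user values: the mount-point path and the home URL."""
    share, path = share.strip("/"), path.strip("/")
    return {
        "apple-user-homeDirectory": "%s/%s/%s/%s" % (MOUNT_ROOT, host, share, path),
        "apple-user-homeurl": "<home_dir><url>afp://%s/%s</url><path>%s</path></home_dir>"
                              % (escape(host), escape(share), escape(path)),
    }


def check_home(home_directory, homeurl):
    """Return a list of problems; an empty list means the two attributes agree."""
    problems = []
    try:
        root = ET.fromstring(homeurl)
    except ET.ParseError as exc:
        return ["apple-user-homeurl is not well-formed XML: %s" % exc]
    if root.tag not in ACCEPTED_ROOT_TAGS:
        problems.append("root element is <%s>, expected <home_dir>" % root.tag)
    url = (root.findtext("url") or "").strip()
    path = (root.findtext("path") or "").strip("/")
    parts = urlsplit(url)
    share = unquote(parts.path).strip("/")
    if parts.scheme != "afp":
        problems.append("url scheme is %r, expected afp" % parts.scheme)
    if not share:
        problems.append("url carries no share name")
    if not path:
        problems.append("<path> is empty: the per-user folder belongs in <path>, not in <url>")
    expected = "%s/%s/%s/%s" % (MOUNT_ROOT, parts.hostname, share, path)
    if home_directory != expected:
        problems.append("apple-user-homeDirectory %r does not match url+path %r"
                        % (home_directory, expected))
    return problems


def ldif_line(name, value):
    """One LDIF attribute line. RFC 2849 requires base64 ('::') for a value that
    starts with '<', ':' or a space, or contains non-ASCII or a line break."""
    if value[:1] in ("<", ":", " ") or not value.isascii() or "\n" in value:
        return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (name, value)


def ldif_modify(user_dn, attrs):
    """Return an LDIF 'changetype: modify' record replacing each attribute."""
    lines = ["dn: %s" % user_dn, "changetype: modify"]
    for i, (name, value) in enumerate(attrs.items()):
        if i:
            lines.append("-")
        lines.extend(["replace: %s" % name, ldif_line(name, value)])
    lines.append("-")
    return "\n".join(lines) + "\n"


def home_ldif(user_dn, host, share, path):
    """Validate, then emit the LDIF for one user; raises if the pair is inconsistent."""
    attrs = home_attributes(host, share, path)
    problems = check_home(attrs["apple-user-homeDirectory"], attrs["apple-user-homeurl"])
    if problems:
        raise ValueError("; ".join(problems))
    return ldif_modify(user_dn, attrs)


if __name__ == "__main__":
    print(home_ldif("cn=stevejobs,ou=students,o=school", "10.9.7.11",
                    "student-network-drive", "Users/stevejobs"))
    # The original post's pair: SERVER.VOLUME in the directory, SERVER.VOL in the URL.
    print(check_home("/Network/Servers/10.9.7.11/SERVER.VOLUME/HomeDirectory",
                     "<home_dir><url>afp://10.9.7.11/SERVER.VOL</url>"
                     "<path>HomeDirectory</path></home_dir>"))
```

    Feed the output to ldapmodify (or ICE) as an administrative user; because the script refuses to emit a record whose two attributes disagree, a typo in the share name is caught before the user's next login fails with an AFP error.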

  • How to create a space on the volume for user in eDirectory ?

    Hello, can I create and associate a limit on the volume of data with a Java API? I would like to do this at the time the user is created in eDirectory. What would my options be? I need to create a space on the volume and create a folder with the user ID. Please help if you can.
    Thank you.

    Jquinone wrote:
    > hello, can I create and associate a limit on the volume of data with a
    > Java API ?. I would like to do at the time that the user is created in
    > eDirectory. What would my options?. I need to create a space on the
    > volume and create a folder with the user id. If I can help please.
    You can create a folder with ordinary Java methods. To add a quota, you
    can use Virtual File Services API,
    http://developer.novell.com/wiki/index.php/Vfs. In particular, you may
    find addQuota,
    http://developer.novell.com/document...a/btxm0ri.html,
    and modifyVolumeInfo,
    http://developer.novell.com/document...a/afqd95h.html,
    useful.
    Dmitry

  • Error while adding eDirectory replica

    Hi folks!
    I want to add a replica of our whole eDirectory tree to a new server (OES11.2 SLES11.3).
    So I wanted to do so via iManager. (Partitions and Replicas / Replica View / Add Replica)
    Everything looks normal. I see our other servers with added replicas and of course the server with the master image.
    For additional information: I did that a lot of times without problems until now.
    When I want to add a replica to the new server, I get the following error: (Error -636) The server is unreachable.
    I checked the /etc/hosts file and the network settings on both servers.
    Ndsrepair looks normal too. All servers are in sync and there are no connection errors. The replica depth of the new server is -1. I get that, because there is no replica on it yet.
    But if I can connect from one server to another and there are no error messages, why does adding a replica not work?
    Am I forgetting something here?
    Every server in our environment runs OES11.2 except the master server which runs OES11.1
    Thanks for your help!
    Daniel

    Originally Posted by ab
    Care to post it so we can see what you saw?
    Here is the output of the dump:
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    11:12:45.005821 IP hoferfs.39168 > oes11nss.ncp: P 4052461235:4052461403(168) ack 2285588323 win 661 <nop,nop,timestamp 6502 41234363>
    11:12:45.006898 IP oes11nss.ncp > hoferfs.39168: P 1:123(122) ack 168 win 501 <nop,nop,timestamp 41243005 6502>
    11:12:45.006925 IP hoferfs.39168 > oes11nss.ncp: . ack 123 win 661 <nop,nop,timestamp 6502 41243005>
    11:12:45.007342 IP hoferfs.39149 > oes11nss.ncp: P 1357352830:1357352966(136) ack 3110271178 win 661 <nop,nop,timestamp 6502 41233608>
    11:12:45.008116 IP oes11nss.ncp > hoferfs.39149: P 1:169(168) ack 136 win 501 <nop,nop,timestamp 41243005 6502>
    11:12:45.008131 IP hoferfs.39149 > oes11nss.ncp: . ack 169 win 661 <nop,nop,timestamp 6502 41243005>
    11:12:45.008280 IP hoferfs.39149 > oes11nss.ncp: P 136:308(172) ack 169 win 661 <nop,nop,timestamp 6502 41243005>
    11:12:45.010722 IP oes11nss.ncp > hoferfs.39149: P 169:275(106) ack 308 win 501 <nop,nop,timestamp 41243006 6502>
    11:12:45.010829 IP hoferfs.39149 > oes11nss.ncp: P 308:572(264) ack 275 win 661 <nop,nop,timestamp 6503 41243006>
    11:12:45.011654 IP oes11nss.ncp > hoferfs.39149: P 275:552(277) ack 572 win 501 <nop,nop,timestamp 41243006 6503>
    11:12:45.011831 IP hoferfs.39149 > oes11nss.ncp: P 572:696(124) ack 552 win 661 <nop,nop,timestamp 6503 41243006>
    11:12:45.012471 IP oes11nss.ncp > hoferfs.39149: P 552:584(32) ack 696 win 501 <nop,nop,timestamp 41243007 6503>
    11:12:45.048112 IP hoferfs.39149 > oes11nss.ncp: . ack 584 win 661 <nop,nop,timestamp 6513 41243007>
    ^C
    13 packets captured
    13 packets received by filter
    0 packets dropped by kernel
    oes11nss is the master server and hoferfs would be the server with the replica on.
    The dump started before I pressed OK and ended after the error occurred.
    Regards!
    Daniel

  • Issue during integrating OIM 9.1 with novell edirectory 8.8

    Hi,
    We are trying to integrate OIM 9.1 with Novell eDirectory 8.8 using the Novell eDirectory 9.0.4.2 connector.
    While provisioning I am facing the following issue:
    DOBJ.THROWABLE_IN_SAVE Unhandled throwable java.lang.NoClassDefFoundError in com.thortech.xl.dataobj.tcScheduleItem's save.
    The user is getting created in OID but not provisioned to eDirectory.
    Thanks in Advance
    Manju

    Hi,
    Thanks for responding.
    I am trying to provision users to Novell eDirectory.
    I create a user in Oracle Identity Manager 9.1, then select the Resource profile and provision a new resource (to eDirectory 8.8).
    During the last step of provisioning, when I click the Continue button, Oracle Identity Manager throws the error below on the next screen with the message "Provisioning is been initiated". But the user is not created in eDirectory.
    DOBJ.THROWABLE_IN_SAVE Unhandled throwable java.lang.NoClassDefFoundError in com.thortech.xl.dataobj.tcScheduleItem's save.
    In the open tasks, System Validation task is created with the status Pending.
    Please help me to rectify this issue.
    Also let me know whether anyone has tried to integrate Oracle Identity Manager 9.1 with eDirectory 8.8 using the Novell eDirectory 9.0.4.2 connector.
    Thanks

  • Restoring eDirectory info from Netware 5.1 to 6.5.

    What are the chances of restoring eDirectory info from a Netware 5.1 server to a NetWare6.5SP8 server?
    My network is a mixture of NW6.5SP8 and OES 11SP2 servers, with a single exception.
    Due to organizational politics, we have a department that has kept an old NetWare 5.1 server running.
    That server crashed yesterday (finally!), and has been removed from eDirectory.
    Amidst my joy, however, there is a problem:
    My server backup software had never had any ACL-related problems when I've used it to restore data to my NW6.5 or OES11 servers.
    That includes restoring data to a different server.
    I had no problems restoring the data from this 5.1 server to another location, but no ACL information was included in the restoration.
    My only desire at this point is to find a way to discover the ACL information with regard to that data. There were a LOT of group-related access rights on this server.
    Even though it wouldn't be my responsibility to recreate those rights, I'd like to see if I can recover it somehow.
    What would be the expected result of attempting to restore both the data and the eDirectory info from tape backup of the NetWare 5.1 server to a newly created NW6.5SP8 server?
    I don't care how much the server complains about not seeing the rest of the network, as long as I can log into it and look at the file rights information.
    If I were to create a new server in its own tree, isolated from the production network, and attempt to restore both data and eDirectory to the server, would it be logical to expect the ACL information to be restored?
    I may still have a NW5.1 server CD around somewhere, but if I can accomplish my goal with a NW6.5 server, it'd be faster.
    Any thoughts are welcome.

    Thank you for your response, Anders
    Yes, I'm referring to file rights.
    I'm confused, then.
    I have always thought that trustee rights involved both eDirectory and the file system; that without eDirectory the file system wouldn't be able to correlate the trustee rights to eDirectory objects (users, groups, etc...).
    For instance, I have an OES 11 server that does not use the NSS file system.
    I set it up as an NCP server and used the Migration utility to copy files from an NW6.5 server to its ext3 volume
    The trustee rights were retained for those files.
    I assumed that this was due to the eDirectory information.
    If trustee rights are contained in the file system, this becomes even more mysterious to me.
    I know for a fact that the data NSS volume on the crashed server had a LOT of trustee rights assignments; this group has a lot of programs that can't be allowed to see each others' data.
    Their IT person also backs up the same data, although with a different backup program.
    Restoration from his backup had the same result; no trustee rights.
    The crashed server still exists, although its SYS volume is corrupted.
    Both its SYS volume and its data volume reside on the same drive, which is mirrored within NetWare.
    My next thought was to mount those drives in another computer and see if the data volume remains un-corrupted.

  • Show Stopper today with eDirectory (LDAP)

    We are currently setting up Sun IDM 5.5 and are trying to do
    reconciliation with an eDirectory 8.6.2 (10350.29) but are experiencing
    severe performance issues. The directory contains groups with large scale
    membership base, some groups 25.000+ members.
    Same scenario occurs with Sun IDM 5.0 SP5.
    When isolating to a single OU as baseDN with 10 accounts, a full clean
    reconciliation takes 6-10 minutes. The network has thoroughly been
    debugged, and no errors or issues have been found. Manual browsing in the
    eDirectory with various ldap-tools without any issues. The total case
    involves a total of more than 30.000+ accounts.
    A test with identical user data in a Sun Directory Server 5.2 completes the reconciliation in approx. 2-3 seconds.
    The eDirectory LDAP RA adapter can be viewed below. Any insight, or similar experiences are of great value and importance! Anything that can help me get this on track...
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE Resource PUBLIC 'waveset.dtd' 'waveset.dtd'>
    <!--  MemberObjectGroups="#ID#Top" hostname="130.243.85.109" id="#ID#F77594225BD088E0:775121:1065E88DBC9:-7FE5" name="NDS" startupType="Disabled" supportedObjectTypes="Group|Domain|Organization|Organizational Unit" supportsContainerObjectTypes="true" supportsScanning="false" syncEnabled="false" syncSource="true" type="LDAP"-->
    <Resource id='#ID#F77594225BD088E0:775121:1065E88DBC9:-7FE5' name='NDS' creator='Configurator' createDate='1126879507899' lastModifier='Configurator' lastModDate='1126886340268' lastMod='19' class='com.waveset.adapter.LDAPResourceAdapter' typeString='LDAP' typeDisplayString='com.waveset.adapter.RAMessages:RESTYPE_LDAP' hasId='true' facets='provision' timeLastExamined='0' reconcileTime='0' syncSource='true' startupType='Disabled'>
      <ResourceAttributes>
        <ResourceAttribute name='host' displayName='com.waveset.adapter.RAMessages:RESATTR_HOST' description='RESATTR_HELP_240' value='130.243.85.109'>
        </ResourceAttribute>
        <ResourceAttribute name='port' displayName='com.waveset.adapter.RAMessages:RESATTR_PORT' description='RESATTR_HELP_264' value='389'>
        </ResourceAttribute>
        <ResourceAttribute name='ssl' displayName='com.waveset.adapter.RAMessages:RESATTR_SSL' description='RESATTR_HELP_281' value='0'>
        </ResourceAttribute>
        <ResourceAttribute name='principal' displayName='com.waveset.adapter.RAMessages:RESATTR_USERDN' description='RESATTR_HELP_271' value='cn=admin,ou=nds,ou=res,o=mdh'>
        </ResourceAttribute>
        <ResourceAttribute name='credentials' displayName='com.waveset.adapter.RAMessages:RESATTR_PASSWORD' type='encrypted' description='RESATTR_HELP_219' value='izkkkM1YJto='>
        </ResourceAttribute>
        <ResourceAttribute name='baseContext' displayName='com.waveset.adapter.RAMessages:RESATTR_BASE_CTXS' description='com.waveset.adapter.RAMessages:RESATTR_BASE_CTX_DESC' multi='true' value='ou=06,ou=STUDENT,ou=ANV,o=mdh'>
        </ResourceAttribute>
        <ResourceAttribute name='Object Class' displayName='com.waveset.adapter.RAMessages:RESATTR_OBJECT_CLASS' description='RESATTR_HELP_253' multi='true'>
          <value>top</value>
          <value>person</value>
          <value>organizationalPerson</value>
          <value>inetorgperson</value>
          <value>ndsLoginProperties</value>
        </ResourceAttribute>
        <ResourceAttribute name='ldapSearchFilter' displayName='com.waveset.adapter.RAMessages:RESATTR_LDAP_SEARCH_FILTER' description='com.waveset.adapter.RAMessages:RESATTR_HELP_LDAP_SEARCH_FILTER'>
        </ResourceAttribute>
        <ResourceAttribute name='includeObjClassesInSearchFilter' displayName='com.waveset.adapter.RAMessages:RESATTR_INCL_OBJCLASSES_IN_SEARCH_FILTER' type='boolean' description='com.waveset.adapter.RAMessages:RESATTR_HELP_INCL_OBJCLASSES_IN_SEARCH_FILTER' value='true'>
        </ResourceAttribute>
        <ResourceAttribute name='wsname' displayName='com.waveset.adapter.RAMessages:RESATTR_WSNAME' description='RESATTR_HELP_292' value='cn'>
        </ResourceAttribute>
        <ResourceAttribute name='Display Name Attribute' displayName='com.waveset.adapter.RAMessages:RESATTR_DISPLAY_NAME_ATTR' description='RESATTR_HELP_41'>
        </ResourceAttribute>
        <ResourceAttribute name='Use blocks' displayName='com.waveset.adapter.RAMessages:RESATTR_USE_BLOCKS' description='RESATTR_HELP_192' value='1'>
        </ResourceAttribute>
        <ResourceAttribute name='blockCount' displayName='com.waveset.adapter.RAMessages:RESATTR_BLOCKCOUNT' description='RESATTR_HELP_34' value='100'>
        </ResourceAttribute>
        <ResourceAttribute name='groupMemberAttr' displayName='com.waveset.adapter.RAMessages:RESATTR_GRP_MBR_ATTR' description='RESATTR_HELP_233' value='groupMembership'>
        </ResourceAttribute>
        <ResourceAttribute name='Password Hash Algorithm' displayName='com.waveset.adapter.RAMessages:RESATTR_PASSWORD_HASH_ALG' description='RESATTR_HELP_49'>
        </ResourceAttribute>
        <ResourceAttribute name='changeNamingAttr' displayName='com.waveset.adapter.RAMessages:RESATTR_MOD_NAMING_ATTR' description='RESATTR_HELP_47' value='0'>
        </ResourceAttribute>
        <ResourceAttribute name='Object Classes to Synchronize' displayName='com.waveset.adapter.RAMessages:RESATTR_ACTIVE_SYNC_OBJECT_CLASSES' description='com.waveset.adapter.RAMessages:RESATTR_HELP_ACTIVE_SYNC_OBJECT_CLASSES' multi='true' facets='activesync'>
          <value>person</value>
          <value>organizationalPerson</value>
          <value>inetorgperson</value>
        </ResourceAttribute>
        <ResourceAttribute name='LDAP Filter for Accounts to Synchronize' displayName='com.waveset.adapter.RAMessages:RESATTR_ACTIVE_SYNC_LDAP_FILTER' description='com.waveset.adapter.RAMessages:RESATTR_HELP_ACTIVE_SYNC_LDAP_FILTER' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='Attributes to synchronize' displayName='com.waveset.adapter.RAMessages:RESATTR_ATTRIBUTE_FILTER' description='com.waveset.adapter.RAMessages:RESATTR_HELP_ATTRIBUTE_FILTER' multi='true' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='When reset, ignore past changes' displayName='com.waveset.adapter.RAMessages:RESATTR_RESET_TO_TODAY' description='com.waveset.adapter.RAMessages:RESATTR_HELP_LDAPAS_RESET_TO_TODAY' facets='activesync' value='1'>
        </ResourceAttribute>
        <ResourceAttribute name='Change Log Blocksize' displayName='com.waveset.adapter.RAMessages:RESATTR_BLOCKSIZE' description='com.waveset.adapter.RAMessages:RESATTR_HELP_36' facets='activesync' value='100'>
        </ResourceAttribute>
        <ResourceAttribute name='Change Number Attribute Name' displayName='com.waveset.adapter.RAMessages:RESATTR_CHANGE_NUMBER_ATTRIBUTE_NAME' description='com.waveset.adapter.RAMessages:RESATTR_HELP_37' facets='activesync' value='changenumber'>
        </ResourceAttribute>
        <ResourceAttribute name='Filter Changes Made By' displayName='com.waveset.adapter.RAMessages:RESATTR_FILTER_CHANGES_BY' description='com.waveset.adapter.RAMessages:RESATTR_HELP_FILTER_CHANGES_BY' multi='true' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='Proxy Administrator' displayName='com.waveset.adapter.RAMessages:RESATTR_PROXY_ADMINISTRATOR' description='com.waveset.adapter.RAMessages:RESATTR_HELP_30' value='Configurator'>
        </ResourceAttribute>
        <ResourceAttribute name='Input Form' displayName='com.waveset.adapter.RAMessages:RESATTR_FORM' description='com.waveset.adapter.RAMessages:RESATTR_HELP_26'>
        </ResourceAttribute>
        <ResourceAttribute name='Pre-Poll Workflow' displayName='com.waveset.adapter.RAMessages:RESATTR_PREPOLL_WORKFLOW' description='com.waveset.adapter.RAMessages:RESATTR_PREPOLL_WORKFLOW_HELP'>
        </ResourceAttribute>
        <ResourceAttribute name='Post-Poll Workflow' displayName='com.waveset.adapter.RAMessages:RESATTR_POSTPOLL_WORKFLOW' description='com.waveset.adapter.RAMessages:RESATTR_POSTPOLL_WORKFLOW_HELP'>
        </ResourceAttribute>
        <ResourceAttribute name='Maximum Archives' displayName='com.waveset.adapter.RAMessages:RESATTR_MAX_ARCHIVES' description='com.waveset.adapter.RAMessages:RESATTR_HELP_MAX_ARCHIVES' value='3'>
        </ResourceAttribute>
        <ResourceAttribute name='Maximum Age Length' displayName='com.waveset.adapter.RAMessages:RESATTR_MAX_LOG_AGE' description='com.waveset.adapter.RAMessages:RESATTR_HELP_MAX_LOG_AGE'>
        </ResourceAttribute>
        <ResourceAttribute name='Maximum Age Unit' displayName='com.waveset.adapter.RAMessages:RESATTR_MAX_LOG_AGE_UNIT' description='com.waveset.adapter.RAMessages:RESATTR_HELP_MAX_LOG_AGE_UNIT'>
        </ResourceAttribute>
        <ResourceAttribute name='Log Level' displayName='com.waveset.adapter.RAMessages:RESATTR_LOG_LEVEL' description='com.waveset.adapter.RAMessages:RESATTR_HELP_27' value='2'>
        </ResourceAttribute>
        <ResourceAttribute name='Log File Path' displayName='com.waveset.adapter.RAMessages:RESATTR_LOG_PATH' description='com.waveset.adapter.RAMessages:RESATTR_HELP_28'>
        </ResourceAttribute>
        <ResourceAttribute name='Maximum Log File Size' displayName='com.waveset.adapter.RAMessages:RESATTR_LOG_SIZE' description='com.waveset.adapter.RAMessages:RESATTR_HELP_29'>
        </ResourceAttribute>
        <ResourceAttribute name='Scheduling Interval' displayName='com.waveset.adapter.RAMessages:RESATTR_SCHEDULE_INTERVAL' description='com.waveset.adapter.RAMessages:RESATTR_HELP_51'>
        </ResourceAttribute>
        <ResourceAttribute name='Poll Every' displayName='com.waveset.adapter.RAMessages:RESATTR_SCHEDULE_INTERVAL_COUNT' description='com.waveset.adapter.RAMessages:RESATTR_HELP_52'>
        </ResourceAttribute>
        <ResourceAttribute name='Polling Start Time' displayName='com.waveset.adapter.RAMessages:RESATTR_SCHEDULE_START_TIME' description='com.waveset.adapter.RAMessages:RESATTR_HELP_56'>
        </ResourceAttribute>
        <ResourceAttribute name='Polling Start Date' displayName='com.waveset.adapter.RAMessages:RESATTR_SCHEDULE_START_DATE' description='com.waveset.adapter.RAMessages:RESATTR_HELP_54'>
        </ResourceAttribute>
        <ResourceAttribute name='useInputForm' displayName='com.waveset.adapter.RAMessages:RESATTR_USE_INPUT_FORM' type='boolean' description='com.waveset.adapter.RAMessages:RESATTR_USE_INPUT_FORM_HELP' facets='activesync' value='true'>
        </ResourceAttribute>
        <ResourceAttribute name='parameterizedInputForm' displayName='com.waveset.adapter.RAMessages:RESATTR_PARAMETERIZED_INPUT_FORM' description='com.waveset.adapter.RAMessages:RESATTR_PARAMETERIZED_INPUT_FORM_HELP' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='activeSyncPostProcessForm' displayName='com.waveset.adapter.RAMessages:RESATTR_SYNC_POST_PROCESS_FORM' description='com.waveset.adapter.RAMessages:RESATTR_SYNC_POST_PROCESS_FORM_HELP' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='activeSyncConfigMode' displayName='com.waveset.adapter.RAMessages:RESATTR_SYNC_CONFIG_MODE' description='com.waveset.adapter.RAMessages:RESATTR_SYNC_CONFIG_MODE_HELP' facets='activesync' value='basic'>
        </ResourceAttribute>
        <ResourceAttribute name='processRule' displayName='com.waveset.adapter.RAMessages:RESATTR_PROCESS_RULE' description='com.waveset.adapter.RAMessages:RESATTR_PROCESS_RULE_HELP' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='correlationRule' displayName='com.waveset.adapter.RAMessages:RESATTR_CORRELATION_RULE' description='com.waveset.adapter.RAMessages:RESATTR_CORRELATION_RULE_HELP' facets='activesync' value='CORRELATION_RULE_NONE'>
        </ResourceAttribute>
        <ResourceAttribute name='confirmationRule' displayName='com.waveset.adapter.RAMessages:RESATTR_CONFIRMATION_RULE' description='com.waveset.adapter.RAMessages:RESATTR_CONFIRMATION_RULE_HELP' facets='activesync' value='CONFIRMATION_RULE_NONE'>
        </ResourceAttribute>
        <ResourceAttribute name='deleteRule' displayName='com.waveset.adapter.RAMessages:RESATTR_DELETE_RULE' description='com.waveset.adapter.RAMessages:RESATTR_DELETE_RULE_HELP' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='createUnmatched' displayName='com.waveset.adapter.RAMessages:RESATTR_CREATE_UNMATCHED' description='com.waveset.adapter.RAMessages:RESATTR_CREATE_UNMATCHED_HELP' facets='activesync' value='true'>
        </ResourceAttribute>
        <ResourceAttribute name='resolveProcessRule' displayName='com.waveset.adapter.RAMessages:RESATTR_RESOLVE_PROCESS_RULE' description='com.waveset.adapter.RAMessages:RESATTR_RESOLVE_PROCESS_RULE_HELP' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='populateGlobal' displayName='com.waveset.adapter.RAMessages:RESATTR_POPULATE_GLOBAL' description='com.waveset.adapter.RAMessages:RESATTR_POPULATE_GLOBAL_HELP' facets='activesync' value='false'>
        </ResourceAttribute>
      </ResourceAttributes>
      <AccountAttributeTypes nextId='15'>
        <AccountAttributeType id='2' name='accountId' syntax='string' mapName='cn' mapType='string' required='true'>
          <AttributeDefinitionRef>
            <ObjectRef type='AttributeDefinition' id='#ID#AttributeDefinition:accountId' name='accountId'/>
          </AttributeDefinitionRef>
        </AccountAttributeType>
        <AccountAttributeType id='3' name='password' syntax='encrypted' mapName='userPassword' mapType='string'>
          <AttributeDefinitionRef>
            <ObjectRef type='AttributeDefinition' id='#ID#AttributeDefinition:password' name='password'/>
          </AttributeDefinitionRef>
        </AccountAttributeType>
        <AccountAttributeType id='4' name='firstname' syntax='string' mapName='givenname' mapType='string'>
          <AttributeDefinitionRef>
            <ObjectRef type='AttributeDefinition' id='#ID#AttributeDefinition:firstname' name='firstname'/>
          </AttributeDefinitionRef>
        </AccountAttributeType>
        <AccountAttributeType id='5' name='lastname' syntax='string' mapName='sn' mapType='string' required='true'>
          <AttributeDefinitionRef>
            <ObjectRef type='AttributeDefinition' id='#ID#AttributeDefinition:lastname' name='lastname'/>
          </AttributeDefinitionRef>
        </AccountAttributeType>
        <AccountAttributeType id='8' name='loginDisabled' syntax='string' mapName='loginDisabled' mapType='string'>
        </AccountAttributeType>
        <AccountAttributeType id='9' name='fullname' syntax='string' mapName='fullname' mapType='string'>
        </AccountAttributeType>
        <AccountAttributeType id='10' name='email' syntax='string' mapName='mail' mapType='string'>
        </AccountAttributeType>
        <AccountAttributeType id='11' name='ssn' syntax='string' mapName='workforceId' mapType='string'>
        </AccountAttributeType>
        <AccountAttributeType id='12' name='description' syntax='string' mapName='description' mapType='string'>
        </AccountAttributeType>
      </AccountAttributeTypes>
      <Template>
        <text>cn=</text>
        <ObjectRef type='AttributeDefinition' id='#ID#AttributeDefinition:accountId' name='accountId'/>
        <text>,ou=06,ou=STUDENT,ou=ANV,o=mdh</text>
      </Template>
      <Retries max='0' delay='10' emailThreshold='5'/>
      <ObjectTypes>
        <ObjectType name='Group' nameKey='UI_RESOURCE_OBJECT_TYPE_GROUP' icon='group'>
          <ObjectClasses primary='groupOfUniqueNames' operator='OR'>
            <ObjectClass name='groupOfNames'/>
            <ObjectClass name='groupOfUniqueNames'/>
          </ObjectClasses>
          <ObjectFeatures>
            <ObjectFeature name='create'/>
            <ObjectFeature name='update'/>
            <ObjectFeature name='delete'/>
            <ObjectFeature name='rename'/>
            <ObjectFeature name='saveas'/>
          </ObjectFeatures>
          <ObjectAttributes idAttr='dn' displayNameAttr='cn' descriptionAttr='description' objectClassAttr='objectclass'>
            <ObjectAttribute name='cn' type='string'/>
            <ObjectAttribute name='description' type='string'/>
            <ObjectAttribute name='owner' type='distinguishedname' namingAttr='cn'/>
            <ObjectAttribute name='uniqueMember' type='distinguishedname' namingAttr='cn'/>
          </ObjectAttributes>
        </ObjectType>
        <ObjectType name='Domain' nameKey='UI_RESOURCE_OBJECT_TYPE_DOMAIN' icon='folder' container='true'>
          <ObjectClasses operator='AND'>
            <ObjectClass name='domain'/>
          </ObjectClasses>
          <ObjectFeatures>
            <ObjectFeature name='find'/>
          </ObjectFeatures>
          <ObjectAttributes idAttr='distinguishedName' displayNameAttr='dc' objectClassAttr='objectclass'>
            <ObjectAttribute name='dc' type='string'/>
          </ObjectAttributes>
        </ObjectType>
        <ObjectType name='Organization' nameKey='UI_RESOURCE_OBJECT_TYPE_ORGANIZATION' icon='folder_with_org' container='true'>
          <ObjectClasses operator='AND'>
            <ObjectClass name='organization'/>
          </ObjectClasses>
          <ObjectFeatures>
            <ObjectFeature name='create'/>
            <ObjectFeature name='delete'/>
            <ObjectFeature name='rename'/>
            <ObjectFeature name='saveas'/>
            <ObjectFeature name='find'/>
          </ObjectFeatures>
          <ObjectAttributes idAttr='dn' displayNameAttr='o' objectClassAttr='objectclass'>
            <ObjectAttribute name='o' type='string'/>
          </ObjectAttributes>
        </ObjectType>
        <ObjectType name='Organizational Unit' nameKey='UI_RESOURCE_OBJECT_TYPE_ORGANIZATIONALUNIT' icon='folder_with_orgunit' container='true'>
          <ObjectClasses operator='AND'>
            <ObjectClass name='organizationalUnit'/>
          </ObjectClasses>
          <ObjectFeatures>
            <ObjectFeature name='create'/>
            <ObjectFeature name='delete'/>
            <ObjectFeature name='rename'/>
            <ObjectFeature name='saveas'/>
            <ObjectFeature name='find'/>
          </ObjectFeatures>
          <ObjectAttributes idAttr='dn' displayNameAttr='ou' objectClassAttr='objectclass'>
            <ObjectAttribute name='ou' type='string'/>
          </ObjectAttributes>
        </ObjectType>
      </ObjectTypes>
        <LoginConfigEntry name='com.waveset.security.authn.WSResourceLoginModule' type='LDAP' displayName='com.waveset.adapter.RAMessages:RES_LOGIN_MOD_LDAP'>
          <AuthnProperties>
            <AuthnProperty name='ldap_uid' displayName='com.waveset.adapter.RAMessages:UI_USERID_LABEL' isId='true' formFieldType='text' dataSource='user'/>
            <AuthnProperty name='ldap_password' displayName='com.waveset.adapter.RAMessages:UI_PWD_LABEL' formFieldType='password' dataSource='user'/>
          </AuthnProperties>
          <SupportedApplications>
            <SupportedApplication name='Administrator Interface'/>
            <SupportedApplication name='User Interface'/>
          </SupportedApplications>
        </LoginConfigEntry>
        <ResourceUserForm>
          <ObjectRef type='UserForm' id='#ID#LDAP User Form'/>
        </ResourceUserForm>
      <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
      </MemberObjectGroups>
    </resource>

    A few questions... are you getting any errors on the LDAP side? Object class errors, perhaps?
    What app server are you using, and what version of Java?
    --Dana Reed

  • SG300-28 Firmware 1.1.2.0 and 1.2.7.76 - Dynamic VLAN+freeRADIUS - Client get rejected

    Hello ladies and gentlemen,
    I am using several SG300-28 switches with firmware version 1.1.2.0.
    I have dynamic VLAN enabled. As RADIUS server I am using freeradius 2.1.12.
    Authentication is based only on the MAC address (I configured that on the switches).
    On the switches I created three VLANs: VLAN100 for the authenticated clients, VLAN200 for the management interface and VLAN300 as guest VLAN. After a wrong authentication the clients should be put into this guest VLAN immediately (I configured this on the switches).
    I am using Windows XP and Windows 7 clients in my network. I did not configure any EAP settings because I just want to use the MAC address.
    In most cases the dynamic VLAN assignment and authentication is working fine. The switch log says that the client is authenticated, and I can see the same in the freeradius log. But in some (rare) cases the client is rejected. The Cisco log says "MAC aa:bb:cc:dd:ee:ff was rejected on port ge17", but when I look at the freeradius log, this MAC address was successfully authorized.
    The problem is that the client gets an IP address from the guest VLAN300, but after that the switch seems to "switch" the VLAN on the port; the client is then authenticated correctly on the right VLAN, but it does not request a new IP on the new VLAN.
    If I unplug and re-plug the LAN cable, in most cases the client gets the correct VLAN and the correct IP.
    This is happening randomly on nearly all my PCs.
    I would really appreciate your help. Do I have to set some timers higher? I don't think it is a problem between switch and RADIUS but a problem in the communication between the host and the switch.
    Thank you very much for your help!
    Regards
    Alexander Wilke

    This is from my Cisco log. The computer is always online, but there are repeated rejects and then, with a delay of some minutes, an accept.

    Index       Timestamp             Severity       Message
    2147483395  2012-Aug-09 21:40:05  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483396  2012-Aug-09 21:38:23  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483397  2012-Aug-09 21:38:23  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483398  2012-Aug-09 21:16:05  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483399  2012-Aug-09 21:13:42  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483400  2012-Aug-09 21:13:42  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483401  2012-Aug-09 21:04:04  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483402  2012-Aug-09 21:03:50  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483403  2012-Aug-09 21:03:50  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483404  2012-Aug-09 20:52:02  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483405  2012-Aug-09 20:49:02  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483406  2012-Aug-09 20:49:02  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483407  2012-Aug-09 20:40:04  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483408  2012-Aug-09 20:39:10  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483409  2012-Aug-09 20:39:10  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483410  2012-Aug-09 20:16:06  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483411  2012-Aug-09 20:14:29  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483412  2012-Aug-09 20:14:29  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483413  2012-Aug-09 19:28:01  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483414  2012-Aug-09 19:25:08  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483415  2012-Aug-09 19:25:08  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483416  2012-Aug-09 19:15:59  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483417  2012-Aug-09 19:15:16  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483418  2012-Aug-09 19:15:16  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483419  2012-Aug-09 19:04:00  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483420  2012-Aug-09 19:00:27  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483421  2012-Aug-09 19:00:27  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483422  2012-Aug-09 18:27:59  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483423  2012-Aug-09 18:25:55  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483424  2012-Aug-09 18:25:55  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized

    Any ideas?
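    The reject/authorize cycle in the log above is easier to reason about once it is measured rather than read entry by entry. The script below is an added example and is not code from the post, from Cisco or from FreeRADIUS. It regroups the switch's one-field-per-line export (index, timestamp, severity, message) into records, pairs each "MAC ... was rejected on port" event with the next "Port ... is Authorized" on the same port, and reports how long the port stayed unauthorized and how far apart the rejects are. The embedded sample records are copied from the posted log; all function names and the summary layout are the example's own. The script measures timing only; it does not tell you why the switch rejected the MAC.

```python
"""Correlate Cisco SG300 port-security log entries: reject -> authorize timing.

Added example (not from the original post).  Parses the four-line-per-record
export shown in the post, pairs rejects with the following authorize on the
same port, and summarises per (port, MAC) how often and how long it happens.
"""
import re
from collections import defaultdict
from datetime import datetime

# Sample records copied from the posted log, in the switch's export layout:
# index, timestamp, severity, message, one field per line, newest first.
SAMPLE_LOG = """\
2147483395
2012-Aug-09 21:40:05
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483396
2012-Aug-09 21:38:23
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483397
2012-Aug-09 21:38:23
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483398
2012-Aug-09 21:16:05
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483399
2012-Aug-09 21:13:42
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483400
2012-Aug-09 21:13:42
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483401
2012-Aug-09 21:04:04
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483402
2012-Aug-09 21:03:50
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483403
2012-Aug-09 21:03:50
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
"""

REJECT_RE = re.compile(r"%SEC-W-SUPPLICANTUNAUTHORIZED: MAC (\S+) was rejected on port (\S+)")
AUTHORIZED_RE = re.compile(r"%SEC-I-PORTAUTHORIZED: Port (\S+) is Authorized")


def parse_records(text):
    """Regroup the one-field-per-line export into records, oldest first.

    Returns a list of (index, timestamp, severity, message).  A truncated
    export raises instead of silently misaligning every later field.
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) % 4:
        raise ValueError("export is not a whole number of 4-line records")
    records = []
    for i in range(0, len(lines), 4):
        index, stamp, severity, message = lines[i:i + 4]
        records.append((int(index), datetime.strptime(stamp, "%Y-%b-%d %H:%M:%S"),
                        severity, message))
    # Same-second entries keep the switch's own order (higher index = earlier).
    records.sort(key=lambda r: (r[1], -r[0]))
    return records


def correlate(records):
    """Pair each rejected MAC with the next 'Port ... is Authorized' on that port."""
    pending = {}   # port -> (mac, time of reject)
    events = []
    for _, stamp, _, message in records:
        rej = REJECT_RE.search(message)
        if rej:
            mac, port = rej.groups()
            pending[port] = (mac, stamp)   # a newer reject supersedes an unpaired older one
            continue
        auth = AUTHORIZED_RE.search(message)
        if auth and auth.group(1) in pending:
            port = auth.group(1)
            mac, rejected = pending.pop(port)
            events.append({"port": port, "mac": mac, "rejected": rejected,
                           "authorized": stamp,
                           "delay_s": int((stamp - rejected).total_seconds())})
    return events


def summarize(events):
    """Per (port, MAC): number of reject->authorize cycles, worst delay, gaps between rejects."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["port"], e["mac"])].append(e)
    summary = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["rejected"])
        gaps = [int((b["rejected"] - a["rejected"]).total_seconds())
                for a, b in zip(evs, evs[1:])]
        summary[key] = {"cycles": len(evs),
                        "max_delay_s": max(e["delay_s"] for e in evs),
                        "reject_gaps_s": gaps}
    return summary


if __name__ == "__main__":
    events = correlate(parse_records(SAMPLE_LOG))
    for e in events:
        print(f"{e['port']} {e['mac']} rejected {e['rejected']:%H:%M:%S}, "
              f"authorized {e['authorized']:%H:%M:%S} after {e['delay_s']}s")
    for (port, mac), s in summarize(events).items():
        print(f"{port} {mac}: {s['cycles']} cycles, max delay {s['max_delay_s']}s, "
              f"seconds between rejects {s['reject_gaps_s']}")
```

    Two numbers come out of this: how long the port sits unauthorized before the switch accepts the MAC again (seconds to a few minutes in the sample) and how far apart the rejects are (around ten to twenty-five minutes). Those are the values to hold against the switch's reauthentication and quiet-period timers the post asks about, and the first one is the window in which the client can obtain a guest-VLAN lease it will not renew on its own.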

  • Exchange Server 2013 with a RADIUS server (freeRADIUS).

    Hello,
    I am a student doing an internship. I have to test Microsoft Exchange Server 2013.
    I am using Windows Server 2012; I already installed Exchange Server 2013 on it and everything works as intended.
    But I couldn't find out how to configure my Windows Server 2012 to authenticate my Exchange Server 2013 mailbox users with a RADIUS server that is not on my Windows Server 2012. I have to use their RADIUS server (freeRADIUS), the RADIUS server of the company where I am doing my internship.
    I already created an NPS and added the RADIUS Client + Remote RADIUS Server Groups. I created a Connection Request Policy with the condition:
    User Name *
    I forwarded the Connection Request to the Remote RADIUS server that I created in Remote RADIUS Server Groups and then I registered the NPS in the AD. But it's still not working.
    Maybe I did something wrong or misunderstood something, or does this even work with Exchange Server 2013? To authenticate mailbox users with a RADIUS server before they can log in to their mailbox and use it?
    Thanks in advance.

    Hi,
    I suggest we refer to the following article to double-check that the Network Policy Server is registered properly.
    http://technet.microsoft.com/library/cc732912.aspx
    Thanks,
    Simon Wu
    TechNet Community Support
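    Whether Exchange itself can be put behind RADIUS is not settled in this thread, but the NPS leg that was configured (RADIUS client, Remote RADIUS Server Group, Connection Request Policy forwarding User Name *) can be tested on its own with a raw RADIUS request, which tells you whether NPS forwards to the company's FreeRADIUS and what comes back. The following is an added example, not code from the post, from Microsoft NPS or from FreeRADIUS. It builds an RFC 2865 PAP Access-Request the way any RADIUS client does, hides the password with the shared secret, and validates the Response Authenticator of the reply so that a reply forged by a third party, or one computed under a different secret, is not mistaken for an Access-Accept. The host address, shared secret, NAS-Identifier and test credentials are placeholders; the secret is the one NPS holds for this client, not the one NPS uses towards FreeRADIUS.

```python
"""RFC 2865 PAP Access-Request and reply verification, as a raw RADIUS client.

Added example, not from the post, NPS or FreeRADIUS.  Use it to probe the NPS
address (or FreeRADIUS directly) and tell a verified Access-Accept/Reject apart
from a timeout or a reply under the wrong shared secret.  Host, secret and
credentials below are placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: null-pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret, authenticator, hidden):
    """Server-side inverse of hide_password; trailing nulls are padding and are dropped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(secret, username, password, ident=0, authenticator=None,
                         nas_id=b"exchange-test"):
    """Access-Request with User-Name, hidden User-Password and NAS-Identifier.

    Returns (packet, request_authenticator).  A fresh random Request
    Authenticator is generated unless one is passed in (only do that in tests).
    """
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    return _packet(ACCESS_REQUEST, ident, authenticator, attrs), authenticator


def response_authenticator(secret, code, ident, request_authenticator, attrs):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_reply(secret, code, ident, request_authenticator, attrs=b""):
    """What a correct server sends back; used here to exercise verify_reply offline."""
    auth = response_authenticator(secret, code, ident, request_authenticator, attrs)
    return _packet(code, ident, auth, attrs)


def verify_reply(secret, request_authenticator, ident, reply):
    """Return the reply Code only if ID, Length and Response Authenticator check out, else None."""
    if len(reply) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return None
    expected = response_authenticator(secret, code, ident, request_authenticator, reply[20:])
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def send_and_check(host, secret, username, password, port=1812, timeout=3.0):
    """Live probe: returns 2 (Accept), 3 (Reject) or None for a timeout/unverifiable reply."""
    ident = os.urandom(1)[0]
    packet, request_auth = build_access_request(secret, username, password, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_reply(secret, request_auth, ident, reply)


if __name__ == "__main__":
    # Placeholders: NPS address, the shared secret NPS has for this client, a test user.
    print(send_and_check("192.0.2.10", b"changeme", b"testuser", b"testpass"))
```

    A None from send_and_check with packets visible on the wire usually means NPS has no RADIUS client entry for the probing host or the secret differs (RADIUS silently discards such requests), which is easy to confuse with the forward to FreeRADIUS failing; the NPS and FreeRADIUS logs separate the two. Keep in mind that the MD5 constructions above are all RADIUS offers: the Response Authenticator proves the reply came from a holder of the shared secret, but a network observer can still replay requests or run an offline dictionary attack against a weak secret, so the client-to-NPS and NPS-to-FreeRADIUS legs belong on a trusted segment.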
