GPO order in Active Directory
Hello,
I know the order in which the group policies get applied depends on their placing within the Active Directory structure, following
the LSDO order (Local, Site, Domain, Organisational Unit).
But for the GPOs which are at the same level what is the order? Same Active Directory settings, only the content changes:
e.g.: Antivirus exclusion in GPO1 contains Exclusion of File A only.
Antivirus exclusion in GPO2 contains Exclusion for File B only.
They are applied to the same set of of servers from FCS (Forefront Client Security), GPO1 was created in 2012, GPO2 in 2013... through a Group of Servers.
Thanks,
Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
Thanks Chris,
Next how the Link Order Number are distributed?
I sent one GPO on October 2012 and another one on December 2013 which one will get the lower Link Order Number?
Is it possible to reorder them more appropriately against the target of what should be done?
Thanks,
Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
Similar Messages
-
Active Directory logins from Windows to Final Cut Server
While I did manage to solve my main problem with Integrating AD with Final Cut Server at this one site.... It turns out that there a typo in the kerberos config file. Ooops. Now logins in from Mac OS using AD credentials works well. Unfortunately, I am still seeing some minor issues, like certain groups in AD not being able to login, and for some reason the Windows users can't login (only the Macs using AD credentials). Any seeing anything like this? Of course I enabled certain groups in Final Cut Server pref pane to match certain AD groups, but in the end only the BuiltIn groups worked, not the Domain Users, Domain Admin groups. Strange. And not sure why Windows users can't login. Same domain. Fun times.
It seems like I read the inital Kb article wrong. The Windows clients get the krb5.ini file, not the Domain Controller. LOL. Thanks to drew for pointing that out to me.
http://support.apple.com/kb/HT3688
In order for Active Directory bound Windows Final Cut Server client systems to successfully authenticate to Final Cut Server, you must create a custom Kerberos configuration file on the Windows client system. -
Active directory SYSVOL replication issues
Hello.
I have 2 domain controllers, both of them on the same site DC1 & DC2. I have added a new site with a DC3. When I have added DC3 to the domain, I have realized, SYSVOL was not initialized correctly. I went back to DC1 and found out, there's following
error in the event viewer:
Error: 4012 on DC1
The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter
(60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
Error: 2213 on DC2
The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication
WMI method to resume replication.
This indicates a DFS replication issue between DC1 & DC2 and probably this would be the reason, why the SYSVOL was not properly initialized on DC3.
How can I restore correct DFS replication between DC1 & DC2? I've read
this article, but it's not clear to me, which of the 2 domain controllers has a good version of SYSVOL + I can not find a decent step-by-step article for reconnecting Windows 2012 domain controller.
Any idea, how I can proceed further here?Here's a complete documentation with resolution of my issue. I have created this documentation for my own purposes in our WIKI, so I will paste it here (I hope, it will help somebody else in the future):
The Problem
We have bought a new server for our domain. This server (NEWDC01) was promoted to be a domain
controller in the DOMAIN. After the promotion, I have added a single computer to the domain. When I have logged on the client to the domain, I realized, this computer is not using the new domain controller (NEWDC01)
for authentication, but DC02 domain controller instead. This is not intended. Local clients should use local domain controllers for authentication (assuming, the Active directory sites & services are configured properly). Further investigation revealed,
there are some replication errors on OLDDC01 & OLDDC02 servers. First I need to solve these replication errors. Then I can
add the NEWDC01 server to domain properly.
Analysis
There are several errors related to DFSR replication on both domain controllers:
Error: 4012 on OLDDC01
The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain.
This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder
until this error is corrected.
Error: 2213 on OLDDC02
The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database
is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
In order to have active directory in a healthy condition, one must ensure, there’s a successful
replication between existing domain controllers up and running. If the replication does not work correctly, you can expect bunch of issues.
group policies and logon scripts are not applied correctly, or as intended
when you want to add a new domain controller to the domain, it will not work as expected (although, you will not see any specific errors after the
server is promoted to be a domain controller)
Active directory backup
I have scheduled an AD backup on OLDDC01 server using the ‘Windows Backup’ solution to make sure,
I can restore the AD / SYSVOL, in case something goes wrong. The backup is scheduled to be executed every day.
Active directory restore
In this particular case, I will talk only about SYSVOL restore. As indicated above, we must get
rid of the DFSR event viewer errors which you can find in event viewer. One of them is indicating, that the JET database was not shut down cleanly and autorecovery was disabled. The other error indicates, the SYSVOL volume is no longer replicated. I am not
sure, what is the reason, why the AD’s in the domain stopped to replicate. Probably it was an unclean server shutdown. The DFSR service stopped to replicate the SYSVOL share and I was not aware about that. When the replication did not run for more than ~99
days, the SYSVOL share was excluded from the DFSR replications.
Find out the most accurate SYSVOL share in the domain
I have compared the content of the SYSVOL directories on both OLDDC01 and OLDDC02 servers: C:\Windows\SYSVOL\domain\Policies.
Both directories have 37 subdirectories. Each subdirectory corresponds to one group policy. This means, that the content is approximately the same, thus I can’t tell, which version is most recent. I do most of the GPO changes on OLDDC01, so I made a conclusion,
that this server contains the most recent version of the SYSVOL share.
There are 2 types of SYSVOL restores, you can do:
Authoritative restore
Non-authoritative restore
Non-authoritative restore
This is a more simple kind of a restore. You can perform this kind of restore, when you are sure,
that one of the domain controllers is authoritative (e.g. you presume, the SYSVOL share is intact and working properly). If you can identify such a working server, you can perform non-authoritative restore of the active directory on a broken domain controller.
Authoritative restore
In this case, you can designate a specific domain controller to be authoritative. You set a special
flag on this server, which will prohibit to overwrite it’s state from another domain controllers, when the replication is enabled on the server again. After you designate one server to be authoritative, you need to update all the another domain controllers
using the non-authoritative procedure.
In this article, you can find, how to perform authoritative vs. non authoritative AD resotre:
http://support.microsoft.com/kb/2218556.
In my case, I was not sure, which of the domain controllers had a more recent copy of AD, so I
have decided to make OLDDC01 authoritative (check the link above). Once this has been done, I have made a non-authoritative update on OLDDC02 server.
Everything was almost ready. The last step, I needed to execute was, I needed to fix the ‘JET’
event viewer error on SRVBK1. In the event log entry on the bottom, you can find following:
Recovery Steps
1. Back up the files in all replicated folders on the volume. Failure to do
so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
2. To resume the replication for this volume, use the WMI method ResumeReplication
of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig
where volumeGuid="D37A9FC3-8B1D-11E2-93E8-806E6F6E6963" call ResumeReplication
For more information, see http://support.microsoft.com/kb/2663685.
Final words
After I have executed this command, the replication was again started between OLDDC01 and OLDDC02
servers. After I have started up the NEWDC01 server, I have realized, it has automatically replicated the contents of the SYSVOL share - almost immediately after the server was started up. I have again tried to login with the local client into DOMAIN domain
and now I see, that local client is using local Domain controller for authentication.
Everything seems to be OK now. -
Query Active Directory + Problem with thumbnailPhoto
Hi<o:p></o:p>
I have a problem and I don’t know if it is my SQL Query, so here goes
<o:p></o:p>
I have a view on my SQL server that Queries our Active Directory. I can see that there is data in the table.<o:p></o:p>
But when I try to use the Image in some C# code I get an error on 60% of the images with the exception header missing or corrupted.
My view is built with this Query:
select
* from
openquery
ADSI,'SELECT sAMAccountName, mail, title, displayName, telephoneNumber, mobile, sn, givenName, department, thumbnailPhoto
FROM ''LDAP:[REMOVED]''
WHERE objectCategory = ''Person''
Do you have any idea where the problem is? The photos shows up fine in Outlook, SharePoint, lync etc. I’m pretty sure that the C# code works correctly. Hope you can help.
Regards
If only I had time to learn everything I wanted ...Hi Latheesh
I've tried with this script:
SELECT ISNULL(ROW_NUMBER() OVER ( ORDER BY department ), -999) 'id' ,
CONVERT(NVARCHAR(25), givenName) AS Fornavn ,
CONVERT (NVARCHAR(50), sn) AS Efternavn ,
CONVERT(CHAR(5), UPPER(SUBSTRING(mail, CHARINDEX(mail, N'@'),
CHARINDEX(N'@', mail)))) AS 'initialer' ,
CONVERT(NVARCHAR(255), mail) AS Mail ,
CONVERT(NVARCHAR(75), title) AS Stilling ,
CONVERT(NVARCHAR(120), department) AS Afdeling ,
CONVERT(NVARCHAR(13), telephoneNumber) AS Fastnet ,
CONVERT(NVARCHAR(13), mobile) AS Mobil ,
CASE WHEN userAccountControl = 2 THEN 'Account is Disabled'
WHEN userAccountControl = 16 THEN 'Account Locked Out'
WHEN userAccountControl = 17
THEN CONVERT (VARCHAR(48), 'Entered Bad Password')
WHEN userAccountControl = 32
THEN CONVERT (VARCHAR(48), 'No Password is Required')
WHEN userAccountControl = 64
THEN CONVERT (VARCHAR(48), 'Password CANNOT Change')
WHEN userAccountControl = 512 THEN 'Normal'
WHEN userAccountControl = 514 THEN 'Disabled Account'
WHEN userAccountControl = 544
THEN 'Account Enabled - Require user to change password at first logon'
WHEN userAccountControl = 8192
THEN 'Server Trusted Account for Delegation'
WHEN userAccountControl = 524288
THEN 'Trusted Account for Delegation'
WHEN userAccountControl = 590336
THEN 'Enabled, User Cannot Change Password, Password Never Expires'
WHEN userAccountControl = 65536
THEN CONVERT (VARCHAR(48), 'Account will Never Expire')
WHEN userAccountControl = 66048
THEN 'Enabled and Does NOT expire Paswword'
WHEN userAccountControl = 66050
THEN 'Normal Account, Password will not expire and Currently Disabled'
WHEN userAccountControl = 66064
THEN 'Account Enabled, Password does not expire, currently Locked out'
WHEN userAccountControl = 8388608
THEN CONVERT (VARCHAR(48), 'Password has Expired')
ELSE CONVERT (VARCHAR(248), userAccountControl)
END AS 'Disabled' ,
CONVERT(NVARCHAR(75), givenName + ' ' + sn) AS 'DisplayName' ,
CONVERT (VARBINARY(MAX), thumbnailPhoto) AS 'Photo'
INTO ##adTemptable
FROM openquery
ADSI,'SELECT sAMAccountName, mail, title, displayName, telephoneNumber, mobile, sn, givenName, department, thumbnailPhoto,userAccountControl
FROM ''[REMOVED]''
WHERE objectCategory = ''Person''
WHERE department IS NOT NULL
But i still gets the same error on MANY rows
OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 6846 and truncated data length is 4000.
OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 7006 and truncated data length is 4000.
OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 6496 and truncated data length is 4000.
If only I had time to learn everything I wanted ... -
Sharepoint 2013 - Active Directory Import User Profile Property manager fields
Hi there,
I juste encountered actually a little issue regarding the Active Directory Import User Profil.
Importation seems to work well but I have a little problem regarding the Manager field.
When I verify a user profil through the sharepoint admin page ("Manage user profil") , I can see the manager field is correctly populated, but if I want to check my profil as a user (personal information), the manager field is not visible.
With Sharepoint Admin and Manage Profil Properties, I haven't the possibility to modify some settings for the manager.
For example, Policy parameters is greyed.
The only way I found to show this field in a user profil is to give the permission "allow users to Edit values ...".... setting I don't want to set.
Have you already this sort of issue ?
Thanks for your help/idea.Hi Michael,
I don't remember well what I did exactly regarding this issue because I played a lot with user profil.
I know I used this powershell script from Sheyia which in fact help me a lot to clean and create a good profil setting.
http://blogs.technet.com/b/sheyia/archive/2013/10/09/sharepoint-2013-another-way-to-change-order-for-user-profile-properties-via-powershell.aspx
For example, this script help me to resolve some double entries.
Let-me know if it help you (or not of course) -
Project Server 2010 - Active Directory Enterprise Resource Pool Synchronization limitations
Greetings again.
I have a quick question about the limitations of Active Directory Enterprise Resource Pool Synchronization. Specifically, what has your experience
been with extremely large numbers of users (10k plus). Is anyone aware of a
practical limit of users in your AD group you would recommend when using the
Schedule Synchronization feature on a nightly or weekly basis?
There is a caveat to this question however. The client has decided (perhaps for some misinformed reasons) to allow access for every user, to every
project site, within their PWA environment. They’ve selected the View Project Site option within the
Categories for the Team Members PWA Group for which 90% of their intended users reside. So when we ran a couple test syncs in DEV with a smaller AD group of about 8,000 users, the sync understandably
lasted upwards of 18 hours. Obviously unacceptable for a PROD environment on a nightly basis and not necessarily ideal for a weekly sync either.
Experience in addition to documents like these, “Best
practices for managing a large number of resources in Project Server 2010” tell me that we are way over the practical limit of a scheduled resource pool synchronization...IF
the client really desires that all users access all their sites. But before I submit my recommendations, I wanted to check with the community just in case others may have found a way to synchronize large numbers of users (10k plus) on a nightly or weekly
basis, within a reasonable time frame AND allowed all users to access all sites within PWA.
What do you think?
As always, thanks for your help.
Chris Addis - MCTSHello Hrishi.
My delayed response has been due to a large amount of testing we have been performing on this particular topic. Here is an update, please feel free to provide feedback.
We went back to testing and spent more time reviewing the documents:
Best practices for managing a large number of resources in Project Server 2010 and
SharePoint Server 2010 capacity management: Software boundaries and limits. Our team interpreted those documents as saying, 1,000 security
scopes per site is a recommended limit. It does not say it’s a hard limit, just a recommended limit. “When the recommended unique security scope boundaries are exceeded, performance issue can occur.”
So we decided to perform some tests (31 in total) to try and get a gage of what we are seeing.
We needed to establish a baseline first. So we performed a series of 23 Active Directory Resource Pool Synchronizations with various settings in a clean, Out of the Box, environment in order to see some consistent numbers. Here is it’s summary:
Our AD group of 8,000 users took about 32 minutes, on average, every time to sync. The difference between the first sync and last sync differed only by 1-3 minutes.
Adding 40 project sites increased the average sync time from 32 to 120 minutes.
Adding 100 users to each of those 40 project sites, did not increase the sync times.
One setting (identified at this time) reduced the synchronization time. It was the
Project Site Permissions check box found within the Project Web App > Server Settings > Project Site Provisioning Settings area. By deselecting this check box we reduced or synchronization time back to the 32 minute
average.
The View Project Site check box within the Project Web App > Server Settings > Manage Groups > Team Members group had no apparent effect on the sync times besides what we had gleaned from the Microsoft documentation.
Naturally, this left us with a problem. As I’m sure you know, by deselecting the check box (Project Site Permissions), our project sites are now (figuratively speaking) orphans with no connection to the parent site. This generates
a new set of issues. For example:
Newly created project sites cannot be accessed by the owner and team members. They will require someone like the farm admin to come in behind them and add the intended users to the project site along with their required permissions.
All current and futures sites will no longer have users added via the standard method of building a team and publishing the project, but will have to be added manually.
You can use the Synchronize option found within Project Web App > Server Settings > Project Sites page, but that kinda defeats the purpose. It would require constant updating on a per site basis to keep up with
PM changes. Not very sensible, but it does work.
With this baseline information, we moved our tests into our DEV environment which somewhat mimics our PROD environment. This environment has 352 project sites and we performed 8 tests. This is where we had some large sync time numbers.
Here is the DEV test summary:
With the Project Site Permissions check box cleared, our AD group of 8,000 users took on average 30 minutes to sync. This was in line with our baseline times. With the exception of one test sync that took 99 minutes to complete.
That anomaly is acquiescent with what I’ve seen over the years. Sometimes syncs do some unusual things.
With the Project Site Permissions check box selected, our AD group of 8,000 users took on average 690 minutes (11.5 hours) to sync. Unacceptable of course.
So here’s what we’ve learned when dealing with extremely large numbers of active directory users in your Resource Pool sync:
We did not see a decrease in subsequent sync times after the initial Active Directory Resource Pool Synchronization as some might expect.
Our attempt to decrease sync time via the option of removing the View Project Sites was not successful. (Unless we interpreted Microsoft's document incorrectly.)
However, our interpretation of the recommended software boundaries and limits of SharePoint Server 2010 as it pertains to security scopes per site at 1,000, appears to be correct.
Using the option of clearing the Project Site Permissions does produce a reduction in AD sync time, but at a cost segregating your project sites and thus the creation of new processes of maintaining them.
I’ll remind others that these results are particular to our environments, there may still be exceptions yet to discover. Others may see numbers contrary to ours.
The biggest surprise to some members on our team (myself excluded) was that we did not see a reduced sync time after any of our initial syncs. Some are under the impression that after your initial sync, you should see reduced sync times. I haven’t
found that to be the absolute case in all situations, just in some situations. The reason for this still eludes me. Any thoughts would be appreciated.
I’ll let this sit a bit longer, but if no one disagrees with the results, I think we have our answer:
The number of project sites directly affects your Active Directory Resource Pool Synchronizations if you are using the
Project Site Permissions option. If you plan on synchronizing over 1,000 users
and you have a large number of project sites, proceed with the knowledge that you may have performance issues and long sync times.
As always, I’d love to hear from you or others just in case I’m missing something.
Chris Addis - MCTS -
Authentication Plug-ins for active directory Multiple Domains(oidspad2.sh)
hi ,
i have use note 294791.1 from metalink to try link to active directory i have 2 one is staff and another is student
i first ran oidspadi.sh to create plugin for staff it works then i edit the 2 script to oidspad2.pls and oidspad2.sh with the require changes inside the files then i ran it it work but now the problem is the first ad now cant work this is my changes below
FOR oidspad2.pls
Rem
Rem $Header: oidspada.pls 02-aug-2004.04:45:11 saroy Exp $
Rem
Rem oidspads.pls
Rem
Rem Copyright (c) 2002, 2004, Oracle. All rights reserved.
Rem
Rem NAME
Rem oidspada.pls - 9.0.4 OID Password Active Directory
Rem External Authentication Plug-in
Rem
Rem
Rem NOTES
Rem <other useful comments, qualifications, etc.>
Rem
Rem MODIFIED (MM/DD/YY)
Rem saroy 08/02/04 - Fix for bug 3807482
Rem qdinh 01/27/04 - bug 3374115
Rem dlin 01/08/04 - pingan perf
Rem dlin 08/22/03 - 3111770 bug fix
Rem dlin 08/27/03 - change the way to get name
Rem dlin 08/13/03 - bug 2962082 fix
Rem dlin 02/21/03 - plug-in install changes
Rem dlin 02/13/03 - dlin_bug-2625027
Rem dlin 02/05/03 - fix ssl & failover
Rem dlin 01/31/03 - dlin_adextauth1
Rem dlin 01/30/03 - Created
Rem
SET echo off;
SET serveroutput off;
SET feedback off;
SET verify off;
CREATE OR REPLACE PACKAGE OIDADPSW2 AS
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
AD_HANDLE DBMS_LDAP.session DEFAULT NULL;
END OIDADPSW2;
SHOW ERROR
CREATE OR REPLACE PACKAGE BODY OIDADPSW2 AS
SUBTYPE LDAP_SESSION IS RAW(32);
SUBTYPE LDAP_MESSAGE IS RAW(32);
SUBTYPE LDAP_BER_ELEMENT IS RAW(32);
SUBTYPE ATTRLIST IS DBMS_LDAP.STRING_COLLECTION;
SUBTYPE MOD_ARRAY IS RAW(32);
SUBTYPE BERLIST IS DBMS_LDAP.BERVAL_COLLECTION;
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_bind_replace()');
DBMS_LDAP.USE_EXCEPTION := FALSE;
result := 49;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := 1;
plg_debug('Can not get ADUserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_bind_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_bind_replace() ===');
RETURN;
END IF;
plg_debug( 'Go to AD for authentication');
-- externally authenticate user
IF ('&1' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&2', &3);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
-- Should free the old session if retry logic kept failing
-- to cause the number of outstanding sessions exceeding the
-- limit session number
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&4', &5);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
-- SSL bind
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&6', &7);
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&8', '&9', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM
-- or LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&10', &11);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&12', '&13', 2);
IF (retval != 0) THEN
plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
-- for failover to connect to the secondary server
IF ('&14' = 'y' AND retval != 0) THEN
IF ('&15' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&16', &17);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&18', &19);
plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'retry simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&20', &21);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&22', '&23', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&24', &25);
plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&26', '&27', 2);
IF (retval != 0) THEN
plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
END IF;
IF (retval = 0) THEN
result := 0;
plg_debug('AD auth return TRUE');
ELSE
result := retval;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_bind_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
OIDADPSW2.AD_HANDLE := NULL;
plg_debug( ' exception unbind_res returns ' || TO_CHAR(retval));
errormsg := 'Exception: when_bind_replace plugin';
plg_debug( 'Exception in when_bind_replace(). Error code is ' ||
TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
END;
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_compare_replace()');
result := DBMS_LDAP.COMPARE_FALSE;
DBMS_LDAP.USE_EXCEPTION := FALSE;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('Can not get ADuserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_compare_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_compare_replace() ===');
RETURN;
END IF;
-- externally authenticate user
IF ('&28' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&29', &30);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&31', &32);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&33', &34);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&35', '&36', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&37', &38);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&39', '&40', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
-- for failover to connect to the secondary AD
IF ('&41' = 'y' AND retval != 0) THEN
IF ('&42' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&43', &44);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&45', &46);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&47', &48);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&49', '&50', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&51', &52);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&53', '&54', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
END IF;
IF (retval = 0) THEN
result := DBMS_LDAP.COMPARE_TRUE;
plg_debug('AD auth return TRUE');
ELSE
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_compare_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
errormsg := 'Exception: when_compare_replace plugin';
plg_debug( 'Exception in when_compare_replace(). Error code is ' ||
TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
OIDADPSW2.AD_HANDLE := NULL;
END;
END OIDADPSW2;
SHOW ERRORS
EXIT;
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
FOR oidspadi.sh
#!/bin/sh
# $Header: oidspadi.sh 13-may-2005.13:48:51 saroy Exp $
# oidspadi.sh
# Copyright (c) 2002, 2005, Oracle. All rights reserved.
# NAME
# oidspadi.sh - AD external authentication plug-in install
# DESCRIPTION
# <short description of component this file declares/defines>
# NOTES
# <other useful comments, qualifications, etc.>
# MODIFIED (MM/DD/YY)
# saroy 05/13/05 - Fix for bug 4233817
# saroy 02/18/05 - Fix for bug 4054414
# saroy 11/02/04 - Fix for bug 3980370
# qdinh 01/19/04 - bug 3374115
# dlin 07/10/03 - turn off debug
# dlin 02/21/03 - plug-in install changes
# dlin 02/13/03 - dlin_bug-2625027
# dlin 07/22/02 - Creation
ADHOST="A"
ADPORT="1"
ADSSLPORT="1"
WALLETLOC="A"
WALLETPWD="A"
WALLETPWD2="A"
CONNECT="A"
ODSPWD="A"
ODSPWD2="A"
OIDHOST="A"
OIDPORT="1"
ORCLADMINPWD="A"
ORCLADMINPWD2="A"
PRGDN="A"
SCUSB="A"
EP="A"
ISSSL="n"
ISFAILOVER="n"
ISFAILOVERSSL="n"
SECADHOST="A"
SECADPORT="1"
SECADSSLPORT="1"
SECWALLETLOC="A"
SECWALLETPWD="A"
SECWALLETPWD2="A"
clear
echo "---------------------------------------------"
echo " OID Active Directory Plug-in Configuration"
echo "---------------------------------------------"
echo " "
echo "Please make sure Database and OID are up and running."
echo " "
LDAP_DIR=${ORACLE_HOME}/ldap
LDAP_LOG=${LDAP_DIR}/log
## ORACLE_HOME
if [ -z $ORACLE_HOME ] ; then
echo " ORACLE_HOME must be set for this installation script"
exit 0
fi
# gather required information
if [ ${ADHOST} = "A" ] ; then
printf "Please enter Active Directory host name: "
read ADHOST
fi
## active directory host name is required
if [ "${ADHOST}" = "" ]
then
echo "Active Directory host name is required";
exit 1;
fi
printf "Do you want to use SSL to connect to Active Directory? (y/n) "
read ISSSL
if [ "${ISSSL}" = "n" ]
then
if [ ${ADPORT} = "1" ] ; then
printf "Please enter Active Directory port number [389]: "
read ADPORT
if [ "${ADPORT}" = "" ]
then
ADPORT="389"
fi
fi
fi
if [ "${ISSSL}" = "y" ]
then
if [ ${ADSSLPORT} = "1" ] ; then
printf "Please enter Active Directory SSL port number [636]: "
read ADSSLPORT
if [ "${ADSSLPORT}" = "" ]
then
ADSSLPORT="636"
fi
fi
if [ ${WALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read WALLETLOC
fi
## wallet location is required
if [ "${WALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${WALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read WALLETPWD ; stty echo ; echo
fi
if [ "${WALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${WALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read WALLETPWD2 ; stty echo ; echo
fi
if [ "${WALLETPWD}" != "${WALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
if [ ${CONNECT} = "A" ] ; then
echo " "
printf "Please enter DB connect string: "
read CONNECT
fi
if [ ${ODSPWD} = "A" ] ; then
printf "Please enter ODS password: "
stty -echo ; read ODSPWD ; stty echo ; echo
fi
## password is required
if [ "${ODSPWD}" = "" ]
then
echo "ODS password is required";
exit 1;
fi
if [ ${ODSPWD2} = "A" ] ; then
printf "Please enter confirmed ODS password: "
stty -echo ; read ODSPWD2 ; stty echo ; echo
fi
if [ "${ODSPWD}" != "${ODSPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
if [ "${CONNECT}" = "" ]
then
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD} "
else
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD}@${CONNECT} "
fi
# Check if ODS password and connect string is correct
${ORACLE_HOME}/bin/sqlplus -L ods/${ODSPWD}@${CONNECT} << END 1>/dev/null 2>/dev/null
exit;
END
if [ $? -ne 0 ]; then
echo "Incorrect connect string or ODS password specified"
exit 1;
fi
if [ ${OIDHOST} = "A" ] ; then
echo " "
printf "Please enter OID host name: "
read OIDHOST
fi
## oid host is required
if [ "${OIDHOST}" = "" ]
then
echo "OID host name is required";
exit 1;
fi
if [ ${OIDPORT} = "1" ] ; then
printf "Please enter OID port number [389]: "
read OIDPORT
if [ "${OIDPORT}" = "" ]
then
OIDPORT="389"
fi
fi
# Check if OID host and port is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect OID host or port specified"
exit 1;
fi
if [ ${ORCLADMINPWD} = "A" ] ; then
printf "Please enter orcladmin password: "
stty -echo ; read ORCLADMINPWD ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" = "" ]
then
echo "orcladmin password is required";
exit 1;
fi
if [ ${ORCLADMINPWD2} = "A" ] ; then
printf "Please enter confirmed orcladmin password: "
stty -echo ; read ORCLADMINPWD2 ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" != "${ORCLADMINPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
# Check if orcladmin password is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect orcladmin password specified"
exit 1;
fi
echo " "
if [ ${SCUSB} = "A" ] ; then
printf "Please enter the subscriber common user search base [orclcommonusersearchbase]: "
read SCUSB
if [ "${SCUSB}" = "" ]
then
SCUSB=`${ORACLE_HOME}/bin/ldapsearch -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} -s base -b 'cn=common,cn=products,cn=oraclecontext' -L 'objectclass=*' orclcommonusersearchbase | head -2 | grep -v 'dn:' | awk '{printf $2}'`
fi
fi
if [ ${PRGDN} = "A" ] ; then
printf "Please enter the Plug-in Request Group DN: "
read PRGDN
fi
if [ ${EP} = "A" ] ; then
printf "Please enter the exception entry property [(!(objectclass=orcladuser))]: "
read EP
if [ "${EP}" = "" ]
then
EP='(!(objectclass=orcladuser))'
fi
fi
echo " "
printf "Do you want to setup the backup Active Directory for failover? (y/n) "
read ISFAILOVER
if [ "${ISFAILOVER}" = "y" ]
then
if [ ${SECADHOST} = "A" ] ; then
printf "Please enter the backup Active Directory host name: "
read SECADHOST
if [ "${SECADHOST}" = "" ]
then
echo "Backup Active Directory host name is required";
exit 1;
fi
fi
printf "Do you want to use SSL to connect to the backup Active Directory? (y/n) "
read ISFAILOVERSSL
if [ "${ISFAILOVERSSL}" = "n" ]
then
if [ ${SECADPORT} = "1" ] ; then
printf "Please enter the backup Active Directory port number [389]: "
read SECADPORT
if [ "${SECADPORT}" = "" ]
then
SECADPORT="389"
fi
fi
fi
if [ "${ISFAILOVERSSL}" = "y" ]
then
if [ ${SECADSSLPORT} = "1" ] ; then
printf "Please enter the backup Active Directory SSL port number [636]: "
read SECADSSLPORT
if [ "${SECADSSLPORT}" = "" ]
then
SECADSSLPORT="636"
fi
fi
if [ ${SECWALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read SECWALLETLOC
fi
## wallet location is required
if [ "${SECWALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${SECWALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read SECWALLETPWD ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${SECWALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read SECWALLETPWD2 ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" != "${SECWALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
fi
# install the plug-in PL/SQL packages
echo " "
echo "Installing Plug-in Packages ..."
echo " "
# install plug-in debug tool
cp $ORACLE_HOME/ldap/admin/oidspdsu.pls $LDAP_LOG
chmod +w $LDAP_LOG/oidspdsu.pls
echo "EXIT;" >> $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$LDAP_LOG/oidspdsu.pls
rm $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspdof.pls
# install plug-in packages
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
#stty -echo; eval ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# register the plug-ins
echo " "
echo "Registering Plug-ins ..."
echo " "
$ORACLE_HOME/bin/ldapadd -h ${OIDHOST} -p ${OIDPORT} -D cn=orcladmin -w ${ORCLADMINPWD} << EOF
dn: cn=adwhencompare2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapcompare
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhencompare2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginattributelist:userpassword
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
dn: cn=adwhenbind2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapbind
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhenbind2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
EOF
cat <<DONE
Done.
DONEHi,
This is a problem that is not made clear in the note. What is probably happening here is that both plugins are being fired when a user logs in. OID will only read the value returned from the final plugin to fire. This can be a problem if the user authenticates correctly against the first plug-in but fails on the second. This is entirely legitimate as this note tells you to configure this way but the OID only observes the final result. The note doesn't tell us this.
Here's an example:
We've two OID User users in different containers: cn=Al is in container cn=usersA,dc=oracle,dc=com and cn=BOB is in container cn=usersB,dc=oracle,dc=com.
We have two plugins: pluginA and PluginB. Installed in that order.
When Al logs in the two plugins fire. pluginA finds Al and returns a true, but then pluginB fires and returns a false undoing the good result. OID only accepts the final answer and so rejects the user. When Bob logins in both plugins fire again but it's the second plugin that returns the answer again. This is true and bob gets in.
There's a couple of ways around this and one of the more effective ways is to associate the plugin with the dn. So in our example, we associate the pluginA to fire only for the dn cn=usersA,dc=oracle,dc=com and pluginB only to fire when a user is in cn=usersB,dc=oracle,dc=com. This gets around the problem of mulitple plugins firing and giving conflicting answers as the appropriate plugin only fires once.
I've used this solution in a realtime environment when connecting and provisioning multiple ADs into one OID and found it to be extremely effective.
Another solution is to associate the plugins with groups.
Both of these options may be configured easily by modifying the plugin properties in ODM. Don't forget to restart OID after you've made the changes.
HTH!
Phil.
If -
How can you delopy NIDaq 8.3 with Windows 200x Active Directory.
We are developing our own in-house measurement application that is built with LV 8.2. It requires NI Daq 8.3 to be installed as well. I need to deploy this to anywhere from 30-60 computers now and many more as we expand in the future.
I know I probably could use the Setup.exe with some switches for a silent install however the two problems are:
I have to write a script for each computer or go to each computer.
Future compters will need to be manually touched as well.
We may need to uninstall in the future for newer deployments and that cannot be done easily with this method while in AD I just have to click a few things and then it is deployed.
I currently deploy apps like Office, Solidworks, Acrobat Reader, and a whole host of others with Active Directory by just adding the MSI file for these apps to the AD Container's Group Policy. I see on the NI Daq CD there are tons of subfolders and most have their own MSI file. I have attempted to see if I could just deploy these in order by just attaching these MSI files to the Group Policy, but AD tells me that "none" of these MSI files I have tried so far are valid MSI files because they have no deployment info in them.Hello Jordan,
If I understand you correctly, you are trying to push the installation of the DAQmx driver as well as your LabVIEW application out to several machines from a server. Ideally you do not want to take your installer do each machine individually, and you also would not want to have to write a script.
Unfortunately your options may be limited to the features provided by your IT tools. You mentioned that you are using Active Directory to push out other software packages using their msi files. While I am not familiar with this particular software, is there any other way to install software remotely using this tool? Basically, I am looking for another method by which you can configure this tool to run the Setup.exe silently on computers of your choice. It may be worth your time to look into the documentation of this tool to determine if this is at all possible. Please post back and let us know what you are able to find out. Thanks!
Mike D. -
My only Active Directory Server on win server 2008 R2 with one domain controller crashed today. The only backup that i had was IFM media.
So what i have done till now to recover it is a follow
I reintalled window server but this time it is winserver 2012. I added AD DS role to it. Promoted it to Domain Controller. (functionality level is 2008 R2)
On second server i installed win 2008 R2 and trying to add additional domain controller from IFM to recover all of my domain users,computers and GPO's. but i am getting this error
Could not replicate the directory partition CN=schema, CN= configuration, DC=XXX, DC=com from the remote domain
the naming context specified for this replication operation is invalid
i dont know weather my approach is correct or not
but my simple questions is
Can i recover my all domain computers and users from IFM and in-cooperate them in new forest ?? if yes how can i do that?? urgent help required.yup exactly i created a new domain(in new forest) with same previous name in window server 2012 on SERVER-1. As ifm file that i had was generated from 2008 r2 so on second server i installed window 2008 r2 and tried to add role of additional domain controller
from ifm file on SERVER-2 using dcpromo /adv . every step went ok but in last step when it starts replicating domain controllers it poup following error
Could not replicate the directory partition CN=schema, CN= configuration, DC=XYZ, DC=com. . .
and roll backs every thing. -
Weblogic with Active Directory Authentication provider problem: DN for user ....: null
I have a java application (SSO via SAML2) that uses Weblogic as a Identity Service Provider. All works well using users created directly in Weblogic. However, I need to add support for Active Directory. So, as per documentation:
- I defined an Active Directory Authentication provider
- changed it's order in the Authentication Providers list so that it comes first
- set the control flag to SUFFICIENT and configured the Provider Specific; here's the concerned part in config.xml:
<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
<sec:name>MyOwnADAuthenticator</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
<wls:host>10.20.150.4</wls:host>
<wls:port>5000</wls:port>
<wls:ssl-enabled>false</wls:ssl-enabled>
<wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
<wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
<wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
<wls:cache-enabled>false</wls:cache-enabled>
<wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
</sec:authentication-provider>
I configured a AD LDS instance(Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to Administrators members. I also made sure to set msDS-UserAccountDisabled property to FALSE.
After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
Here's what I see in the log file:
<BEA-000000> <LDAP Atn Login username: tadmin>
<BEA-000000> <authenticate user:tadmin>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
#!SEARCH REQUEST (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.324
# LDAP URL : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
# command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
# baseObject : CN=wl,DC=at,DC=com
# scope : wholeSubtree (2)
# derefAliases : derefAlways (3)
# sizeLimit : 1000
# timeLimit : 0
# typesOnly : False
# filter : (&(cn=tadmin)(objectclass=user))
# attributes : objectClass
#!SEARCH RESULT DONE (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.356
# numEntries : 1
(the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com" in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
Here are some other things I tried but did not change anything:
- the other "msDS-" attributes were not set so I tried initializing them to some value
- I tried other users defined in AD LDS, not tadmin
- in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
- I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
Any thoughts?
Thanks.I managed to narrow it down: the AD LDS does not support the userAccountControl.
Anyone knows how I can configure my Active Directory Authentication Provider in Weblogic so that it does not implicitly use userAccountControl as filter?
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)> -
Beginners guide to integration with Active Directory?
Hi (complete beginner to this, but a quick learner)
I don't know where to start with regards to getting the Macs on our network connecting like the PCs. Currently we have about 100 Macs on 10.4.x that are bound to the AD using Directory Access - users can log in, but that's about as far as integration goes. Their home folders do not "map" to the corresponding folders on the Macs, and we (as administrators) have no control over the Mac network users like we would have the local Mac users.
I've been asked to look into this issue, and along with creating new modular 10.5.x system builds for all our Macs (different hardware, different software needs, different physical locations), I need to know what the next steps are. I have no experience of using Mac OS X Server or Active Directory. Besides telling me to ask the IT department to hire a Mac professional, what should I be looking into next?
So far, this is how I think the process goes:
1) Ensure I have solid modular system builds ready to go for the different macs/different classrooms.
2) Get an Xserve for IT.
3) Have Open Directory integrate with Active Directory, so that the same access controls/permissions are applied to the Mac users as they are the Windows users (including Finder access controls, Application controls, folder mapping etc) - *this is where I need guidance*.
4) Push out the system builds to the Macs on the network
5) Connect the Macs using Open Directory...
6) ...
As you can see, my knowledge kind of peters out towards the end there; is this a realistic undertaking for me (a classroom technician who happens to use Macs - NOT trained in any of this) and the Mac-phobic IT department (who would prefer switching all of our workstations to PC)? Are we going to have to bite the bullet and get some expensive consultants in?pisto_grih wrote:
Hi (complete beginner to this, but a quick learner)
I don't know where to start with regards to getting the Macs on our network connecting like the PCs. Currently we have about 100 Macs on 10.4.x that are bound to the AD using Directory Access - users can log in, but that's about as far as integration goes. Their home folders do not "map" to the corresponding folders on the Macs, and we (as administrators) have no control over the Mac network users like we would have the local Mac users.
And that is about as far as the Apple plugin will take you. In order to do more you need to either extend schema (very scary), look at third party products like Centrify (very expensive), or look at getting an OS X Server and implementing the "magic triangle" in which OS X attributes are managed in OD while users, groups, and password are managed by AD.
I've been asked to look into this issue, and along with creating new modular 10.5.x system builds for all our Macs (different hardware, different software needs, different physical locations), I need to know what the next steps are. I have no experience of using Mac OS X Server or Active Directory. Besides telling me to ask the IT department to hire a Mac professional, what should I be looking into next?
If you go the route of OS X Server and MCX settings, make life easy on yourself and build one common build. Then limit app access based on your groups. That way you can simplify the number of images you maintain down to one (provided you have appropriate licensing).
So far, this is how I think the process goes:
1) Ensure I have solid modular system builds ready to go for the different macs/different classrooms.
See above. But if you need to, look at InstaDMG
2) Get an Xserve for IT.
Yep. But if you are only doing MCX you might want to look for a cheeper alternative. The Xserve can offer some nice additions, including software update server and Netinstall server among others.
3) Have Open Directory integrate with Active Directory, so that the same access controls/permissions are applied to the Mac users as they are the Windows users (including Finder access controls, Application controls, folder mapping etc) - *this is where I need guidance*.
Yep. You are on the money.
4) Push out the system builds to the Macs on the network
Push huh. Look at Radmind. Then take a summer off to learn it. Then become god.
5) Connect the Macs using Open Directory...
Actually, connect the macs to both AD and OD. This will allow authentication and instantiating through AD and management through OD. Works very well.
6) ...
As you can see, my knowledge kind of peters out towards the end there; is this a realistic undertaking for me (a classroom technician who happens to use Macs - NOT trained in any of this) and the Mac-phobic IT department (who would prefer switching all of our workstations to PC)? Are we going to have to bite the bullet and get some expensive consultants in?
It is learnable especially with the summer and available hardware. However, supporting the consulting industry is always nice http://consultants.apple.com
Hope this helps -
New Branch Office Opening. Active Directory Options
Hello.
Our company has a new branch site in Canada that's been in operation for some time now. the "admin" of that branch office is wanting to setup 2 new domain controllers, i was going to suggest that we could add a Canada site via Active directory
sites and services and configure it that way.
he suggested that he would like the to have a separate domain name, for instance if we're contoso.co.uk, they want to be contoso.ca
is the best option in this situation to have them setup there own domain and then just federate between them?
i have good experience with AD but as were a small company (geographically) so i have little knowledge of multi site / federation topology.
any suggestions would be most welcome.
Many ThanksHello
If you decide to deploy new Domain this will lead to new administrative tasks to able to support users(creating trust to support access to resources in other domain, other suit of GPOs etc.). Instead if second site is added this will be more simple solution.
semi -solution is to have child domain which back again will lead to other admin tasks. Also Recommendation by the vendor to have simple solution. -
Solaris 10 authentication on Windows 2008 Active Directory
Hi,
Does anyone done it?
I've do it against a Windows 2003 R2 Active Directory and now in production environment i'm having some issues with the password.
I'm using only the Active Directory LDAP without Kerberos.
I'm able to su to the user, getent passwd but everything that as password fails.
I guess is some configuration issue in active directory, some sync stuff becouse the ldap bind is correctly done, is after the bind that fails.
Bellow the sshd log with wrong user password.
sshd[23965]: [ID 293258 auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
sshd[23965]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
And with the correct user password.
sshd[23965]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
As you can see the bind is done but windows guys says everything is ok. This is a new implemantation both in Solaris side and Windows side.
This is how ldapclient is configured.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= CN=User Funcional Login de maquinas Unix CQ,OU=Utilizadores-Servicos,OU=Servicos-Transversais,OU=DOM,DC=Example,DC=com
NS_LDAP_BINDPASSWD= {NS1}a1493f3c77c616
NS_LDAP_SERVERS= 192.168.1.140, 192.168.1.141
NS_LDAP_SEARCH_BASEDN= ou=dom,dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=dom,dc=example,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=dom,dc=example,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=dom,dc=example,dc=com?sub
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
The nsswitch.conf has files ldap on both passwd and groups.
Best regards and thanks for the help you can giveThe problem was in pam.conf that had the module pam_ldap last in the order and it shouldn't be.
This is how it should be.
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password sufficient pam_ldap.so.1
other password required pam_authtok_store.so.1
Authentication against 2008 Active Directory working fine now. -
I have windows server 2012 R2 and install active directory
My question is I install active directory in windows server 2012 R2 and create Group Policy. ( These set-up is only for test)
Have not registered domain only install active directory to test.
So the problem is when I created Group policy for my user and put software restriction policy but its affected to my administrator accounts too, No when I open VMware (install Virtual Machine windows XP) and start os then its shows you can not user this
software as you restricted from installing software (Something like that don't know exact Error). I could not start installed Virtual Machine.
Please give me a solution for this.
This is the setup for a test use only so their not big environment connect with my pc.
Thanks in advance.
Regards,
KrunalHi,
The following article is talking about creating and managing Group Policy on a Windows Server 2012:
http://www.thomas-krenn.com/en/wiki/Creating_and_managing_a_Group_Policy_on_a_Windows_2012_Server
As Darren Blanchard mentioned, if you want to apply the GPO, you could link it to an OU that contain the computer or user.
Group Policy Overview
http://technet.microsoft.com/en-us/library/hh831791.aspx
Please feel free to let us know if you need further assistance.
Regards.
Vivian Wang -
Active Directory and Open Directory not working
I am experiencing an issue, or several issues that I can't figure out how to resolve.
I have an Active Directory domain set up (running 2003 server R2) and it is humming along quite nicely.
A few weeks ago I got a new XServe running 10.5.4. Booted it up, bound it to AD, and then set up and OD Master on it so that I could manage some new Macs that we have.
The Macs are bound to both directories.
The issue I have comes in when using Workgroup Manager, and trying to add AD user to OD groups. The groups drawer is open, but the little directory menu at the top of the drawer does not include the entry for Active Directory. I see Local, Search Policy, and /LDAPv3/127.0.0.1...
If I try to pull down the directory menu above the user list, I see the following: Loca, Search Policy, Other..., /Active Directory/All Domains, and /LDAPv3/127.0.0.1.
If I select /Active Directory/All Domains from that list I get the following error.
+Unable to open the requested node.+
+The node /Active Directory/All Domains couldn’t be opened because an unexpected error of type -14002 occurred.+
I think these issues are related, but I can find no help on the first item (AD not showing up in the groups menu)
and a search for the second item only reveals the following page form Apple, which means absolutely nothing to me.
http://developer.apple.com/documentation/Networking/Reference/OpenDirectoryRef/Reference/reference.html
The killer is that this all worked at one point. I had an Apple Tech out here and he helped me set up this 'Golden Triangle" method of authenticating against both directories. And it works... sort of... I can create groups in OD and add OD machine accounts to the group to enforce some settings. But I can't bring in AD users, cause I can't see the AD user list.
I hear that this is supposed to work... I can't figure it out.
Any help would be appreciated.
Thanks for your time.
BillHi
Can you access Active Directory from the command line using dscl?
In what order are the LDAP directories listed in Directory Utility on the Server?
Is Kerberos running on the OD Master?
If you issue klist from the command line on the server itself - what is the result?
Or don't bother with any of the above and start again. You've nothing to lose anyway apart from some managed preferences which you can redo in little time. Scrub the configuration in the AD plug-in and demote to Standalone. Restart and go for an AD rebind. Make sure the edu.mit.Kerberos file is created in /Library/Preferences. Launch WGM and you should see AD Users and Groups this time, If you do go for promotion again. What you want to see in the OD Overview pane is everything running apart from Kerberos and the search base reflecting the FQDN of the OD Master. Make sure there is the loopback entry (127.0.0.1) in the LDAPv3 plug in. Finally make sure the OD Master lists itself first in the Directory Search Order.
I'm assuming the Server is configured as Advanced and is updated to 10.5.4.
Tony
Maybe you are looking for
-
Support package / add on import error in DB2 V9.1 / windows 2003 system
Hi I have installed ERP 6.0 IDES version in Windows 2003 server with DB2 LUW 9.1 / FP5. I have selected "Row Compression" and "Deferred Table Creation" during installation. Now when I am importing add on BI Content 7.03, I am getting error during Mov
-
CS5.5 Mac Indesign crash associated with linguistics
This problem has been plaguing me for two months. As soon as I open an Indesign document, the program crashes. I have discovered the following --deleting the Linguistics folder in Application Support for Indesign solves the problem, but then my user
-
I met someone last weekend and I stored the number in my phone but don't remember the person's number. My phone has tons of numbers so it's impossible to tell which one is hers. Is it possible to tell which are the last numbers I added to the phone?
-
Html or css - What's best practice for email?
Hello, I am struggling getting fonts to look a certain way across all browsers. I used CSS like this: <style type="text/css"> .header { font-family: Arial, Helvetica, sans-serif; font-size: 32px; text-transform: uppercase; color: #FFAE39; </style> <
-
Archive start from sequence=2...
Hi All, After completion Database (10g) installation on solaris machine , check the sequence number from v$log view as shown below : it display sequence 2 is current and archive is also start from sequence 2.(check this archive files manually from lo