Group Permission on Active Directory ?

Hello every body ...
PLz Help Me .
I want To create the Group That its members can remote as a limited user and disconnect automatically at 14:00 pm from Server . (with AD)
how to do this job ?

hello Mr
Thank for your Attention
Active Directory on Windows Server 2008 r2 .
I want To create the Group That
its members can remote as a limited user to one member server and disconnect automatically at 14:00 pm from Server . (with AD)

Similar Messages

Creating group dynamically in active directory depending on their role

Hi,
I have sycn oid and active directory using directory integration platform. Now the scenario is We have one system says hr system which take care of entering all the user information. Once it submit that information it goes to oid. Now we want that when we import all that user from oid to active directory it didn't duplicate any user as well as depending on their role it should create groups dynamically in active directory. For e.g: If user belong to Trainee category or manager category it must create Trainee group & Manager group & respective person should go into that group. I don't know whether my question is placed in right group or not. I am using filter to do this task but not able to write proper condition in "source matching filter" and "destination matching rule". Any help will be appreciated.
Thanks,
Sonya Sharma

Thanks Tamim. To clear your thought, i will explain again. I have sync oid and active directory through Directory integration platform. I have created user in oid.(cn=users,dc=mycompany,dc=com). It get sync in active directory properly. Now i have created two group in active directory say for e.g Trainees and Manager. There is a field name position in oid which is a custom attribute. When i fill the information of user in oid, I have to fill "Position" attribute also. So my question is that, if i fill Trainee as a value in Position attribute and click on submit it should go in Trainee Group In active directory and not in user group. Same for manager. How can we achieve this? Can we do it through filter? Or any other way? It's needed desperately. Please help me in resolving this issue.
Regards,
Sunil

Get Password Expiration Date of Group members in Active Directory

hi,
How can I get password Expiration date of Group members in Active Directory – please advise me
Fasil CV

Or DSQUERY Commands.
dsget group "CN=Group1,DC=myinfralab,DC=com" -members | dsget user - -acctexpires
Santhosh Sivarajan | Houston, TX | www.sivarajan.com
ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
Blogs: Blogs
Twitter: Twitter
LinkedIn: LinkedIn
Facebook: Facebook
Microsoft Virtual Academy:
Microsoft Virtual Academy
This posting is provided AS IS with no warranties, and confers no rights.

I am new How to make internet enable group in my active directory 2003 ?

I am new How to make internet enable group in my active directory 2003 ?
Thanks & Regards, Amol . Amol Dhaygude

Greetings!
What is Internet Enabled Group? Would you please clarify this?
Mahdi Tehrani |
|
www.mahditehrani.ir
Please click on Propose As Answer or to mark this post as
and helpful for other people.
This posting is provided AS-IS with no warranties, and confers no rights.
How to query members of 'Local Administrators' group in all computers?

How to create User in the specific group in Microsoft Active Directory

Hi,
I am using Nestcape LDAP, and want to create user in the user defined group. I have created a new user group "TestUsers" in the "Users" container of Active Directory, I want to add the new user to Test Users group But my problem is that whenever I create a new user
it get added to Domain Users group.
I tried adding memberOf attribute with value "TestUsers"
attr = new LDAPAttribute("memberOf", "TestUsers");
attrs.add(attr);
It gives me following error :
code= 53 Exception 0000209A: SvcErr: DSID-031A0D6F, problem 5003 (WILL_NOT_PERFORM), data 0
Following is the code I am using.
public LDAPResult createUserID(
String userId,
String pwd,
String pId,
boolean resetonLogOn,
LDAPConnection ldCon) {
boolean flag = false;
int code=0;
try {
String pwdLastSetVal;
String desName;
String desc;
/* Specify the DN of the new entry. */
String dn =
"CN=" + userId + ",CN=" + this.container + "," + this.baseDN; // container = "Users"
/* Create and add attributes to the attribute set. */
String objectclass_values[] =
{ "top", "person", "organizationalPerson", "user" };
// LDAPEntry findEntry=null;
/* Create a new attribute set for the entry. */
LDAPAttributeSet attrs = new LDAPAttributeSet();
/* Attribute sAMAccountName */
LDAPAttribute attr = new LDAPAttribute(LDAP_SAM_KEY, userId);
attrs.add(attr);
/* Attribute unicodePwd */ // LDAP_PASSWORD_KEY = "unicodePwd"
attr =
new LDAPAttribute(
LDAP_PASSWORD_KEY,
(byte[]) this.encodePassword(pwd));
attrs.add(attr);
/* Attribute Display Name */
desName = userId + ":" + pId;
//desName = userId ;
attr = new LDAPAttribute(LDAP_DIS_NAME_KEY, desName);
attrs.add(attr);
/** Attribute userAccountControl to enable the userid.
attr = new LDAPAttribute(LDAP_ACCOUNT_KEY, LDAP_ACCOUNT_EN_VAL); // LDAP_ACCOUNT_EN_VAL= "548"
attrs.add(attr);
/* Attribute pwdLastSet to reset the password on first logon*/
if (resetonLogOn == true) {
pwdLastSetVal = "0";
} else {
pwdLastSetVal = "-1";
attr = new LDAPAttribute(LDAP_RESET_KEY, pwdLastSetVal);
attrs.add(attr);
/* Attribute Description */
desc = " Account Created by HelpNow App";
attr = new LDAPAttribute(LDAP_DESC_KEY, desc);
attrs.add(attr);
/* Attribute objectclass */
attr = new LDAPAttribute("objectclass", objectclass_values);
attrs.add(attr);
attr = new LDAPAttribute("memberOf", "TestUsers");
attrs.add(attr);
/* Create an entry with this DN and these attributes . */
LDAPEntry myEntry = new LDAPEntry(dn, attrs);
/* Add the entry to the directory. */
ldCon.add(myEntry);
flag = true;
}catch (LDAPException e) {
flag = false;
code=e.getLDAPResultCode();
}catch (Exception e) {
flag = false;
code=LDAPException.OTHER;
}finally {
ldaprs.flag=flag;
ldaprs.code=code;
return ldaprs;
}

Refer to the post titled "JNDI, Active Directory and Group Memberships" available at http://forum.java.sun.com/thread.jspa?threadID=581444&tstart=150

How to create user in specific user group in Microsoft Active Directory ?

Hi,
I am using Nestcape LDAP, and want to create user in the user defined group. I have created a new user group "TestUsers" in the "Users" container of Active Directory, I want to add the new user to Test Users group But my problem is that whenever I create a new user
it get added to Domain Users group.
Following is the code I am using which adds user to default group Domain Users.
public LDAPResult createUserID(
String userId,
String pwd,
String pId,
boolean resetonLogOn,
LDAPConnection ldCon) {
boolean flag = false;
int code=0;
try {
String pwdLastSetVal;
String desName;
String desc;
/* Specify the DN of the new entry. */
String dn =
"CN=" + userId + ",CN=" + this.container + "," + this.baseDN; // container = "Users"
/* Create and add attributes to the attribute set. */
String objectclass_values[] =
{ "top", "person", "organizationalPerson", "user" };
// LDAPEntry findEntry=null;
/* Create a new attribute set for the entry. */
LDAPAttributeSet attrs = new LDAPAttributeSet();
/* Attribute sAMAccountName */
LDAPAttribute attr = new LDAPAttribute(LDAP_SAM_KEY, userId);
attrs.add(attr);
/* Attribute unicodePwd */ // LDAP_PASSWORD_KEY = "unicodePwd"
attr =
new LDAPAttribute(
LDAP_PASSWORD_KEY,
(byte[]) this.encodePassword(pwd));
attrs.add(attr);
/* Attribute Display Name */
desName = userId + ":" + pId;
//desName = userId ;
attr = new LDAPAttribute(LDAP_DIS_NAME_KEY, desName);
attrs.add(attr);
/** Attribute userAccountControl to enable the userid.
attr = new LDAPAttribute(LDAP_ACCOUNT_KEY, LDAP_ACCOUNT_EN_VAL); // LDAP_ACCOUNT_EN_VAL= "548"
attrs.add(attr);
/* Attribute pwdLastSet to reset the password on first logon*/
if (resetonLogOn == true) {
pwdLastSetVal = "0";
} else {
pwdLastSetVal = "-1";
attr = new LDAPAttribute(LDAP_RESET_KEY, pwdLastSetVal);
attrs.add(attr);
/* Attribute Description */
desc = " Account Created by HelpNow App";
attr = new LDAPAttribute(LDAP_DESC_KEY, desc);
attrs.add(attr);
/* Attribute objectclass */
attr = new LDAPAttribute("objectclass", objectclass_values);
attrs.add(attr);
/* Create an entry with this DN and these attributes . */
LDAPEntry myEntry = new LDAPEntry(dn, attrs);
/* Add the entry to the directory. */
ldCon.add(myEntry);
flag = true;
}catch (LDAPException e) {
flag = false;
code=e.getLDAPResultCode();
}catch (Exception e) {
flag = false;
code=LDAPException.OTHER;
}finally {
ldaprs.flag=flag;
ldaprs.code=code;
return ldaprs;
}

Refer to the post titled "JNDI, Active Directory and Group Memberships" available at http://forum.java.sun.com/thread.jspa?threadID=581444&tstart=150

Getting list of all users and their group memberships from Active Directory

Hi,
I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
==================
import javax.naming.*;
import java.util.Hashtable;
import javax.naming.directory.*;
public class GetUsersGroups{
     public static void main(String[] args){
          String[] attributeNames = {"memberOf"};
          //create an initial directory context
          Hashtable env = new Hashtable();
          env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
          env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
          env.put(Context.SECURITY_AUTHENTICATION, "simple");
          env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
          env.put(Context.SECURITY_CREDENTIALS, "p8admin");
          try {
               // Create the initial directory context
               DirContext ctx = new InitialDirContext(env);
               //get all the users list and their group memberships
               NamingEnumeration contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
               while (contentsEnum.hasMore()){
                    NameClassPair ncp = (NameClassPair) contentsEnum.next();
                    String userName = ncp.getName();
                    System.out.println("User: "+userName);
                    try{
                         System.out.println("am here....1");
                         Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should be returned
                         System.out.println("am here....2");
                         Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                         System.out.println("-----"+groupsAttribute.size());
                         if (groupsAttribute != null){
                              // memberOf is a multi valued attribute
                              for (int i=0; i<groupsAttribute.size(); i++){
                              // print out each group that user belongs to
                              System.out.println("MemberOf: "+groupsAttribute.get(i));
                    }catch(NamingException ne){
                    // ignore for now
               System.err.println("Problem encountered....0000:" + ne);
               //get all the groups list
          } catch (NamingException e) {
          System.err.println("Problem encountered 1111:" + e);
=================
The following exception gets thrown at every user entry:
User: CN=Administrator
am here....1
Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
]; remaining name 'CN=Administrator'
I think it gets thrown at this line in the code:
Attributes attrs = ctx.getAttributes(userName, attributeNames);
Any idea how to overcome this and where am I wrong?
Thanks in advance,
Regards.

In this sentence:
Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
It seems Ok when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
userName + ",CN=Users,DC=filenetp8,DC=com"
But I still have some problem with it.
Hope it will be useful for you.

Filtering Groups on Windows Active Directory using LDAP Authentication

Hi All,
I have small module that filters the groups from the Windows AD using LDAP attributes and flushes the data into the DB[code below].
This module was developed and tested on weblogic 8.1[on windows]and works fine.
Now the same is moved to another environment- Websphere on Linux Suse. The code fails to retreieve any value from the Windows AD.
Please note no exception is aslo thrown.
env.put(Context.INITIAL_CONTEXT_FACTORY,ldapCtxFactory);
          //set security credentials, note using simple cleartext authentication
          env.put(Context.SECURITY_AUTHENTICATION,authentication);
          env.put(Context.SECURITY_PRINCIPAL,adminName);
          env.put(Context.SECURITY_CREDENTIALS,adminPassword);
          //connect to my domain controller
          env.put(Context.PROVIDER_URL, domainController);
          // Create the initial directory context
          try {
                              dirCtx = new InitialDirContext(env);
               // Create the search controls
               SearchControls searchCtls = new SearchControls();
               //Specify the attributes to return
               String returnedAtts[]={"member"};
               searchCtls.setReturningAttributes(returnedAtts);
               //Specify the search scope
               searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
               int totalResults = 0;
               int iteration=0;
               // Search for objects using the filter
               NamingEnumeration results = ctx.search(searchBase, searchFilter, searchCtls);
In the above code the method exits even before the try block[i could detect this using Sysout's]
Below is the property file from which the values are read.
admin=username
password=password
#AD search attributes
searchBase=DC=domainname,DC=domainname
searchFilter=(&(objectClass=group) (CN=value*))
#JNDI context attributes
ldapCtxFactory=com.sun.jndi.ldap.LdapCtxFactory
authentication=simple
domainController=ldap://address
groupPattern=pattern
Please Assit,
Thanks in Advance
Message was edited by:
radiant
Message was edited by:
radiant

Assuming it is the same Active Directory environment and only your Java platform has changed, the I can only assume that if no exception is thrown, and no data is returned, then the credentials you are using on the new Java platform are being mapped to an anonymous user (perhaps a blank password ?). By default, Windows Server 2003 domains, do not return any results to anonymous users.

Group Blogs when Active Directory is involved.

I have an OS X server running 10.5.4, bound to Active Direcotry to create Apple's "Golden Triangle" My Mac users are able to authenticate against AD, but get their computer's preferences from the OS X server. It's working well. However, I am having some issue related to Web Services.
I am trying to create a group blog for my dorm parents. I have tried a number of things, including the following:
In Server Admin, under Web -> Sites -> Web Services I have checked the blog box, and then checked the "Wiki and blog" box.
I have tried adding the following entities to the "Allow the follow to create wikis on this site:" box.
AD Users
OD Users
AD Groups
OD Groups
In every case, the username or group name that I have added remains in the box for a short period of time and then disappears.
I have even tried leaving the box empty to let my OD test user create a blog. That doesn't work so well at all.
Any ideas? Any more info I can provide to help you help me?
Thanks.
Bill

Here is my standard response to such issues. If this does not resolve your problem, let us know and hopefully someone will have the solution.
I have been successful in doing the following for imported Active Directory (AD) users in both Advanced and Workgroup mode in 10.5.3:
- creating calendars in iCal
- subscribing to group calendars in iCal
- accessing group Wiki's
But there are a few workarounds that must be applied and some simple steps that must be followed in order to be able to get this functionality to work.
Whenever people have a problem doing any of the above, I find that it's usually due to one of the following:
1. The binding was not done correctly.
The OD Master should have a binding to the AD server, and the client machine must be bound to both the OD Master and AD server. If the OD Master or client machine cannot bind to the AD server, it could be that these machines are not entered into the DNS, and/or are not entered in forward/reverse check. (I'm not an expert on DNS so I won't speak to that.)
2. An older version of Leopard server is being used.
It's been my experience that the OD/AD config works much better in 10.5.3. In fact, the version of Workgroup Manager (WGM) that was released in 10.5.3 provides a means for enabling calendaring for imported AD users in Advanced mode. (Discussed below.) Before 10.5.3, I don't know of any way to enable calendaring for AD users in Advanced mode (although it worked in Workgroup mode).
3. Workarounds to enable clear text for both iCal and Wiki have not been applied.
Clear text authentication must first be enabled for both Wiki and iCal in order for certain functionality to work. So there are a couple of workarounds that must be applied.
For Wiki, there is a KBase article that provides instructions and background info on this subject:
http://docs.info.apple.com/article?artnum=306750
For iCal, you must edit the caldavd.plist file for the following:
<key>Authentication</key>
<dict>
<key>Basic</key>
<dict>
<key>Enabled</key>
<false/> <----- change to true
</dict>
<key>Digest</key>
<dict>
<key>Algorithm</key>
<string>md5</string>
<key>Enabled</key>
<true/> <---------- change to false
<key>Qop</key>
<string></string>
</dict>
<key>Kerberos</key>
<dict>
<key>Enabled</key>
<true/>
<key>ServicePrincipal</key>
<string></string>
</dict>
</dict>
4. AD users have not been imported.
This primarily relates to calendaring. Binding to an AD server will allow you to see the AD users in WGM, but binding alone will not enable the users for calendaring.
In Advanced mode, what you need to do is select the 'New Augmented User Records' item from the 'Server' window in WGM. In the resulting window, select the 'Calendar Server' from the drop down list at the bottom. Then select the AD user(s) you want to import.
In Workgroup mode you would import the AD users using Server Preferences.

Add users to a group from another Active Directory domain

Hi Folks,
I need add users in a group the active directory through the FIM 2010 R2.
My scenery it is:
Domain A with FIM 2010 R2 provisioning users for Domain B;
I need get users the Domain B and add in group in Domain C.
What's better way, create FIM portal for them, or create aditional script/development for FIM 2010 R2.
Thanks a lot!
Wilsterman Fernandes

There are two approaches to do it.
1st - easier - using FIM Portal/Service - just create a criteria based group that would be created in Domain C.
2nd - more difficult, but you don't need FIM Service/FIM Portal - just export all users to one table in SQL and create a view, where a group and members (users from Domain B) are. It would be cheaper as you don't have to have FIM Service to do it. But if
you have it, first is easier.
If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

Populate the EmployeeID attribute of a user, based on their security group membership in Active Directory

Hey guys, I need to create a script that assigns a value to the EmployeeID of every user that is a member of a particular AD security group.
For example, there are the following groups - Accounting_01, Accounting_02, Accounting_03. The script has to read what members there are in these groups and assign to the people of Accounting_01 an EmployeeID of 01, to the people of Accounting_02 an EmployeeID
of 02, and to the people of Accounting_03 an EmployeeID of 03.
I have a script that adds a user to a security group, based on the value of a certain attribute, but not the other way around. Have you written such a script? Thanks in advance

I haven't tried the code, because I don't have AD cmdlets.
But I see some discrepancies between the documentation and your code.
Looking at http://technet.microsoft.com/en-us/library/hh852287.aspx (Set-ADUser cmdlet) we can read for the
-Replace<Hashtable> parameter: ... Use this parameter
to replace one or more values of a property that cannot be modified using a cmdlet parameter ...
But the OP referred to EmployeeID, which is a Set-ADUser cmdlet parameter (look for -EmployeeID),
thus, cannot be used with -Replace<Hashtable> parameter (as per the documentation).
Also, the documentation states for this same
-Replace<Hashtable> parameter: ... To modify
an object property, you must use the LDAP display name ...
And the LDAP display name for EmployeeID is employeeID, and not employeeid as in your code (although I'm
not sure if LDAP display name
is case sensitive).
As you say your code works correctly, I
suspect that you created a new property named employeeid, which is not the same referenced by the parameter
-EmployeeID.
The documentation merely says that it can be used to modify attributes that do not have their own parameter. If they were to include a parameter for every AD attribute the list would be huge. It doesn't imply that -replace cannot be used instead of the defined
parameters.
I must admit that I didn't realise that -EmployeeID could be used as I didn't consult the documentation before I wrote the code but I can confirm that using the method I posted the employeeID attribute was modified. It didn't create a second attribute with
different letter casing.

Active Directory users not made member of Local Network group

Hi all,
I've just done a clean install from 10.6 Server to 10.8.4.
The issue I seem to be having is a mismatch between what Groups in Server.app is reporting as members (who happen to be users or groups from our Active Directory domains) of a Local Network group and what dseditgroup reports as members of the same network.
The Setup:
In Groups in Server.app under Local Network Group I have created a group call "AccessServer"
Members in that group are:
     - AD-Domain User Group (so should be all users in the domain)
     - MacOS X "netaccounts" group (again, should capture all users that connect through the network I've used this in the past/10.6 very handy)
     - AD User 1
     - AD User 2
     - AD User 3
The Server is bound to the AD Domain, All-Domains is not selected and a Search Path is added for each Domain needed and set at the top of the search order.
The Behaviour:
AD User 1 can access AFP and other services as expected.
AD User 2 and 3 cannot.
Another user within AD-Domain User Group or netaccounts can access AFP and other services as expected
Yet other users within AD-Domain User Group or netaccounts cannot
Furthermore:
If I REMOVE AD User 1 (a working user) *and* the AD Domain Group and netaccounts Group. I can still login with that account!
Diagnosis:
I tried checking group membership with dseditgroup, the results match the behaviour, not the setup.
>dseditgroup -o checkmember -m ADUser1 accessserver
yes ADUser1 is a member of accessserver
>dseditgroup -o checkmember -m ADUser2 accessserver
no ADUser2 is NOT member of accessserver
>dseditgroup -o checkmember -m ADDomainUser/netacc accessserver
yes ADDomainUser/netacc is a member of accessserver
>dseditgroup -o checkmember -m n accessserver
no ADUser2 is NOT member of accessserver
When non-member users try to connect I get a message in the logs of (IP/DNS values anonymized):
2013-06-25 3:04:36.794 PM sshd[5217]: error: PAM: authentication error for illegal user ----- from ----.mala.bc.ca via x.x.
I get the same results even after removing the user from the Groups screen!
Failed Solutions
- As we are a large AD I've tried specifying specific Active Direcotry servers that might better be able to find the users in question and authenticate.
- I've let the system just sit, in hopes delayed replication would solve the problem overnight.
- I've deleted and recreated the groups.

Upon further investigation we have discovered:
a) the main behaviour that is causing the problem is best described as AD users that are added to a Local or Network OS X group... either individually or through a Domain group.... are not actually recognized as members of that OS X group even though the GUI or CLI tool have added them and acknowledge them as being in the list.
b) This is NOT limited only to MacOS X Server 10.8. The same behaviour is occuring on a long-running 10.6 server as well.
c) The problem remains whether we nest AD groups to capture a large bunch of users, or add users individually. If the user is part of the mysteriously denied set, how they are added to the OD or local group is irrelevant, including if added from the command line.
d) Which users are allowed and which are not is unclear and appears generally random. We have found 3 'classes' of users:
          1 - those that are successfully becoming members every time.
          2 - those that are intermittent members. Members on one server or another, or in one case even go from being reported as a member (by dseditgroup), to not being a member, to being a member again within the span of only a minute or two.
          3 - those that are never successfully admitted as a member.
So the problem is both Apple's and Windows in that:
Apple: Is allowing a group and/or user to be added and implying then membership in the group even though that membership is not being honoured in some way and there is no feedback or communication of that fact aside from generic 'denied' or 'illegal user' errors.
Windows: Is passing along membership through its groups and users, but not completely, for reasons that are, at this point, a mystery.
Really hoping people have some ideas on this. This system of nested groups or individual user access is something we have of course being using for many years. So this is a major setback.

Deploying Flash player with Active Directory Group Policy

I manage hundreds of computers at several different locations
and have the nightmare of updating Flash Player everytime a new
version comes out. The file I download from Adobe's site is an .exe
and does not contain a .msi file for Active directpry deployment.
How can I use group policy in Active Directory to deploy this
software to all my computers without me having to individually
touch each machine?

quote:
Originally posted by:
ocpltech
I manage hundreds of computers at several different locations
and have the nightmare of updating Flash Player everytime a new
version comes out. The file I download from Adobe's site is an .exe
and does not contain a .msi file for Active directpry deployment.
How can I use group policy in Active Directory to deploy this
software to all my computers without me having to individually
touch each machine?
so did any one ever send you an email or pm on the solution?
I was searching the web for this exact topic and so far only found
your question.
12 days later - you'd think someone here would have typed up
a solution........
H

Configuring Active Directory Realm with WLP7.0

Has any one configured win 2000 Active Directory(AD) LDAP v2 compatibility realm
with WLP7.0?
We don't have any groups and all Users in AD are under one dn. Since AD is administered
by a different group, I have decided to put the Portal mandated Groups/Users in
the filerealm.properties file.
After configuration and successful booting of weblogic server, I am able to see
the groups in the Active Directory LDAP via the weblogic console. I get the "Sizelimit
exceeded" exception when I try to browse users which makes sense. A partial list
of Users is listed in the console. Surprisingly all the users are listed with
a "=" sign in front of them.
I am not able to authenticate against any users in AD. I am not able to login
in to the PortalAppTools using "administrator" user although I have put it in
the "filerealm.properties". I am able to log in to the PortalAppTools using
"system" user but that doesn't help as I cannot see Default Portal Mgmt stuff.
user.administrator=password
user.praveen=paul
user.ashley=ashley
group.Monitors=Administrators
group.Deployers=Administrators
group.Administrators=weblogic,system,paul
group.SystemAdministrator=administrator,paul
group.AdminEligible=ashley
group.DelegatedAdministrator=paul
When I try to open the Portal Application, I get the following exception:
<Mar 13, 2003 8:03:46 PM MST> <Error> <Security> <090060> <The AccessDecision
class "weblogic.securi
ty.providers.realmadapter.AuthorizationProviderImpl" returned an error: java.lang.SecurityException:
Realm Adapter ACL Mapping Failed.
java.lang.SecurityException: Realm Adapter ACL Mapping Failed
at weblogic.security.providers.realmadapter.AuthorizationProviderImpl.isAccessAllowed(Author
izationProviderImpl.java:345)
at weblogic.security.service.AuthorizationManager.isAccessAllowed(AuthorizationManager.java:
475)
at weblogic.security.service.AuthorizationManager.isAccessAllowed(AuthorizationManager.java:
612)
at weblogic.jndi.internal.ServerNamingNode.checkPermission(ServerNamingNode.java:332)
at weblogic.jndi.internal.ServerNamingNode.checkLookup(ServerNamingNode.java:295)
at weblogic.jndi.internal.ServerNamingNode.lookupHere(ServerNamingNode.java:146)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:187)
at weblogic.jndi.internal.RootNamingNode_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:159)
at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:262)
at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:229)
at weblogic.jndi.internal.ServerNamingNode_WLStub.lookup(Unknown Source)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:337)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:332)
at javax.naming.InitialContext.lookup(InitialContext.java:345)
at weblogic.jndi.internal.WLNamingManager.getObjectInstance(WLNamingManager.java:94)
at weblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:763)
at weblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:735)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:190)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:337)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:332)
at weblogic.jndi.factories.java.ReadOnlyContextWrapper.lookup(ReadOnlyContextWrapper.java:36
at weblogic.jndi.internal.AbstractURLContext.lookup(AbstractURLContext.java:124)
at javax.naming.InitialContext.lookup(InitialContext.java:345)
at com.bea.p13n.util.JndiHelper.lookupNarrow(JndiHelper.java:96)
at com.bea.portal.appflow.PortalAppflowHelper.<clinit>(PortalAppflowHelper.java:70)
at com.bea.portal.appflow.servlets.internal.PortalWebflowServlet.init(PortalWebflowServlet.j
ava:84)
at javax.servlet.GenericServlet.init(GenericServlet.java:258)
at weblogic.servlet.internal.ServletStubImpl$ServletInitAction.run(ServletStubImpl.java:1075
at weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManager.java:744)
at weblogic.servlet.internal.ServletStubImpl.createServlet(ServletStubImpl.java:899)
at weblogic.servlet.internal.ServletStubImpl.createInstances(ServletStubImpl.java:833)
at weblogic.servlet.internal.ServletStubImpl.prepareServlet(ServletStubImpl.java:773)
at weblogic.servlet.internal.ServletStubImpl.getServlet(ServletStubImpl.java:517)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:351)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:306)
at weblogic.servlet.internal.RequestDispatcherImpl$ForwardAction.run(RequestDispatcherImpl.j
ava:341)
at weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManager.java:744)
at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:251)
at weblogic.servlet.jsp.PageContextImpl.forward(PageContextImpl.java:116)
at jsp_servlet.__index._jspService(index.jsp:3)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:27)
at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.jav
a:1058)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:401)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:445)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:306)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletC
ontext.java:5412)
at weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManager.java:744)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:30
86)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2544)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)
>
<Mar 13, 2003 8:03:46 PM MST> <Error> <PortalAppflow> <415400> <Could not lookup
PortalManagerHome i
n the JNDI tree using EJB reference java:comp/env/ejb/PortalManager.
javax.naming.LinkException: . Root exception is javax.naming.NoPermissionException:
User <anonymous
does not have permission on portalAppat weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174)
Any help is appreciated.
Thank You
Paul

hi Paul
check this doc out
http://dev2dev.bea.com/resourcelibrary/technicalguides/LDAP_in_Portal_7.0.jsp
-tulan
"Paul" <[email protected]> wrote in message
news:[email protected]...
>
Has any one configured win 2000 Active Directory(AD) LDAP v2 compatibilityrealm
with WLP7.0?
We don't have any groups and all Users in AD are under one dn. Since ADis administered
by a different group, I have decided to put the Portal mandatedGroups/Users in
the filerealm.properties file.
After configuration and successful booting of weblogic server, I am ableto see
the groups in the Active Directory LDAP via the weblogic console. I getthe "Sizelimit
exceeded" exception when I try to browse users which makes sense. Apartial list
of Users is listed in the console. Surprisingly all the users are listedwith
a "=" sign in front of them.
I am not able to authenticate against any users in AD. I am not able tologin
in to the PortalAppTools using "administrator" user although I have put itin
the "filerealm.properties". I am able to log in to the PortalAppToolsusing
"system" user but that doesn't help as I cannot see Default Portal Mgmtstuff.
>
user.administrator=password
user.praveen=paul
user.ashley=ashley
group.Monitors=Administrators
group.Deployers=Administrators
group.Administrators=weblogic,system,paul
group.SystemAdministrator=administrator,paul
group.AdminEligible=ashley
group.DelegatedAdministrator=paul
When I try to open the Portal Application, I get the following exception:
<Mar 13, 2003 8:03:46 PM MST> <Error> <Security> <090060> <TheAccessDecision
class "weblogic.securi
ty.providers.realmadapter.AuthorizationProviderImpl" returned an error:java.lang.SecurityException:
Realm Adapter ACL Mapping Failed.
java.lang.SecurityException: Realm Adapter ACL Mapping Failed
atweblogic.security.providers.realmadapter.AuthorizationProviderImpl.isAccessA
llowed(Author
izationProviderImpl.java:345)
atweblogic.security.service.AuthorizationManager.isAccessAllowed(Authorization
Manager.java:
475)
atweblogic.security.service.AuthorizationManager.isAccessAllowed(Authorization
Manager.java:
612)
atweblogic.jndi.internal.ServerNamingNode.checkPermission(ServerNamingNode.jav
a:332)
atweblogic.jndi.internal.ServerNamingNode.checkLookup(ServerNamingNode.java:29
5)
atweblogic.jndi.internal.ServerNamingNode.lookupHere(ServerNamingNode.java:146
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:187)
at weblogic.jndi.internal.RootNamingNode_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:159)
atweblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
:262)
atweblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
:229)
at weblogic.jndi.internal.ServerNamingNode_WLStub.lookup(Unknown Source)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:337)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:332)
at javax.naming.InitialContext.lookup(InitialContext.java:345)
atweblogic.jndi.internal.WLNamingManager.getObjectInstance(WLNamingManager.jav
a:94)
atweblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:76
3)
atweblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:73
5)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:190)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:337)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:332)
atweblogic.jndi.factories.java.ReadOnlyContextWrapper.lookup(ReadOnlyContextWr
apper.java:36
atweblogic.jndi.internal.AbstractURLContext.lookup(AbstractURLContext.java:124
at javax.naming.InitialContext.lookup(InitialContext.java:345)
at com.bea.p13n.util.JndiHelper.lookupNarrow(JndiHelper.java:96)
atcom.bea.portal.appflow.PortalAppflowHelper.<clinit>(PortalAppflowHelper.java
:70)
atcom.bea.portal.appflow.servlets.internal.PortalWebflowServlet.init(PortalWeb
flowServlet.j
ava:84)
at javax.servlet.GenericServlet.init(GenericServlet.java:258)
atweblogic.servlet.internal.ServletStubImpl$ServletInitAction.run(ServletStubI
mpl.java:1075
atweblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManage
r.java:744)
atweblogic.servlet.internal.ServletStubImpl.createServlet(ServletStubImpl.java
:899)
atweblogic.servlet.internal.ServletStubImpl.createInstances(ServletStubImpl.ja
va:833)
atweblogic.servlet.internal.ServletStubImpl.prepareServlet(ServletStubImpl.jav
a:773)
atweblogic.servlet.internal.ServletStubImpl.getServlet(ServletStubImpl.java:51
7)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:351)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:306)
atweblogic.servlet.internal.RequestDispatcherImpl$ForwardAction.run(RequestDis
patcherImpl.j
ava:341)
atweblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManage
r.java:744)
atweblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImp
l.java:251)
at weblogic.servlet.jsp.PageContextImpl.forward(PageContextImpl.java:116)
at jsp_servlet.__index._jspService(index.jsp:3)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:27)
atweblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(Servle
tStubImpl.jav
a:1058)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:401)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:445)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:306)
atweblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(W
ebAppServletC
ontext.java:5412)
atweblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManage
r.java:744)
atweblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletCo
ntext.java:30
86)
atweblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java
:2544)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)
>
<Mar 13, 2003 8:03:46 PM MST> <Error> <PortalAppflow> <415400> <Could notlookup
PortalManagerHome i
n the JNDI tree using EJB reference java:comp/env/ejb/PortalManager.
javax.naming.LinkException: . Root exception isjavax.naming.NoPermissionException:
User <anonymous
does not have permission on portalAppat weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174)
Any help is appreciated.
Thank You
Paul--
Edited by jonmountjoy at 01/03/2008 1:45 AM

ACS 5.3 WLC Certificates RADUIS Active Directory

Hi,
I have a wireless controller and an ACS 5.3. I would like to create a wireless network where a corporate laptop would use the certificates installed to connect to the wireless and then authentication with AD and laptop certificates to the ACS. So if a user from work brings a home laptop this won't be able to connect as they don't have a certificate installed on the laptop.
I have setup ACS to connect to AD.
I have added the local certificate with my company's CA
acs.blah.com
acs.blah.com
SubCA3-1
09:50 28.09.2012
09:50 28.09.2018
EAP, Management Interface
I create a very simple rule and then try connect through the laptop. I select the certicate on the client and click connect. The connection works fine and I am on the network.
Authentication Summary
Logged At:
October 2,2012 3:06:37.996 PM
RADIUS Status:
Authentication succeeded
NAS Failure:
Username:
blah\Eddy
MAC/IP Address:
18-3d-a2-26-7f-b9
Network Device:
L39-WC-5508-01 : 10.49.2.150 :
Access Service:
WirelessAD
Identity Store:
AD1
Authorization Profiles:
Wireless AD
CTS Security Group:
Authentication Method:
PEAP(EAP-MSCHAPv2)
I then just try a laptop I brought from home I used my AD username and password and this also connected. This Laptop doesn't have a certificate how can I make it so only work laptops with certificates be allowed to connect to the wireless?
any help would be great happy to send screen shots of my setup.
Cheers
Eddy

Hi Guys,
Well I configured the ACS following Scott's information, and I then tried to connect with the laptop and I got this.
Logged At:
October 12,2012 2:50:17.866 PM
RADIUS Status:
Authentication failed : 15039 Selected Authorization Profile is DenyAccess
NAS Failure:
Username:
blah\eddy
MAC/IP Address:
00-21-6a-07-31-88
Network Device:
-WC-5508-01 : 10.10.2.10 :
Access Service:
WirelessAD
Identity Store:
AD1
Authorization Profiles:
DenyAccess
CTS Security Group:
Authentication Method:
PEAP(EAP-MSCHAPv2)
I copied the two rules used in the setup by Scott and I still get this. I have copied and pasted the logs below any ideas on how to get this to work? I dont have MARS is MARS required for this PEAP setup?
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24430 Authenticating user against Active Directory
24416 User's Groups retrieval from Active Directory succeeded
24101 Some of the retrieved attributes contain multiple values. These values are discarded. The default values, if configured, will be used for these attributes.
24420 User's Attributes retrieval from Active Directory succeeded
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
Evaluating Group Mapping Policy
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
any ideas guys?
thanks for the help.

Group Permission on Active Directory ?

Similar Messages

Maybe you are looking for