How to set up an LDAP filter in OpenDirectory

Hello,
I hope I am posting to the right forum.
I have an existing central directory managed by LDAP.
The users can authenticate against my LDAP server.
In the LDAP directory, the users have a special attribute, making a list of machines and services they can or cannot access.
How to configure OpenDirectory to apply a filter to the LDAP records, so only users with a given value (let's say "macosx" in a given attribute) can authenticate?
For example, on another machine (FreeBSD) I have the following in the pam_ldap configuration:
nss_base_passwd ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th?one?csimAccountPermission=sambalogin
where csimAccountPermission=sambalogin is the filter and only users with that key will be able to use the Samba service.
TIA,
Olivier

Please try this forum, it's for OS X Server.
http://discussions.apple.com/category.jspa?categoryID=96

Similar Messages

  • Trying to set up an LDAP Realm

    I'm running WLS6.0 SP2 and I'm trying to set up an LDAP realm to talk to an openldap server. I'm on Win2k and have it installed as a service.
    I can connect to the server via an ldap browser, and I have a user in the ldap tree with a clear text password.
    I created an LDAP realm but I can't find where to configure WebLogic to use that LDAP realm for authentication.
    thanks
    joe

    I guess they don't use the LDAP Realm in Weblogic; you should create your custom realm that accesses AD and returns user/group enumerations, acl's, etc...
    I'm able to access AD using jdk1.4, and I have my custom realm; the only problem is wl uses jdk1.3 (+jaas) and I couldn't connect to AD with the old jaas, because it didn't support kerberos authentication. A more complete jaas is included in jdk1.4.
    Regards,
    Marc
    "Roy Cornell" <[email protected]> wrote:
    Great news, Scott. I hope you don't mind answering the three questions below:
    1. Which LDAP realm ***version*** did you use: V1 or V2?
    2. Which LDAP realm type did you specify during the configuration: "MS Site Server" or other?
    3. Did you encounter any problems during the integration?
    Thanks a lot.
    Roy
    "Scott Harger" <[email protected]> wrote in message news:3b794a7c$[email protected]..
    We have been able to get the LDAP realm (6.0 SP1) to work with Active Directory.
    Scott
    "Roy Cornell" <[email protected]> wrote in message news:3b72eb32$[email protected]..
    I've got the same question (posted it yesterday). Please, Please, Please, could somebody reply.
    "Andrew Wallace" <[email protected]> wrote in message news:3b72ce38$[email protected]..
    Somehow my last message got truncated. Here's the full deal:
    We're trying to set up an LDAP realm in a microsoft-centric environment (Windows 2000). All the documentation from BEA that I've found talks about MS Site Server, which, as near as I can find, is not an LDAP server.
    So - can I use MS Active Directory on Win2k? Is it functionally the same thing? Does the MS template in LDAP Realm V2 support it? Does anyone have success or horror stories about using AD?
    thanks,
    andy

  • Creating LDAP filter in authorization rule OAM 10G

    Hi,
    I want to set up an LDAP filter in an Authorization rule based on which I will redirect users to specific URLs. What is the syntax for writing LDAP filters in an OAM authorization policy? Any pointers to documentation will be appreciated.
    Also I want to know whether authorization always follows authentication, i.e. my redirection will be successful only after a user is authenticated in the end application based on the headers we send out after successful authentication.
    Please Help
    Thanks
    Edited by: 904630 on Dec 27, 2011 5:34 AM
    Edited by: 904630 on Dec 27, 2011 5:36 AM

    Open the Identity Server console and check the attribute's Display Name and type in the Object Classes section. I recently faced a similar issue and it got fixed after providing these two values.
    Hope it works for you as well :)

  • Can I set up a spam filter on my ipad2 email?

    How do I set up a spam filter on my ipad2 email?

    You have to set up any spam filters in your webmail email using a browser. The Mail app on the iPad does not have a spam filter function. Go to your webmail and set it up in the account preferences.

  • VSOM 7.0.1 LDAP Filter AD

    Hello!
    LDAP server settings are as follows:
    Name: SFC.LOCAL
    Host Name: 192.168.104.252
    port: 389
    Member of: %USERID%@sfc.local
    Database search for users: OU=Accounts,DC=sfc,DC=local
    User ID attribute: sAMAccountName
    How do I create a filter selecting users from a specific location in the AD hierarchy?
    The users are located at:
    OU=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local
    I tried this:
    search path: OU=Accounts,DC=sfc,DC=local
    Filter: (&(sAMAccountName=%USERID%)(memberOf=CN=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local))
    Runtime Error: The user with the given name is not found in the LDAP filter by (&(sAMAccountName=drozdov.alexander)(memberOf=CN=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local))
    Could the filter configuration be inaccurate?

    Hello Alex,
    Here is an example of the LDAP search filter configuration. Let me know if this helps.
    •General Settings
    Hostname: ds.cisco.com
    Port: 389
    Principal: %USERID%@cisco.com
    User Search Base: ou=Cisco Users,dc=cisco,dc=com
    Userid Attribute: sAMAccountName
    •LDAP Search Filter:
    Select a Cisco mailing list you are on from mailer.cisco.com, and substitute its name for <anyMailer> in the Filter below
    Search Path: ou=Cisco Users,dc=cisco,dc=com
    Filter: (&(sAMAccountName=%USERID%)(memberOf=CN=<anyMailer>,OU=Mailer,OU=Cisco Groups,DC=cisco,DC=com))
    Br,
    Nadeem Ahmed

  • LDAP Servers not listed when trying to set up a new LDAP connection

    Using SQL Developer: 1.5.1
    Oracle Database 10g Enterprise Edition Release 10.2.0.2.0
    Windows XP client environment
    Can anyone clarify how to set up LDAP connections in SQL Developer? We use LDAP for our connections with all the other Oracle tools like SQL*Plus and other developer tools like Forms. LDAP is working fine for all of those tools. However, when I try to set up an LDAP connection for SQL Developer no servers are found for the drop down box. Do we need to put the sqlnet.ora and ldap.ora files somewhere so that SQL Developer can find them? Does SQL Developer even need them? How does the LDAP server get populated in SQL Developer? Thanks. I have tried looking at other posts on this issue and nothing really jumped out at how to do this. I do have some older version Oracle homes set up also. For example we have an Oracle 6i home set up on our machines for the old versions of Forms and Reports.

    I set it to C:\Oracle10g_DevSuiteHome_1\NETWORK\ADMIN. This is under one of my Oracle Homes on this machine that contains the sqlnet.ora and the LDAP.ora files. This didn't appear to make any difference. Still no LDAP servers listed when you try to add or build a new connection. I tried some of my other Oracle Homes and still no effect. I have also tried copying the sqlnet.ora and the ldap.ora files to other directories. I have switched my default Oracle Home to point to the 9i and above homes and this made no difference.
    I have never had to do anything with an environment variable called TNS_ADMIN before. I almost remember a variable called TNS_ADMIN years ago in the registry that had to be modified, and it was TNS_ADMIN if I remember correctly. When you said to set an environment variable you did mean to just set or create a new environment variable using My Computer > Properties > Advanced Tab > Environment Variables on the client machine? I just want to make sure I set the right variable. Thanks for your help and suggestions.
    By the way I can connect just fine using basic or advanced connections. I just would like to use LDAP so I don't have to maintain connections when port, server or SID change. For example we just failed over and the failover database is on a different server. We do this as a test or when needed for failover purposes. If you are using the basic and advanced connections you need to go in and update connection information. If we use LDAP this is all maintained by the DBAs and individual clients shouldn't have to maintain any connection information as long as they have the right SID. The documentation for SQL Developer doesn't really seem to address how to set up LDAP connections; it just mentions that you can do it and it sounds simple.

  • How to create LDAP filter-based rule to check Group membership in OAM

    Hi folks,
    I'm having a hard time creating an authorization rule to verify ldap group membership. I've followed the "Configure User Authorization" article from the Oracle website (http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authz.htm#BABHBFEJI) and created an Authorization scheme with ldap_attribute_name as User Parameter and ruleExpression as Required Parameter. Then, inside my policy I created an Authorization Rule based on my Authz scheme with an Allow Access attribute filter-based Rule which looks like this:
    ldap://ldap_server:port/ou=People,o=Company,c=US??sub?(ldap_attribute_name=ldap_attribute_value)
    This works fine.
    Now, I've added another filter-based rule under the same Authz Rule/Allow Access:
    ldap://ldap_server:port/ou=Groups,o=Company,c=US?uniqueMember?sub?(&(objectClass=groupOfUniqueNames)(cn=ldap_group_name))
    While the query looks somewhat correct and works as a command-line argument (slightly modified format), it does not work in OAM (meaning people without the required group membership can still log in).
    Can someone steer me in the right direction as to what I need to do:
    1. Change/fix the ldap query
    2. Create a new Authz scheme with uniqueMember as userParameter; create a new Authz rule based on the new authz scheme; create a new Allow Access filter rule with the ldap query I have
    3. Do something else
    Any help is greatly appreciated.
    Thank you, Roman

    You can create two authorization rules:
    first for the user with the attribute
    and second for the group,
    and then in the authorization expression you can have an AND of these two.
    Regarding your query...
    First ... If your requirement is to give access to all the members of a particular group then you don't require any ldap filters.
    All you have to do is in the authorization rule -> Allow access -> Select People (here you have to select group, so click on the group tab; it's a little hard to see but it's there in light blue color on a dark blue tab) -> select the group you want to give access.
    Second... If your requirement is such that you want to give access to a member of a group which has a certain attribute, let's say a group with status active (in this case you are not aware of the name of the group because the user can be a member of any group, but you want to give access only to the group with the specific attribute), then you have to write a custom authorization plugin.
    If the option is the second, let me know; I can give you a solution which will work for a single domain without the effort of developing a major plugin.
    Hope this helps,
    Sagar

  • LDAP Filter to exclude a sub OU?

    I have a need to exclude a sub OU from a search base. CUCM is LDAP integrated to Active Directory. The directory search base is basically OU=Users,DC=company,DC=local. There are a couple of OUs located under the Users container (OU=service, OU=special). A third party manages this company's AD and is not willing to make any changes to the structure. Does anyone have a suggestion for a filter that will work to filter out the users in OU=special? I have tried several things, but the ones I thought would work are:
    1. (&(objectClass=user)(!(OU=special)))  have tried this with the full search base as well
    2. (!(&(objectClass=user)(OU=special)))
    Any help would be appreciated.

    Hi gpword,
    I don't think you can exclude a sub OU, at least I could never get it working.
    A few options you can use.
    1. Add all the users in the "Special" OU to a group and then exclude that group - I use this option and it works
    (&(ipPhone=*)(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(memberOf=cn=GrouptoExclude,ou=XXXX,ou=XXXXX,DC=domain,DC=local)))
    2. As above, you could utilise the ipPhone field and only sync users who have this set, or only sync users who are a member of a particular group, as below
    (&(ipPhone=*)(objectclass=user)(memberOf=cn=USERStoSYNC,ou=XXXX,ou=XXXX,DC=domain,DC=local)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    The above examples also exclude disabled accounts and computer objects, and include only users with the ipPhone field set.
    Thanks,

  • Q: UCM Ldap filter not finding groups

    Hi There,
    I am setting up UCM and am having problems with groups (roles) being set by the ldap provider.
    The user authorizes, but the ldap search returns no groups.
    LDAP mapping of roles gives the following error every time...
    userstorage 09.03 10:06:59.806 IdcServerThread-34 Loaded extended info for user ucm_user
    userstorage 09.03 10:06:59.806 IdcServerThread-34 Loading Attributes for user ucm_user
    userstorage 09.03 10:06:59.806 IdcServerThread-34 UseFullGroupName false
    userstorage 09.03 10:06:59.807 IdcServerThread-34 UseGroupFilter true
    userstorage 09.03 10:06:59.807 IdcServerThread-34 Searching for groups containing user CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com
    userstorage 09.03 10:06:59.807 IdcServerThread-34 Using search filter (&(objectclass=group)(member=CN\3ducm_user\2cOU\3dcityr\2cOU\3dUsers-Active\2cDC\3dabc\2cDC\3dcom))
    userstorage 09.03 10:06:59.807 IdcServerThread-34 Searching for groups based at DN ou=Users-Active,dc=abc,dc=com
    userstorage 09.03 10:06:59.904 IdcServerThread-34 No groups found for user CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com
    userstorage 09.03 10:06:59.905 IdcServerThread-34 Adding default network account '#none" to CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com
    userstorage 09.03 10:06:59.905 IdcServerThread-34 Attributes loaded
    userstorage 09.03 10:06:59.905 IdcServerThread-34 LdapProvider.checkCredentials() finished in 0.182 seconds.
    Using a freeware ldap GUI (ldapadmin.exe), I can run the query just fine; the groups are found.
    Has anyone seen this before?
    Thanks

    Please see the attached link under primaryGroupID, which states that the Domain Users group is not part of the memberOf attribute.
    http://msdn.microsoft.com/en-us/library/ms677943.aspx
    That explains why the mapping fails for any Domain Users, as seen in the debugs.

  • LDAP - Filter on groups (iPlanet)

    We connected Weblogic to our LDAP server (iPlanet type) and successfully imported all users and groups.
    Now we want to filter on the users being in one group (we are not interested in all users).
    With an ActiveDirectory LDAP Provider you can set the All Users filter & User From Name filter to:
    (&(sAMAccountName=*)(memberOf=CN=OBIEE,OU=Security,OU=Groups,OU=COMP1,DC=COMPANY,DC=com)(objectclass=person))
    With this filter in place, only users that are members of "CN=OBIEE,OU=Security,OU=Groups,OU=COMP1,DC=COMPANY,DC=com" will be able to log in.
    Now we are migrating the LDAP server from ActiveDirectory to iPlanet.
    The structure of this system is:
    GROUPS
    GRP OBIEE
    uniqueMember:MVL
    uniqueMember:DFG
    USERS
    uniqueMember: MVL
    The relation between users and groups is stored on group level.
    Does anyone know if this is possible and what the structure of the filter is?
    Thanks in advance.

    Have you already found a work around?
    Depending on your DIT, I'd assume you could set your base lower, and just do a search for (!(objectclass=SAccount)).
    Also, you've probably checked it a number of times already, but could there be a spelling error? Have you tried using the wildcard on your ! filter, so that it reads:
    (&(objectclass=customAccount)(!(objectclass=customSA*)))
    Good luck!

  • How to set up a query filter?

    I'm trying to run the QueryCards method using a query filter object[][]. Can someone provide a working example of the filter? What I'm using below is throwing a SQL error:
    SQL Open Error (0x80040e21): SELECT DISTINCT C.OBJECTID, C.NAME, C.LASTMODIFIED, C.IMAGEUUID, C.URL1, C.URL2, C.URL3, C.URL4, FC.FOLDERID FROM PTCARDS C, PTFOLDERCARDS FC, PTCARDSECURITY CS, PTVGROUPMEMBERSHIP GM1, PTFOLDERSECURITY FS, PTVGROUPMEMBERSHIP GM2 WHERE C.CRAWLERID = ? AND C.OBJECTID = FC.CARDID AND FC.CARDSTATE = 2 AND C.OBJECTID = CS.OBJECTID AND CS.GROUPID = GM1.GROUPID AND GM1.USERID = ? AND FC.FOLDERID = FS.OBJECTID AND FS.GROUPID = GM2.GROUPID AND GM2.USERID = ? ADO Error: count = 1, return code = 0x80040e21 Multiple-step OLE DB operation generated errors. Check each OLE DB status value, if available. No work was done. (SQL State (null))
    // Query filter: one row per element (property id, filter operator, value)
    object[][] aQuery = {
        new object[] {PT_PROPIDS.PT_PROPID_NAME},
        new object[] {PT_FILTEROPS.PT_FILTEROP_CONTAINS},
        new object[] {"Presentation"}
    };
    IPTQueryResult pResult = pCatalog.QueryCards(PT_CLASSIDS.PT_CRAWLER_ID, 203, false, false, PT_PROPIDS.PT_PROPID_NAME | PT_PROPIDS.PT_PROPID_LASTMODIFIED | PT_PROPIDS.PT_PROPID_OBJECTID | PT_PROPIDS.PT_PROPID_FOLDER_PATH | PT_PROPIDS.PT_PROPID_CARD_PARENTFOLDERID | PT_PROPIDS.PT_PROPID_IMAGEUUID, null, 0, 100, aQuery);

  • Are there any rough processes for a Solaris administrator to set up Sun LDAP as a naming server on a Sun sparc host? Like: 1st: modify /etc/nfsswitch.nfs 2nd: add the LDAP server in /etc/hosts. 3rd: ......

    Besides, can we install the LDAP server on sparc hosts as the naming system? Can we use Sun LDAP server or iPlanet Directory Server? Or do we need a BIND DNS server too?

    There is a nice book from Michael Haines and Tom Bialaski: "Solaris and LDAP Naming Services" which contains all you need to configure Directory Server, LDAP, Naming Switch...
    Ludovic.

  • Not possible to set up icloud email filter rules from ipad

    Users on ipads with icloud for email appear to have no way to set or edit their email filter rules, as this functionality is not provided via any mail app menu, and attempts to log in and edit these via webmail are not possible since Apple has set icloud.com to intercept and disallow ipad web browser logins. Is there a workaround or do we just direct people over to gmail?

    No, there is no workaround available. Unfortunately, you would have to use a PC or Mac in order to sign in to the web portal www.cloud.com.

  • Jabber Windows - no phone control with LDAP Custom filter

    I am unable to control the desktop phone from the Jabber 9.1 Windows client when the CallManager LDAP Directory uses a Custom Filter.
    Has anyone else experienced this?
    If I set the LDAP Custom Filter to <none> and save, then Desktop Phone control works great.
    If I set it to use my custom filter, then trying to enable Desktop control just gives me the spinning circle, then times out to the Red X symbol.
    I do not need to resync the LDAP Directory to get the error, just enable/disable the custom filter and save.
    In both cases calling from the Computer works great.
    This is an On-Prem deployment with full MS-AD LDAP integration.
    Versions are:
    Jabber - 9.1.0 build 12296
    CUPC - 8.6.4.11900-1
    CUCM - 8.6.2.22900-9
    I upgraded to CUCM 8.6.2 SU2 last night hoping that would fix the problem, but no luck.
    The LDAP filter is one I have used in numerous other clusters with no CTI issues.
    It allows me to sync to the root directory, but only import active user accounts with an entry in the ipPhone AD attribute:
    (&((objectclass=user)(ipPhone=*))(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    Thanks, Randy

    Hi Randy,
    Have you specified this base filter in jabber-config.xml file? As per Admin Guide:
    "In some cases, base filters do not return query results if you specify a closing bracket in your Cisco Jabber for Windows  configuration file. For example, this issue might occur if you specify  the following base filter: (&(memberOf=CN=UCFilterGroup,OU=DN))
    To resolve this issue, remove the closing bracket; for example, (&(memberOf=CN=UCFilterGroup,OU=DN)"
    Thanks,
    Maqsood
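As an added example (not code from any of the threads above): a minimal evaluator for the RFC 4515 filter subset used in the opening question and in the CUCM and UCM threads, run against constructed entries, showing that (csimAccountPermission=macosx) admits only accounts carrying that value and that the CUCM exclusion filter drops group members, computers and disabled accounts. All entries, uids and DNs are made up; the bitwise matching rule OID 1.2.840.113556.1.4.803 is the one quoted in the CUCM and Jabber posts.

```python
import re

BIT_AND = ":1.2.840.113556.1.4.803:"   # AD LDAP_MATCHING_RULE_BIT_AND, as used above

def _unescape(value):
    # RFC 4515 writes special bytes as \xx hex pairs (the UCM log above shows
    # "=" as \3d and "," as \2c); decode them back to characters.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(text):
    """Parse a filter string into a nested tuple; returns (tree, remaining text)."""
    assert text[0] == "(", "filter must start with '('"
    if text[1] in "&|":                      # AND / OR over a list of sub-filters
        op, rest, items = text[1], text[2:], []
        while rest[0] == "(":
            sub, rest = parse(rest)
            items.append(sub)
        return (op, items), rest[1:]
    if text[1] == "!":                       # NOT over exactly one sub-filter
        sub, rest = parse(text[2:])
        return ("!", [sub]), rest[1:]
    end = text.index(")")                    # simple item: attr=value
    attr, value = text[1:end].split("=", 1)
    return ("=", attr, value), text[end + 1:]

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (dict attr -> list of str);
    names and values compare case-insensitively, as most LDAP syntaxes do."""
    if tree[0] == "&":
        return all(matches(t, entry) for t in tree[1])
    if tree[0] == "|":
        return any(matches(t, entry) for t in tree[1])
    if tree[0] == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    bit_and = attr.lower().endswith(BIT_AND)
    if bit_and:
        attr = attr.split(":", 1)[0]
    values = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
    if bit_and:                              # true when every bit of the mask is set
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    if value == "*":                         # presence filter
        return bool(values)
    if "*" in value:                         # substring filter
        pattern = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    return any(v.lower() == _unescape(value).lower() for v in values)

def allowed_users(filter_text, entries):
    """Return the uids of the entries the filter admits."""
    tree, rest = parse(filter_text)
    assert rest == "", "unbalanced filter, trailing text: " + rest
    return [e["uid"][0] for e in entries if matches(tree, e)]

# Constructed entries for the question's directory; one account has the "macosx" value.
PEOPLE = [
    {"uid": ["olivier"], "csimAccountPermission": ["sambalogin", "macosx"]},
    {"uid": ["guest"], "csimAccountPermission": ["sambalogin"]},
]
MACOSX_ONLY = "(csimAccountPermission=macosx)"          # admits only olivier

# Constructed AD-style entries for the CUCM thread's filter, which admits only
# enabled user objects with ipPhone set that are not in the excluded group.
GROUP = "CN=GrouptoExclude,OU=Svc,DC=example,DC=local"  # made-up DN
AD = [
    {"uid": ["alice"], "objectclass": ["user"], "ipPhone": ["1001"],
     "userAccountControl": ["512"], "memberOf": []},
    {"uid": ["bob"], "objectclass": ["user"], "ipPhone": ["1002"],
     "userAccountControl": ["512"], "memberOf": [GROUP]},
    {"uid": ["carol"], "objectclass": ["user"], "ipPhone": ["1003"],
     "userAccountControl": ["514"], "memberOf": []},    # 514 = 512 | 2, disabled
]
CUCM_SYNC = ("(&(ipPhone=*)(objectclass=user)(!(objectclass=Computer))"
             "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"
             "(!(memberOf=" + GROUP + ")))")             # admits only alice
```

Call `allowed_users(MACOSX_ONLY, PEOPLE)` and `allowed_users(CUCM_SYNC, AD)` to see the two selections; an escaped DN such as CN\3dGrouptoExclude\2c... in a memberOf filter matches the same entry as the plain form.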
