Implementing local user security with ZCM11

Similar Messages

• Problem using Implementing Remote Panel Security with a Login Example Guide

  I'm having issues implementing a Remote Panel protected by username and password using this NI guide:
  Implementing Remote Panel Security with a Login Example
  Remotepanellogin.zip
  After login process using Login.vi, if the user has the right password, his IP will be included in the Webserver allowed access list and the user can open the web site which hosts the Main.vi. Ok.
  But if the user doesn't have the password, his IP will be denied!
  Here is the problem: Will his IP be denied at all including Login.vi? 
  I can't block access to Login.vi because even if the user entered a wrong password, he can still try login again....
  How can I configure a type of Allowed and Denied table using Webserver properties? For example:
  IP: 10.0.0.2 - Login.vi (allowed) - Main.vi (allowed) -> User entered a right password
  IP: 10.0.0.3 - Login.vi (allowed) - Main.vi (denied) -> User entered a wrong password
  Note: Login.vi must be visible and accessible always.
  These are the Implementing Remote Panel Security with a Login Example instructions:
  After you configure the VIs with the Web Publishing Tool, browse to the Remote Panel Login VI and run it. When this VI runs, LabVIEW gives remote panel access to all users, but they can view and control only this VI.
  If a user successfully logs in by supplying the Username of NI and password of labview (both are case sensitive) then LabVIEW gives remote panel access to the IP address specified in the Remote Panel Login VI only. That user can then browse to and run the Main VI.
  Thanks in advance!
  APrado
  Message Edited by APrado on 04-01-2009 08:21 AM

  I'm thinking about using the option Reentrant Execution (VI property > Category > Execution).
  Could anyone help me?
  Thanks.

• Migrating local users failed with migration tool

  Getting an error trying to migrate local users from windows server 2003 R2 (X86) to windows 2008 R2. There is no domain involve in our environment. Both are workgroup servers.
  By following the steps given by Microsoft, trying to export local users and group information but failed with the error massage below,
  Export-SmigServerSetting : Initialization of the migration failed.
  The migration operation encountered an unknown exception.
  At line:1 char:25
  + Export-SmigServerSetting <<<<  -User All -Group -Path C:\migrate\miguser -Ver
  bose
      + CategoryInfo          : InvalidOperation: (:) [Export-SmigServerSetting]
     , MigrationException
      + FullyQualifiedErrorId : Microsoft.Windows.ServerManager.Migration.Comman
     ds.ExportSvrMigSettingCommand
  Trying to find this error massage through web page but none encounter this before.
  Not sure if there is something that I missed out or it would be something to do with the source machine.
  thanks,

  Hi,
  Did you follow this MS article?
  http://technet.microsoft.com/en-us/library/dd379531(v=ws.10).aspx#BKMK_strategy
  Meanwhile, hops this helps:
  Troubleshooting Cmdlet-based Migration
  http://technet.microsoft.com/en-us/library/dd871120.aspx
  Regards.
  Vivian Wang

• Single Sign On and user security with IS

  We have installed Information Steward 4.1 SP1 Patch 1 with Data Services 4.1 SP1 Patch 2 on Information Platform Services 4.0 SP 5 patch 6.  The Information Steward system is installed on it's own server.  We are connecting IS to our SAP Netweaver 7.3 system. 
  I have set up Single Sign On using Windows AD authentication.  The connection to the SAP system uses a service account. 
  Because the SAP system has our payroll information on it, we want to restrict Information Steward users based on their SAP security profiles.  We don't want to have to maintain security settings in both SAP and Information Steward. 
  Does anyone know if there's a way to set up Single Sign On so it passes the user credentials from SAP to Information Steward?  Then restrict the users on Information Steward based on their SAP security settings?
  Any advice would be appreciated!

  Hi,
  You can use Windows AD or SAP Authentication and configure it with SSO. However this should be done in the BI/IPS plaftorm and not IS. See the BI admin guide (http://help.sap.com/bobip40) section "Authentication options in BI platform". Please let me know if that's what you wanted.
  thanks

• How to implement Oracle Label Security with Oracle8.1.5 database

  I want some fields in some tables which could not be even viwed by DBA..
  I am working on Oracle Server 8.1.5
  If possible it should be in the same database,same schema but different schema may also work..
  Please help

  I don't think this is going to be possible.
  When you register a crawler, you have to declare it as one of three types: Public, Identity-based or Attribute-based.
  The database crawler is registered as attribute-based, and therefore must be used with a suitable authorization manager.
  I guess in theory you could create a new authorization manager class which queries active directory to get the appropriate security attributes for a user (corresponding to the security attributes crawled from the database), but I suspect it might be easier to figure out a way to copy AD attributes into a database table (perhaps updating the table once a day via a nightly crawl of AD) and then use the standard database authorization manager.

• Is it possible to move or merge my local user account with an Active Directory account?

  10.7.2 update now allows me to authenticate against AD, and I have a shiny new account on my mac.  Is there any way to merge my local and AD accounts?  Or link my local account to my AD account? Can I change the home directory of the AD account to point to my local account folder?

  Gary,
  Performance would be absolutely horrible if you hung a USB drive off an AEBS and used that as your home directory, wirelessly. You're going to be getting no more than about 10 MB/sec, or roughly 1/5 the speed (in the IDEAL case -- practically it's worse than that) of your current setup.
  If you want to access the same email from multiple Macs, you should consider using IMAP. .Mac can do this -- and you can have up to 4 GB on the server, if you pay for it. Default is up to 1 GB, if you shrink your iDisk space to nothing.
  Another alternative if you want to share something centrally is to use OS X Server and Portable Home Directories. This is pretty complicated for the home user, though, and requires OS X Server (minimum $499), a machine to run it on, and some good knowledge of Open Directory and AFP services. It works quite well for corporate clients though.
  Otherwise, synching stuff across multiple machines may work. But don't even think about moving your whole home directory to a central network mounted drive, especially something as slow as a USB drive on an AEBS over wireless.

• What is involved in going from local user accounts to active directory accounts with CCM 9.1.2?

  We are currently using local user accounts with CUCM 9.1.2 and are looking at integrating it into the active directory structure.
  We do utilize the same structure for user ID's.
  I am looking to find out what the changeover will entail and if anything else needs to be done prior to the integration.
  We also have Unity syncing up with CUCM for users as well as Contact Center sync'ed up for our ACD system.
  Thanks
  Mike

  Hey Mike,
  The process is pretty straight forward.  CUCM 9.X supports the coexistence of AD integrated users and local users so you don't have to worry about local accounts disappearing if they don't have an AD account.  The biggest thing to watch out for is that if you decide to revert back for whatever reason then the accounts that were in AD will be marked for deletion (from the CUCM, not AD) and will be removed after approximately 24 hours.  
  I recommend the following if you'd like to move to AD.
  Run a DRS backup of CUCM.  This is not necessary for the integration but is good practice in my opinion.  I'd also do a full export of your users using the BAT so you can reimport users to how they were before the integration should you decide to revert for any reason.
  Determine if you want to put the user's extensions in the telephonenumber field or ipPhone field in AD.  Once you make a decision, I recommend populating that information in AD so it is available when you do the integration.  
  Make sure your local CUCM user accounts usernames are exactly the same as your domain accounts.  That way when you do the integration the local users become AD users and keep all of their phone associations, group memberships, etc.  If you need to change the usernames then be sure to notify your users ahead of time so they can start logging into UCCX or UCM user pages, etc. using their new username. 
  Create an account in AD that has read-only rights to your directory.  Set the password to never expire.  You will use this account later for the integration.  
  In CUCM, go into Serviceability and make sure the "Cisco DirSync" service is activated on the Publisher server.
  Also in CUCM, navigate to the administration page and do the following:
  Go to System > LDAP > LDAP System and Check the box to enable Synchronizing.  Confirm the LDAP server type and attribute for User ID is accurate.  This is typically Microsoft Active Directory and sAMAccountName respectively.
  Go to System > LDAP > LDAP Directory
  Click Add New
  Give it a name (whatever you want).
  Put in the Distinguished Name of the AD integration account you created earlier. For example, if you created an account called ciscoldap in the Service Accounts OU in the abc.com domain then it would look something like this... CN=ciscoldap,OU=Service Accounts,DC=abc,DC=com
  Enter the password for the account.
  Enter the search base.  This can be a specific OU where your users exist, a parent OU which contains other OUs which contain all of your users or the entire domain.  If you do the entire domain then in the abc.com example you would specify DC=abc,DC=com.
  Select the option to perform a sync with AD on periodic intervals.  The lowest interval you can set is every 6 hours.
  Select either the telephonenumber or ipPhone field to be used for the user's extensions.  This will be whatever you decided and populated in AD in an earlier step.
  Add your primary and any backup domain controllers and ports.  If they are just domain controllers and you are not using SSL then specify port 389.  If they are also global catalog servers then you can do port 3268.
  Click Save and Click the "Perform Full Sync Now" button.
  I recommend that you also use LDAP for authentication as well so you only have one username and password to remember which is all controlled by AD.  To add this do the following:Go to System > LDAP > LDAP Authentication.
  Click Add New
  Check the box to use LDAP Authentication
  Add the same Distinguished name, passwords and user seach base that you used for your integration account earlier under the synchronization section.  Also add the same primary and secondary LDAP servers and ports you used earlier.  
  Click Save
  You can go a step further and create a filter to only pull in the users within the search base you specified and apply that.  For example, maybe only pull in users that have their ipPhone field populated.  Let me know if you have any questions on that or any of the above.
  I hope this helps!

• Data level Security with Oracle Apps as Source

  Hi all
  I am implementing Data level Security with Apps as Source(OLTP) on Single Sign On.(Oracle has provided the Vanila rpd & we are working on that)
  I need to Filter data based on Business Group, Users are created in Apps and they are registered with some Responsibilities.
  (for eg, OBI User CHINA is a Responsibility; Now he will get only Business Group ID for China)
  I have created Groups in rpd with same name as the responsibility in Apps.
  I have created Initialization Blocks from which I m getting only 1 business group ID for every :USER.(I tried the code in TOAD & I m getting the correct BG ID)
  I have created Group in WEB with the same name as the Group name in rpd.
  If I say show all Users and Groups in WEB, I m getting the APPS Users.
  I hv Reloaded the server metadata files and restarted the BI Server/WEB Server also...
  But in the Report, I m getting all the Business Group Ids,
  Plz advice if I m doing something wrong.
  ThanQ
  Anand

  You need to be creating your "business groups" as a group in the RPD, init blocks to retrieve the user business group at login. Filters in the Logical table sources to restrict data to relevant business groups only.
  Presentation 'Web Cat' groups with the same name as the RPD groups so a user inherits membership automatically.
  I'd suggest sourcing a vanilla OBIA rpd to see how it is implemented out of the box.

• What happens to my local user data? -newbie question sorry

  Hi All,
  Firstly apologies if this seems a dumb question, I've scoured the forums but I require something that fits my specific situation.
  I've had a (my first) MacBook for about 9 months, built up a fairly healthy local user, setup just how I like it, MobileMe, iTunes, Chrome, iPhoto library, lots of other apps, etc etc and so forth.
  I'm setting up a Mac Mini Server, and was wondering what I can do to join the new server, but take all my settings/downloads/iTunes etc with me... I don't want it all stored on the server, but I come from a Micro$oft Windows background. With MS, when you add a PC to a domain, login with the appropriate user account, you have a fresh profile, no settings, no files, no customisations etc etc is this also the case when I hit that Join Network Account server button on my Mac? Will I get a blank fresh account on my Macbook?
  I'm guessing this must happen quite often as people start their way into Apple technology and build up a nice healthy local account before branching further into the Apple world...

  The two laptops I use everyday have access to all the servers via my network account. It is set so that my user account is listed as having "no home" So I log into the laptop with my local user account with a UID of 501 but access all the network services via the go menu and my network account of the same name but with a UID of 1034.
  For all other users in the company, if they are on a laptop, I use network accounts. The machines are managed to ask if the user wants to create a mobile account when they login. For permanently assigned laptop users, the answer is yes. This puts their home on the laptop and ties them to that machine. I use mobile account syncing to make sure their critical data is copied to the server for backup.
  By having the machine ask to create the mobile account, users can answer no and login to their network home. The use of the laptop may be needed temporarily if a regular workstation is down.
  Once in a while I will need to convert a local account to a network account. While a bit more laborious that setting it up correctly at the beginning, it can be done.
  But I never let any user account have the UID of 501. I would set that up as the local admin account I use for installing updates and performing other maintenance. If needed, I would back up the user data and erase and re-install the OS.

• Bug When Converting (Back) To Local User Account

  I am using Windows 8.1 Pro and began by setting up a local user account, which is the Administrator account. I then successfully switched the account to a Microsoft account, with the same user name.
  As a test, I then decided to switch back to a local user account.
  The bug is that I was not permitted to use the same user name. I had to select a different user name. This defeats the purpose of transparently switching a from a Microsoft account to a local account.
  Fortunately (for me) I had anticipated that something might go wrong and had performed a full system backup to a external USB drive before I began this switching test.
  L.M.Cohen

  While Windows 8.1 (Pro) allows you to create new User accounts, it is set up to "convince" you to create Microsoft-type user accounts, rather than local user accounts.
  And if you try to convert a Microsoft-type account to a local user account,
  with the same user name, it will not yet you do it. However it will allow you to convert in the opposite  direction,
  with the same user name.
  So I started all over and carefully read the small print -- to learn that you can initially set up a local user account. But this is discouraged, but if you persist, it can be done -- even though it is implied that "the sky might fall."
  This is disingenuous.
  However now that I understand the dynamics, I have no more problems.
  Regards,
  L.M.Cohen
  L.M.Cohen

• Secure External LDAP with local user provisioning in a org.

  To all:
  I'm working with 05Q1 or as some say v3. I was able to successfully set up user authentication with external ldap and dynamic creation of users with in local org and ldap and map over attributes for storage into local ldap. Now I need to try and make it a secure external ldap authentication. Without disturbing any of the other orgs with in the local system.
  Is it possible without turning on security for all? Where would the certs be stored for the secure external LDAP that I am authenticating against?
  Help would be appreciated.
  If anyone is trying to do the same thing let me know if your having trouble. I sure did, just getting to the point that I am right now.
  Thanks,
  - Milo

  Hi,
  Check following forum thread.
  Re: custome role maper example
  Regards,
  Kal

• Web - What is easiest way to implement User Security and User Profiles

  Hi, I am new to these forums and kind of new to Java. Sorry if this is in the wrong forum!
  Bit of background to my experience with java
  I have been playing about with java for a number of years and have created a few basic programs such as a screen shot tool that allows you to capture to default locations and look at previews first etc. I am now venturing into web related stuff. I work in IT doing systems testing and have done bits of basic development on various things.
  What I've done so far
  I am using Netbeans IDE 6.7 and MySQL 5.0
  I am trying to learn more complex java and have decided to try build a basic web / database system that basically implements adding / amending / deleting data from a MySQL database through web pages. I am now trying to implement basic user access and profiles. I have so far got the following:
  - MySQL table with user info - username / password
  - JSP page with usual login stuff
  - Servlet that validates the username and password - if correct forwards to main menu page.
  Its as simple as that - there is nothing stopping you just typing in the URL of the main menu page and going from there.
  What I want
  I am wanting to eventually get the following:
  - User authentication so that you have to logon before you can access anything else
  - User profiles that determine what each user can or can't do, restricting the pages / services / options available (i.e. normal user can't delete etc)
  - Would it need some sort of session manager to allow multiple users etc?
  I appreciate this is a fairly open question but what is the easiest way to start implementing this? Not after specific code as I would prefer to try figger things out myself, but a point in the right direction would be great. It doesn't have to be extremely secure as this is just for me at the minute.
  I have spent all day looking at things like session data / url rewriting / security settings in web.xml / bespoke servlets and am now in java overload!

  Hi everyone,
  I've now actually gone back to the tutorial that I linked to above and implemented that using form login and j_security_check.
  Agree with Saish, and although I don't know enough about the other options to give a good reason, using realms and j_security_check just seems to be a bit cluncky and messy. I would also prefer something a bit more generic, that doesn't rely on setting users in glassfish, hence why I started with my own user table.
  Anyway, I will leave it as is for now and maybe come back and try one of the other options.
  The only problem I can see now is that to add users i will need to go through all the steps of adding users in glassfish and web.xml... Is there a way to do this through a servlet or something so I can have a jsp page to add users that also creats all the other bits for it to work?
  Thanks everyone for your help

• SSO for application systems with local users?

  Hi all,  I'm new to Oracle Identity Management.  My company is going to implement SSO for inhouse applications.  However, some applications have their own local users (e.g. admin, guest, etc.) who have to login to the application system through the same interface.  We put all organization users in an Oracle enterprise Directory server, which is the authentication backend of the Access Manager.   After implementing webgate, such local users can't get authenticated.  I'd like to know if it's possible to configure particular users/applications to bypass SSO and use local authentication?     Thanks.
  Rgds
  /ST wong

  Possible solution is to create a new entry point for local users. Create two proxies one for actual user entry and another for local user. You can restrict n/w access to proxy with local login so that only few hosts based on your requirement who needs to access system with local accounts. This way you will have two web sites for single application.

• Get error while Integrating with Oracle's Enterprise User Security

  Hi,
  I am trying to create an Oracle Enterprise User integrating with OVD and MS Active Directory.
  I am following all the steps in Integrating with Oracle's Enterprise User Security.
  In the documentation section: "Configuring Oracle Virtual Directory for the Integration"
  I have applied the steps successfully until:
  Update and load the entries into the Local Store Adapters by performing the following steps:
  I have successfully extended the Oracle Virtual Directory schema with the loadOVD.ldif
  However I am getting errors in the next step: Update realmRoot.ldif to use your namespaces
  The next step states the following:
  Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname,
  and memberurl attributes in the file. If you have a DN mapping between Active Directory and
  Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory.
  The realmRoot.ldif file is located in ORACLE_VIRTUAL_DIRECTORY_HOME/eus,
  where ORACLE_VIRTUAL_DIRECTORY_HOME represents the location where Oracle Virtual Directory is installed.
  The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.
  Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:
  ldapmodify -h Oracle_Virtual_Directory_Host –p OVD_Port -D cn=admin -w Admin_Password -v -a –f realmRoot.ldif
  When I run the ldapmodify command I get the following error:
  add dc:
  testldap
  add objectclass:
  top
  domain
  domainDNS
  adding new entry DC=testldap,DC=local
  ldap_add: Operations error
  ldap_add: additional info: LDAP Error 1 : null
  The actual realmRoot.ldif looks like this:
  # Please uncomment the following one line if you are importing this
  # LDIF file via OVD Manager or OVD Server's ldapmodify tool.
  #version: 1
  #dn: dc=com
  #dc: com
  #objectclass: domain
  dn: DC=testldap,DC=local
  changetype: add
  dc: testldap
  #o: subarashii
  objectclass: top
  objectclass: domain
  objectclass: domainDNS
  #objectclass: orclSubscriber
  #orclsubscriberfullname: subarashii
  #orclVersion: 90400
  # If your domain structure has more layers than dc=subarashii,dc=com,
  # for example, it's dc=us,dc=subarashii,dc=com, you will need to load
  # the following ldif entry/entries too.
  # Uncomment out the following, if required.
  #dn: dc=us,dc=subarashii,dc=com
  #orclversion: 90400
  #orclsubscriberfullname: us
  #objectclass: domain
  #objectclass: top
  #objectclass: orclSubscriber
  #dc: us
  # Adding EUSDBGroup entry
  # Modify the memberurl attribute and replace it with your own domain name
  #dn: cn=EUSDBGROUP,dc=subarashii,dc=com
  #cn: EUSDBGROUP
  #memberurl:ldap:///dc=subarashii,dc=com??sub?(&(objectclass=orclService)(objectclass=orclDBServer))
  #objectclass:groupofuniquenames
  #objectclass:groupofurls
  #objectclass:top

  Did you ever get your questions answered about the realmRoot.ldif file? Did you manage to configure a successful integration of OVD with EUS? I am battling with trying to get Oracle Virtual Directory integrated with Enterprise User Security, but every step I take in Chapter 7 of the OVD manual fails in some way, and the instructions are often vague. I am not sure how to modify the realmRoot.ldif file. Is there any improved documentation on this? I have logged a Service Request, but not getting any help. Any resources or documentation you know of that provides better guidance would be much appreciated. I am way behind my schedule now and this is a very frustrating exercise.
  Thanks.

• Implementing LCDS Security with MDD

  I am trying to understand security with MDD.
  In my scenario, a user submits a document. I want to ensure that when the document is updated, the person who updated the document is the one who is updating the document.
  My concern: If the submittedByUserID is returned to the client, a malicious authenticated user can falsify the headers to change the submittedByUserID.
  My initial thoughts: I need to have a userServiceImpl that has a loginUser() method. The loginUser() method sets the user's ID in the session and I need to populate the submittedByUserID with this session information using the update-security-constraint.
  Am I correct in the approach above? Is there a better way? Am I totally off-base?
  If I am correct, how would I go about implementing this approach?
  Data Structure:
  <model>
      <entity name="User" persistent="true">
          <id name="userID" type="integer" generated="true"/>
          <property name="username" type="string"/>
          <property name="password" type="string"/>
          <property name="documents" type="Document[]"/>
      </entity>
      <entity name="Document" persistent="true">
           <id name="documentID" type="integer" generated="true"/>
          <property name="body" type="blob"/>
           <property name="submittedByUserID" type="integer"/>
      </entity>
  </model>

  Hi ,
    If you want ensure & maintain security for your LAN sub nets  , kindly move the gateway towards your fortigate 60c  from  distribution switches , by this way u dont want to write ACL on your distribution switches and manage it . (Subinterface on fortigate 60c )
     If your subnet is getting expanded downline , you can plan for mix
  1) defining gateway on firewall { subinterface on firewall } for subnet which need control on access 
  2) defining gateway on distribution switches  for subnet which dont need any access control . 
  HTH
  sandy