IOS LDAP authentication against sAMAccountName

Hi,
I'm running an 881 with c880data-universalk9-mz.151-3.T.bin and now I'm trying to enable LDAP authentication. This works, but it only allows me to authenticate against the full CN (like CN=Firstname Lastname). I would like to authenticate against the sAMAccountName instead, since this is the same username the users are using in Windows.
This is my config:
ldap server dc01
ipv4 10.10.250.111
bind authenticate root-dn CN=LDAPReader,CN=Room,DC=customer,DC=local password 7 encrpasswordhere
base-dn OU=Room,OU=Users,DC=customer,DC=local
search-filter user-object-type *
Any idea on how to do this?
Thanks!
Regards,
Armand.

Hi Anisha,
I've just removed the search-filter user-object-type * line and added the search-filter user-object-type sAMAccountName line. Then I've performed a debug ldap all:
001356: Apr  5 10:20:13.608 CET: LDAP: LDAP: Queuing AAA request 79 for processing
001357: Apr  5 10:20:13.608 CET: LDAP: Received queue event, new AAA request
001358: Apr  5 10:20:13.608 CET: LDAP: LDAP authentication request
001359: Apr  5 10:20:13.608 CET: LDAP: Attempting first  next available LDAP server
001360: Apr  5 10:20:13.608 CET: LDAP: Got next LDAP server :dc01
001361: Apr  5 10:20:13.608 CET: LDAP: Server connection not up. Current state DOWN
001362: Apr  5 10:20:13.608 CET: LDAP: No servers left in LDAP server-group. Perform method failover
001363: Apr  5 10:20:13.608 CET: LDAP: Failed to send request. No more LDAP servers left.
001364: Apr  5 10:20:13.608 CET: LDAP: Performing method failover
001365: Apr  5 10:20:19.184 CET: LDAP: Received timer event
001366: Apr  5 10:20:19.184 CET: LDAP: Connection timeout occured. Retrying
001367: Apr  5 10:20:19.184 CET: LDAP: Opening ldap connection ( 10.10.250.111, 389 )ldap_open
ldap_init libldap 4.5 18-FEB-2000
open_ldap_connection
ldap_connect_to_host: 10.10.250.111:389
001368: Apr  5 10:20:19.184 CET: LDAP: socket 0 - connecting to 10.10.250.111 (389)
001369: Apr  5 10:20:19.184 CET: LDAP: socket 0 - connection in progress
001370: Apr  5 10:20:19.184 CET: LDAP: socket 0 - local address 10.10.250.254 (51705)
001371: Apr  5 10:20:19.184 CET: LDAP: Connection on socket 0
001372: Apr  5 10:20:19.184 CET: LDAP: Connection to LDAP server (dc01, 10.10.250.111) attempted
001373: Apr  5 10:20:19.184 CET: LDAP: Connection state: DOWN => CONNECTING
001374: Apr  5 10:20:19.184 CET: LDAP: Received socket event
001375: Apr  5 10:20:19.184 CET: LDAP: Checking the conn status
001376: Apr  5 10:20:19.184 CET: LDAP: Socket read event socket=0
001377: Apr  5 10:20:19.184 CET: LDAP: Found socket ctx
001378: Apr  5 10:20:19.184 CET: LDAP: Making socket conn up
001379: Apr  5 10:20:19.184 CET: LDAP: Notify the protocol codeldap_open successful
Notify LDAP main if it has to initiate any bind requests
001380: Apr  5 10:20:19.184 CET: LDAP: Protocol received transport up notication
001381: Apr  5 10:20:19.184 CET: LDAP: Connection state: CONNECTING => UP
001382: Apr  5 10:20:19.184 CET: LDAP: Set socket=0 to non blocking mode
001383: Apr  5 10:20:19.184 CET: LDAP: Performing Root-Dn bind operationldap_req_encode
Doing socket write
001384: Apr  5 10:20:19.188 CET: LDAP: Root Bind on CN=LDAPReader,CN=Room,DC=customer,DC=local initiated.
001385: Apr  5 10:20:19.188 CET: LDAP: Received socket event
001386: Apr  5 10:20:19.684 CET: LDAP: Received socket event
001387: Apr  5 10:20:19.684 CET: LDAP: Checking the conn status
001388: Apr  5 10:20:19.684 CET: LDAP: Socket read event socket=0
001389: Apr  5 10:20:19.684 CET: LDAP: Found socket ctx
001390: Apr  5 10:20:19.684 CET: LDAP: Receive event: read=1, errno=9 (Bad file number)
001391: Apr  5 10:20:19.684 CET: LDAP: Passing the client ctx=87179024ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_read_activity lc 0x86A7DB08
Doing socket read
LDAP-TCP:Bytes read = 22
ldap_match_request succeeded for msgid 1 h 0
changing lr 0x85034958 to COMPLETE as no continuations
removing request 0x85034958 from list as lm 0x8715A3F8 all 0
ldap_msgfree
ldap_msgfree
001392: Apr  5 10:20:19.688 CET: LDAP: LDAP Messages to be processed: 1
001393: Apr  5 10:20:19.688 CET: LDAP: LDAP Message type: 97
001394: Apr  5 10:20:19.688 CET: LDAP: Got ldap transaction context from reqid 26ldap_parse_result
001395: Apr  5 10:20:19.688 CET: LDAP: resultCode:    0     (Success)
001396: Apr  5 10:20:19.688 CET: LDAP: Received Bind Response
001397: Apr  5 10:20:19.688 CET: LDAP: Received Root Bind Response ldap_parse_result
001398: Apr  5 10:20:19.688 CET: LDAP: Ldap Result Msg: SUCCESS, Result code =0
001399: Apr  5 10:20:19.688 CET: LDAP: Root DN bind Successful on :CN=LDAPReader,CN=Room,DC=Customer,DC=local
001400: Apr  5 10:20:19.688 CET: LDAP: Transaction context removed from list [ldap reqid=26]ldap_msgfree
ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_err2string
001401: Apr  5 10:20:19.688 CET: LDAP: Finished processing ldap msg, Result:Success
001402: Apr  5 10:20:19.688 CET: LDAP: Received socket event
001403: Apr  5 10:20:33.832 CET: LDAP: LDAP: Queuing AAA request 79 for processing
001404: Apr  5 10:20:33.832 CET: LDAP: Received queue event, new AAA request
001405: Apr  5 10:20:33.832 CET: LDAP: LDAP authentication request
001406: Apr  5 10:20:33.832 CET: LDAP: Attempting first  next available LDAP server
001407: Apr  5 10:20:33.832 CET: LDAP: Got next LDAP server :dc01
001408: Apr  5 10:20:33.832 CET: LDAP: First Task: Send search req
001409: Apr  5 10:20:33.832 CET: LDAP: Check the default map for aaa type=username
001410: Apr  5 10:20:33.832 CET: LDAP: Ldap Search Req sent
                    ld          2266468388
                    base dn     OU=Lokaal10,OU=Room,DC=customer,DC=local
                    scope       2
                    filter      (&(objectclass=sAMAccountName)(cn=armandputs))ldap_req_encode
put_filter "(&(objectclass=sAMAccountName)(cn=armandputs))"
put_filter: AND
put_filter_list "(objectclass=sAMAccountName)(cn=armandputs)"
put_filter "(objectclass=sAMAccountName)"
put_filter: simple
put_filter "(cn=armandputs)"
put_filter: simple
Doing socket write
001411: Apr  5 10:20:33.836 CET: LDAP:  LDAP search request sent successfully (reqid:27)
001412: Apr  5 10:20:33.836 CET: LDAP: Sent the LDAP request to server
001413: Apr  5 10:20:34.344 CET: LDAP: Received socket event
001414: Apr  5 10:20:34.344 CET: LDAP: Checking the conn status
001415: Apr  5 10:20:34.344 CET: LDAP: Socket read event socket=0
001416: Apr  5 10:20:34.344 CET: LDAP: Found socket ctx
001417: Apr  5 10:20:34.344 CET: LDAP: Receive event: read=1, errno=9 (Bad file number)
001418: Apr  5 10:20:34.344 CET: LDAP: Passing the client ctx=87179024ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_read_activity lc 0x86A7DB08
Doing socket read
LDAP-TCP:Bytes read = 22
ldap_match_request succeeded for msgid 2 h 0
changing lr 0x85034958 to COMPLETE as no continuations
removing request 0x85034958 from list as lm 0x8715A3F8 all 0
ldap_msgfree
ldap_msgfree
001419: Apr  5 10:20:34.348 CET: LDAP: LDAP Messages to be processed: 1
001420: Apr  5 10:20:34.348 CET: LDAP: LDAP Message type: 101
001421: Apr  5 10:20:34.348 CET: LDAP: Got ldap transaction context from reqid 27ldap_parse_result
001422: Apr  5 10:20:34.348 CET: LDAP: resultCode:    0     (Success)
001423: Apr  5 10:20:34.348 CET: LDAP: Received Search Response resultldap_parse_result
001424: Apr  5 10:20:34.348 CET: LDAP: Ldap Result Msg: SUCCESS, Result code =0
001425: Apr  5 10:20:34.348 CET: LDAP: Failed to get any search entries ldap_msgfree
001426: Apr  5 10:20:34.348 CET: LDAP: Closing transaction and reporting error to AAA
001427: Apr  5 10:20:34.348 CET: LDAP: Transaction context removed from list [ldap reqid=27]
001428: Apr  5 10:20:34.348 CET: LDAP: Notifying AAA: REQUEST FAILED
001429: Apr  5 10:20:34.348 CET: LDAP: Received socket event
I'm not really good at AD, but "armandputs" is my sAMAccountName in the AD. My CN is "Armand Puts" in the AD. So there is still something going wrong. Any ideas?
Thanks!
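The debug output above shows how this IOS release assembles the search: the value given to search-filter user-object-type becomes the objectclass test, and the username is always matched on cn. The change therefore produced (&(objectclass=sAMAccountName)(cn=armandputs)), which no AD object can satisfy (sAMAccountName is an attribute, not an object class), hence "Failed to get any search entries". Note also that the base DN in the debug (OU=Lokaal10,OU=Room,...) is not the one in the config of the first post. The toy searcher below is an example added here, not code from the thread or from Cisco: it replays the filter IOS sent against two constructed directory entries, then the AD-style filter (&(objectClass=user)(sAMAccountName=...)), the same form the ASA debug further down this page sends as "Filter = [sAMAccountName=testvendor]". Because the username attribute then becomes the one users type at the login prompt, the login name is RFC 4515-escaped before it goes into the filter; the escaped hostile name at the end shows what that prevents. On IOS the usual knob for changing the username attribute is an ldap attribute-map (map type sAMAccountName username) referenced from the ldap server block; the thread does not show that, so treat it as an assumption to confirm against the 15.1T LDAP configuration guide.

```python
import re

# Filter exactly as the IOS debug output above shows it on the wire.
IOS_FILTER_AS_SENT = "(&(objectclass=sAMAccountName)(cn=armandputs))"

# Constructed sample directory (not the poster's AD): (dn, {attr_lowercase: [values]}).
SAMPLE_DIRECTORY = [
    ("CN=Armand Puts,OU=Room,OU=Users,DC=customer,DC=local",
     {"objectclass": ["top", "person", "organizationalPerson", "user"],
      "cn": ["Armand Puts"], "samaccountname": ["armandputs"]}),
    ("CN=LDAPReader,OU=Room,OU=Users,DC=customer,DC=local",
     {"objectclass": ["top", "person", "organizationalPerson", "user"],
      "cn": ["LDAPReader"], "samaccountname": ["ldapreader"]}),
]


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value: the characters that would change
    the filter's structure (* ( ) backslash NUL) become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter(object_class, username_attr, username):
    """AD-style user lookup with the login name escaped, so '*' or
    'x)(objectClass=*' typed at a login prompt cannot widen the search."""
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(object_class), username_attr, escape_filter_value(username))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Parse one parenthesised filter at s[i]; returns (node, index after it).
    Handles &, |, !, equality and presence (attr=*); no substring wildcards."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated '%s' filter in %r" % (op, s))
        return (op, kids), i + 1
    if i < len(s) and s[i] == "!":
        node, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated '!' filter in %r" % s)
        return ("!", [node]), i + 1
    j = s.find(")", i)          # escaped values contain no literal ')'
    if j < 0:
        raise ValueError("unterminated filter item in %r" % s)
    attr, sep, val = s[i:j].partition("=")
    if not sep:
        raise ValueError("no '=' in filter item %r" % s[i:j])
    return ("=", attr, val), j + 1


def _matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, val = node
    values = entry.get(attr.lower(), [])   # AD attribute names are case-insensitive
    if val == "*":                          # presence filter
        return bool(values)
    want = _unescape(val).lower()           # AD string matching is case-insensitive
    return any(v.lower() == want for v in values)


def search(directory, filter_str):
    """Return the DNs of directory entries matching filter_str (subtree scope)."""
    tree, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter: %r" % filter_str[end:])
    return [dn for dn, entry in directory if _matches(tree, entry)]


if __name__ == "__main__":
    print("as sent by IOS :", IOS_FILTER_AS_SENT, search(SAMPLE_DIRECTORY, IOS_FILTER_AS_SENT))
    good = build_user_filter("user", "sAMAccountName", "armandputs")
    print("AD-style       :", good, search(SAMPLE_DIRECTORY, good))
    hostile = build_user_filter("user", "sAMAccountName", "*)(objectClass=*")
    print("escaped hostile:", hostile, search(SAMPLE_DIRECTORY, hostile))
```

Run it with python3 to print the three lookups. The evaluator supports and/or/not, equality and presence only; that is enough to reproduce the failure mode in the debug above and to show why the login name must be escaped once it drives the filter, but it is not a general LDAP server.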

Similar Messages

  • ACS LDAP authentication - restrict to only certain LDAP users?

    I'm configuring Secure ACS v4.2 for TACACS+ authentication/authorization and command logging. I'd like to use my external LDAP user database for authentication.
    I have this functionality up and working and have one of our 3550 switches able to successfully authenticate against ACS with one of my LDAP username/passwords. Command logging and authorization also appear to be working, as I can see them in the TACACS+ Accounting/Administration logs on the ACS server.
    Is there a way to restrict which LDAP users are allowed to authenticate? For example, out of my 16000 users in LDAP, I want only a handful of users to be able to authenticate against the LDAP server via TACACS+ and get into my devices.
    Can I create an LDAP filter someplace in ACS that specifies only XXX users can authenticate against LDAP and denies all other users?
    Oh, and we do not use the "group" functionality on our LDAP server. All users are part of the same OU in LDAP and are not separated out by a different group OU. I know, I know... I could probably do it this way, but since that info doesn't exist in our LDAP server I'm looking for another solution.
    I'm running ACS v4.2.0.124.

    Sure, add the allowed users to a group in ACS, then use NAR to restrict what devices they can get to. This link might help as well.
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&topicID=.ee6e1fe&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc25eb6
    Hope that helps.

  • iOS 7 goes against Apple's philosophy to keep things simple

    In my opinion...one step forward and two steps back
    The new Apple iOS 7 has gone against everything Apple set out to be from the start of the iPhone operating system. They have just responded to critics, who said "it is out of date" and "not keeping up with modern trends", and ruined the unique user-friendly simplicity of the iPhone.
    I don't want to watch my apps open and don't want to see message bubbles moving and bouncing into each other; it's pointless and consumes battery power!
    All it has done is blurred the lines that define apple as the best smartphone producer the world-over. I am disappointed with "new" system and have already started looking at putting my loyalty and my money elsewhere in the smartphone market.
    Would appreciate other opinions/discussions.
    Thanks

    PRAshton wrote:
    e. I bought in to Apple solely for the simple user-friendly experience and now my iPhone 4S, due to battery consumption, has been turned into a house phone; I have to take my charger everywhere.
    http://www.apple.com/batteries/iphone.html
    also
    http://theweek.com/article/index/250098/ios-7-battery-life-6-simple-ways-to-keep-your-iphone-powered-up
    http://www.tuaw.com/2013/09/18/how-to-stop-ios-7-from-destroying-your-iphones-battery-life/
    Regards.

  • Configured for LDAP authentication, still giving ODBC error.

    Hi,
    I have gone through several posts in the forum. I did not find a solution for my issue.
    Here is what we have done
    We are trying OBIEE authentication and authorization by LDAP (Nortell Directory Server). Here is what I did:
    -Impersonator User created and Credentials are added to Oracle BI Presentation Services Credential Store
    We have following config in instanceconfig.xml
    <Auth>
    <SSO enabled="true">
    <ParamList>
    <!--IMPERSONATE param is used to get the authenticated user's
    username and is required -->
    <Param name="IMPERSONATE"
    source="httpHeader"
    nameInSource="Z-USERID"/>
    </ParamList>
    <LogoffUrl>http://IP/analytics/saw.dll?Logoff</LogoffUrl>
    </SSO>
    </Auth>
    - Configured LDAP Server under Security Manager/LDAP Servers (set the cn attribute in the advanced tab as the user name attribute). Tested the connection; it is successful. We are not importing users.
    - In Variable Manager created an initialization block named 'Authentication' and mapped three system variables (USER, GROUP, WEBGROUPS) to LDAP attributes (for groups and webgroups we provided an attribute under the user DN). Tested by supplying a username and password; it pulled the attribute values.
    We log into a web application and the web application redirects the request to the URL below along with the header Z-USERID.
    https://XXX.COM/analytics/saw.dll
    Here is how it is working:
    If I supply username and password in the two URL parameters nquser and nqpassword it works; I get the Dashboard page and other links according to the configured groups in LDAP.
    If I do not supply the URL parameters nquser and nqpassword, I get the "not logged in" page.
    The init block that deals with authentication and authorization is working fine.
    Single sign-on is not working; it is reading the HTTP header that we supply. I am not sure why it is expecting a password.
    saw logs show the following error:
    Odbc driver returned an error (SQLDriverConnectW).
    State: 08004. Code: 10018. NQODBC SQL_STATE: 08004 nQSError: 10018 Access for the requested connection is refused.
    nQSError: 43001 Authentication failed for loggedinIN_USERID in repository Star: invalid user/password. (08004)
    I tried some of the suggestions on this site, like changing passwords to 8 characters of impersonator passphrase etc., with no success.
    It looks like it is trying database authentication even though we configured the init block with LDAP settings.
    Please help!

    Hi
    Have you created an impersonate user in the Repository?
    Yes, added him to groups Administrator and XMLP_ADMIN.
    Can you open the URL through Firefox and look at the cookies?
    Yes, I opened it. When I get the not logged in page and check the cookies,
    I see the following cookies:
    SAWISAPI
    nquireID
    sawP  - Blank
    sawU - loggedinUSERID
    another two session based cookies.
    Open the saw.log in TextPad and launch your SSO link in Firefox.
    Search for the nquserID and check the values; it will be encrypted but should be there!
    I searched both saw and server logs; I did not find the "nquserID" string. Of course I see the logged-in user's login ID in the saw logs.
    Also, do you have load-balanced web servers? If yes, can you ask your web admin to enable sticky sessions?
    I checked with the iChain admin; if the webapp is load balanced they would add the sticky bit. But currently the app is not in a load-balanced environment.
    Thanks Sid, please help me resolve this.
    Thanks

  • LDAP authentication with authorization roles

    I currently have LDAP functioning and working correctly on my application (APEX 4.0). Our system is limited to a certain number of users within the AD group that can access the system. I have created an authorization scheme that looks at a database table to determine if the user has access to the system. If I put this authorization scheme on the login process of the login page it works successfully; however, the failure error message does not show up if the user does not have access. If I put this authorization scheme on the page that you are redirected to after login I get the message. However, what I would like to do is have this authorization failure message appear as a pop-up message on the login screen once the login button is pressed. Is this possible?
    Thank You!

    However, what I would like to do is have this authorization failure message appear as a pop-up message on the login screen once the login button is pressed. Is this possible?
    Create a 'Page processing' process that runs after the login completes. Apply the authorization function to it. If it fails the authorization, this should abort the login and display an error on the login page. Theoretically... not something I've needed to do.

  • LDAP authenticated app links to another LDAP app?

    Hello
    I am trying to achieve the following and have not been able to find a solution so far.
    APEX appA is a core app which has links to other apps in the same workspace.
    All apps have ldap authentication.
    If I log in appA and then navigate to appA I am forced to sign on again. How can I get appB to allow me in without signing on again?
    Do I need to write some new routine?
    Thanks
    Further info: do I need to make use of owa_cookie to achieve this, storing user id and password?
    Edited by: PolarWarrior on 13-Feb-2012 07:12
    Ah ha, added a cookie into the authentication scheme and that seems to do the trick.
    Edited by: PolarWarrior on 13-Feb-2012 07:37

    Are you passing the APP_SESSION in the URL of your calling application ?
    Something like:
    Button on App A:
    <a href = X f ? p=1000: 1 : &APP_SESSION. X >AppB</a>
    replace X with double quotes...
    remove spaces for the url...
    Edited by: Vitor Rodrigues on 13/Fev/2012 17:44
    Edited by: Vitor Rodrigues on 13/Fev/2012 18:32

  • Config transparent Proxy with LDAP authen with L4 switch?

    How to config policy based routing on L4 switch if wsa run in transparent mode with LDAP authentication?
    Async OS: 5.1.0-420
    Thank you,
    Thanapol

    Ezekiel,
    I wanted to add some clarification to your comments:
    1) Network TAP connected to T1/T2.
    This will work good. You will need to tap one direction of traffic to the T1 port and the other direction in to the T2 interface.
    2) L4 switch connected to P1.
    This will NOT work. Further explanation below. What you can do is use a switch that supports port spanning / port mirroring. You'll need to send a COPY of all traffic going to the gateway to the T1 interface.
    The L4TM will need to be in 'duplex' mode - Configurable in the GUI.
    3) WCCP v2 connected to P1.
    WCCP cannot be used at all with the L4TM, because WCCP doesn't 'copy' the traffic, it redirects it.
    L4TM information
    The L4TM can be thought of as a completely separate appliance that operates primarily via the T1 / T2 interfaces.
    The L4TM is a sniffer application, meaning that you cannot redirect traffic to it (such as L4 switching PBR or WCCP), but you can send a copy of traffic to it (port mirroring or physical tap).
    If you are blocking with the L4TM, the WSA will use M1/P1 to send the TCP RST packets. This is the ONLY use for the M1/P1 interfaces that the L4TM will use.
    The P1 interface is intended to be used for Web proxy traffic and the L4TM does not listen on this interface.

  • Help with ios LDAP setup for VPN access

    I am trying to move Microsoft LDAP for my VPN setup to an ISR router with 15.1 code. It has support but very little documentation. Anyone configured this before? I need some help or a basic config.

    LDAP authentication started from 7.1 if I recall correctly, along with LDAP mapping, which helps you validate whether the user has the dial-in attribute on or off. I would say starting from 7.1 till the latest 8.X version.
    Version 6.X does not have this feature.

  • LEAP - ACS Authen. against active directory for users of another domain

    We installed ACS 3.0 on a W2000 server, member of a domain. When we tried to authenticate users from another domain, it failed.
    We managed to find out the problem. First, the server tries to find the PDC of the other domain (DNS request: _ldap._tcp.pdc._msdcs.domain). The DNS server answers with the full name and IP address. But afterwards, instead of using the DNS answer, the server makes a new request with the PDC name and appends its own domain. The DNS request fails, and the user is not authenticated. A workaround consists in changing the DNS search list for the server, but I'm interested if anyone has a better solution, or if the new release (ACS 3.1) solves this issue.

    Your case looks similar to this bug, CSCdy18833; the bug has a workaround as well, check it out.

  • Color picker in iOS 8 app built against AIR 16 not showing up correctly

    I am using Flash CS6 to publish a coloring book app for Android and iOS. As of AIR SDK 15, the ColorPicker no longer shows up correctly in iOS, though the code continues to work correctly on Android. I have tried both AIR 15 and 16, and neither works correctly on iOS (only tested against iOS 8).
    The color picker from iOS8, AIR SDK 14 (as it should appear):
    The color picker from iOS 8, AIR SDK 16 (with black boxes covering each sample):
    Functionally they both work and there was no change to the code between the two builds. Anyone experience a similar issue or have ideas on navigating around it?
    Oh, here is the code I use to generate the colorpicker, in case it is useful:
    // Color picker
    colorPicker = new ColorPicker();
    colorPicker.setStyle("swatchWidth", swatchWidth);
    colorPicker.setStyle("swatchHeight", swatchHeight);
    colorPicker.setStyle("selectedColor", 0xffffff);
    colorPicker.colors = [0x330033, 0x000066, 0x330099, 0x3300cc, 0x3300ff, 0x6600ff, 0x6600cc, 0x660099, 0x660066, 0x660033, 0x660000, 0x330000, 0x000000, 0x000033, 0x000066, 0x000099, 0x0000cc, 0x0000ff, 0x333333, 0x333366, 0x333399, 0x3333cc, 0x3333ff, 0x6633ff, 0x6633cc, 0x663399, 0x663366, 0x663333, 0x663300, 0x333300, 0x003300, 0x003333, 0x003366, 0x003399, 0x0033cc, 0x0033ff, 0x336633, 0x336666, 0x336699, 0x3366cc, 0x3366ff, 0x6666ff, 0x6666cc, 0x666699, 0x666666, 0x666633, 0x666600, 0x336600, 0x006600, 0x006633, 0x006666, 0x006699, 0x0066cc, 0x0066ff, 0x339933, 0x339966, 0x339999, 0x3399cc, 0x3399ff, 0x6699ff, 0x6699cc, 0x669999, 0x669966, 0x669933, 0x669900, 0x339900, 0x009900, 0x009933, 0x009966, 0x009999, 0x0099cc, 0x0099ff, 0x33cc33, 0x33cc66, 0x33cc99, 0x33cccc, 0x33ccff, 0x66ccff, 0x66cccc, 0x66cc99, 0x66cc66, 0x66cc33, 0x66cc00, 0x33cc00, 0x00cc00, 0x00cc33, 0x00cc66, 0x00cc99, 0x00cccc, 0x00ccff, 0x33ff33, 0x33ff66, 0x33ff99, 0x33ffcc, 0x33ffff, 0x66ffff, 0x66ffcc, 0x66ff99, 0x66ff66, 0x66ff33, 0x66ff00, 0x33ff00, 0x00ff00, 0x00ff33, 0x00ff66, 0x00ff99, 0x00ffcc, 0x00ffff, 0xccff33, 0xccff66, 0xccff99, 0xccffcc, 0xccffff, 0xffffff, 0xffffcc, 0xffff99, 0xffff66, 0xffff33, 0xffff00, 0xccff00, 0x99ff00, 0x99ff33, 0x99ff66, 0x99ff99, 0x99ffcc, 0x99ffff, 0xcccc33, 0xcccc66, 0xcccc99, 0xcccccc, 0xccccff, 0xffccff, 0xffcccc, 0xffcc99, 0xffcc66, 0xffcc33, 0xffcc00, 0xcccc00, 0x99cc00, 0x99cc33, 0x99cc66, 0x99cc99, 0x99cccc, 0x99ccff, 0xcc9933, 0xcc9966, 0xcc9999, 0xcc99cc, 0xcc99ff, 0xff99ff, 0xff99cc, 0xff9999, 0xff9966, 0xff9933, 0xff9900, 0xcc9900, 0x999900, 0x999933, 0x999966, 0x999999, 0x9999cc, 0x9999ff, 0xcc6633, 0xcc6666, 0xcc6699, 0xcc66cc, 0xcc66ff, 0xff66ff, 0xff66cc, 0xff6699, 0xff6666, 0xff6633, 0xff6600, 0xcc6600, 0x996600, 0x996633, 0x996666, 0x996699, 0x9966cc, 0x9966ff, 0xcc3333, 0xcc3366, 0xcc3399, 0xcc33cc, 0xcc33ff, 0xff33ff, 0xff33cc, 0xff3399, 0xff3366, 0xff3333, 0xff3300, 0xcc3300, 0x993300, 0x993333, 0x993366, 0x993399, 0x9933cc, 0x9933ff, 0xcc0033, 0xcc0066, 0xcc0099, 0xcc00cc, 0xcc00ff, 0xff00ff, 0xff00cc, 0xff0099, 0xff0066, 0xff0033, 0xff0000, 0xcc0000, 0x990000, 0x990033, 0x990066, 0x990099, 0x9900cc, 0x9900ff, 0x000000, 0x333333, 0x666666, 0x999999, 0xcccccc, 0xffffff, 0xff0000, 0x00ff33, 0x0000ff, 0xffff00, 0xff00ff, 0x00ffff];
    colorPicker.selectedColor = color;
    colorPicker.x = gWidth - buttonSize - 10; colorPicker.y = 5;
    colorPicker.addEventListener(ColorPickerEvent.CHANGE, changeHandler);
    //Colorpicker button;
    colorPicker.width = buttonSize;
    colorPicker.height = buttonSize;
    shapeTransform = new ColorTransform();
    shapeTransform.color = color;
    addChild(colorPicker);

    I have exactly the same problem in one of my apps: it worked perfectly well when published with AIR 14, but I am getting the black squares when published with AIR 15 or 16.
    Anyone know how to get around this or whether there is a solution to the issue?

  • User authentication against LDAP - Non-AD

    Hi,
    We are trying to setup LDAP authentication against an LDAP, Oracle Unified Directory and below are the parameters of ldap.properties file:
    ldapAuthentication.defaultRole = ROLE_AUTHENTICATED_PRINCIPAL
    ldapAuthentication.enabled = true
    ldapAuthentication.tryNextProviderIfNoAuthenticated = true
    ldapAuthentication.stopIfCommunicationError = true
    ldapAuthentication.url=ldap\://localhost:389/
    ldapAuthentication.rootContext=DC=test,DC=com
    ldapAuthentication.securityPrincipal=CN=Directory Manager
    ldapAuthentication.securityCredential.encrypted=password
    ldapAuthentication.keepContextPrefix=false
    ldapAuthentication.isAD=false
    ldapAuthentication.userAccountSearchKey=CN
    ldapAuthentication.firstNameSearchKey=givenName
    ldapAuthentication.lastNameSearchKey=sn
    Still I am getting the following while I try to log in to OIA as an OUD user:
    WARN [UserManagerImpl] RbacxUser with username: 'cn=oiaadmin' not found
    Please help

    Hi Jcorker,
    According to your description, you need to access the SQL Server Analysis Services database, which is configured as a cluster for SQL & SSAS, from another domain, right?
    In SSAS we can use the solution below achieve the requirement.
    1.Create new domain account and impersonate the web site with that.
    2.Create local user account on the analysis service with same exact username/password as like domain account created in the previous step.
    However, you cannot create a local account with the same name on both servers. I have tested it in my local environment; we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 are on different servers, you can create a local account with the same name on both servers. Please post the detailed errors, so that we can make further analysis.
    Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
    http://technet.microsoft.com/en-us/library/cc961481.aspx
    Regards,
    Charlie Liao
    TechNet Community Support

  • LDAP Authentication on Cisco ASA 8.2(1)

    Dear Security Experts,
    I am facing an issue while trying to configure LDAP integration on a Cisco ASA firewall. The requirement is to allow remote access VPN to a specific group defined in AD. When I checked the debug logs ("debug ldap 255"), it shows that the authentication is successful with the LDAP server, but the LDAP attribute is not getting mapped, and because of this the tunnel-group default group policy "NOACCESS" is getting applied (vpn-simultaneous-logins set to zero), which results in zero connections.
    I confirmed this by changing the value in NOACCESS from zero to one and found that the VPN then connects.
    The name of user account is testvendor that belongs to the group of Test-vendor.
    Could you kindly advise me what I am missing in this configuration? Help on this is highly appreciated.
    The configuration and debug output is shown below.
    SHOW RUN
    ldap attribute-map ABC-VENDOR
      map-name  memberOf Group-Policy
      map-value memberOf CN=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    aaa-server ldapvend protocol ldap
    aaa-server ldapvend (INSIDE) host 10.1.141.7
    ldap-base-dn DC=abc,DC=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *
    ldap-login-dn CN=ldapvpn,OU=ServiceAccounts,OU=Abc,DC=abc,DC=local
    server-type microsoft
    ldap attribute-map ABC-VENDOR
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
    vpn-simultaneous-logins 0
    group-policy Allow-Vendor internal
    group-policy Allow-Vendor attributes
    vpn-simultaneous-logins 10
    vpn-tunnel-protocol IPSec
    dns-server value 10.1.141.7
    default-domain value abc.org
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_acl
    tunnel-group ABC-AD-VENDOR type remote-access
    tunnel-group ABC-AD-VENDOR general-attributes
    address-pool vendor_pool
    authentication-server-group ldapvend
    default-group-policy NOACCESS
    tunnel-group ABC-AD-VENDOR ipsec-attributes
    pre-shared-key *
    Note : I tried the below map-value under the ldap attribute ABC-VENDOR as part of troubleshooting
    map-value memberOf CN=Test-vendors,CN=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    map-value memberOf CN=Test-vendors,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    map-value memberOf CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    DEBUG LDAP 255
    [454095] Session Start
    [454095] New request Session, context 0xb1f296b0, reqType = Authentication
    [454095] Fiber started
    [454095] Creating LDAP context with uri=ldap://10.1.141.7:389
    [454095] Connect to LDAP server: ldap://10.1.141.7:389, status = Successful
    [454095] supportedLDAPVersion: value = 3
    [454095] supportedLDAPVersion: value = 2
    [454095] Binding as ldapvpn
    [454095] Performing Simple authentication for ldapvpn to 10.1.141.7
    [454095] LDAP Search:
            Base DN = [DC=abc,DC=local]
            Filter  = [sAMAccountName=testvendor]
            Scope   = [SUBTREE]
    [454095] User DN = [CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local]
    [454095] Talking to Active Directory server 10.1.141.7
    [454095] Reading password policy for testvendor, dn:CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
    [454095] Read bad password count 0
    [454095] Binding as testvendor
    [454095] Performing Simple authentication for testvendor to 10.1.141.7
    [454095] Processing LDAP response for user testvendor
    [454095] Message (testvendor):
    [454095] Checking password policy
    [454095] Authentication successful for testvendor to 10.1.141.7
    [454095] Retrieved User Attributes:
    [454095]        objectClass: value = top
    [454095]        objectClass: value = person
    [454095]        objectClass: value = organizationalPerson
    [454095]        objectClass: value = user
    [454095]        cn: value = testvendor
    [454095]        givenName: value = testvendor
    [454095]        distinguishedName: value = CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
    [454095]        instanceType: value = 4
    [454095]        whenCreated: value = 20111019133739.0Z
    [454095]        whenChanged: value = 20111030135415.0Z
    [454095]        displayName: value = testvendor
    [454095]        uSNCreated: value = 20258545
    [454095]        uSNChanged: value = 20899179
    [454095]        name: value = testvendor
    [454095]        objectGUID: value = ).u>.v.H.6>..u.Z
    [454095]        userAccountControl: value = 66048
    [454095]        badPwdCount: value = 0
    [454095]        codePage: value = 0
    [454095]        countryCode: value = 0
    [454095]        badPasswordTime: value = 129644550477428806
    [454095]        lastLogoff: value = 0
    [454095]        lastLogon: value = 129644551251183846
    [454095]        pwdLastSet: value = 129635050595360564
    [454095]        primaryGroupID: value = 513
    [454095]        userParameters: value = m:                    d.                       
    [454095]        objectSid: value = ...............n."J.h.0.....
    [454095]        accountExpires: value = 9223372036854775807
    [454095]        logonCount: value = 0
    [454095]        sAMAccountName: value = testvendor
    [454095]        sAMAccountType: value = 805306368
    [454095]        userPrincipalName: value = [email protected]
    [454095]        objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
    [454095]        msNPAllowDialin: value = TRUE
    [454095]        dSCorePropagationData: value = 20111026081253.0Z
    [454095]        dSCorePropagationData: value = 20111026080938.0Z
    [454095]        dSCorePropagationData: value = 16010101000417.0Z
    [454095]        lastLogonTimestamp: value = 129638228546025674
    [454095] Fiber exit Tx=719 bytes Rx=2851 bytes, status=1
    [454095] Session End

    Thank you Jennifer for the response.
    Could you please help me on how to enable the "memberOf" attribute on AD to be pushed to the ASA for the OU matching.
    I have already set the "Remote Dialin" property of user account name "testvendor" in AD to "Allow Access". It can be seen in the debug output below.
    [454095] sAMAccountName: value = testvendor
    [454095] sAMAccountType: value = 805306368
    [454095] userPrincipalName: value = [email protected]
    [454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
    [454095] msNPAllowDialin: value = TRUE
    [454095] dSCorePropagationData: value = 20111026081253.0Z
    [454095] dSCorePropagationData: value = 20111026080938.0Z
    [454095] dSCorePropagationData: value = 16010101000417.0Z
    Are there any other settings that I need to do on AD?
    Kindly advise
    Regards
    Shiji

  • LDAP authentication to Win2K8 server nightmare.

    Hello All, I have been trying to get LDAP authentication working on this Solaris 10 server. To this point I've had little success. The domain controller/LDAP server is W2K8. I am able to authenticate successfully using "kinit" so I'm sure Kerberos is configured. I have extended the Unix services on 2K8 as well. Here is the /var/ldap/ldap_client_file:
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= parwindom
    NS_LDAP_SEARCH_BASEDN= dc=stcg,dc=net
    NS_LDAP_AUTH= sasl/GSSAPI
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= self
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=Unix Services,ou=Service Accounts,dc=stcg,dc=net?one
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Unix Services,ou=Service Accounts,dc=stcg,dc=net?one
    NS_LDAP_ATTRIBUTEMAP= shadow:uid=sAMAccountName
    NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
    NS_LDAP_ATTRIBUTEMAP= shadow:shadowflag=shadowFlag
    NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
    NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
    NS_LDAP_ATTRIBUTEMAP= passwd:uid=sAMAccountName
    NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
    NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
    NS_LDAP_ATTRIBUTEMAP= passwd:gecos=gecos
    NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
    NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
    NS_LDAP_ATTRIBUTEMAP= group:userpassword=userPassword
    NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
    NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
    NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
    The ldap service is enabled. Here is /etc/nsswitch.conf
    passwd: files ldap [TRYAGAIN=5]
    group: files ldap
    hosts: dns files
    ipnodes: dns files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: files
    automount: files
    aliases: files
    services: files
    printers: user files
    auth_attr: files
    prof_attr: files
    project: files
    tnrhtp: files
    tnrhdb: files
    And Finally here is /etc/pam.conf
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth required pam_unix_auth.so.1
    login auth required pam_dial_auth.so.1
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth required pam_unix_auth.so.1
    krlogin auth required pam_unix_cred.so.1
    krlogin auth required pam_krb5.so.1
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    krsh auth required pam_unix_cred.so.1
    krsh auth required pam_krb5.so.1
    ktelnet auth required pam_unix_cred.so.1
    ktelnet auth required pam_krb5.so.1
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_unix_cred.so.1
    ppp auth required pam_unix_auth.so.1
    ppp auth required pam_dial_auth.so.1
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth sufficient pam_krb5.so.1
    other auth required pam_unix_cred.so.1
    other auth required pam_unix_auth.so.1
    passwd auth required pam_passwd_auth.so.1
    cron account required pam_unix_account.so.1
    other account requisite pam_roles.so.1
    other account sufficient pam_unix_account.so.1
    other account required pam_ldap.so.1
    other session required pam_unix_session.so.1
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1
    Here is what happens if I run ldaplist
    # ldaplist
    ldaplist: Object not found (LDAP ERROR (12): Unavailable critical extension.)
    I have been pulling what little hair I have left out on this issue and I'm starting to run out of time on this project. There is nothing in any log file anywhere. Any help would be greatly appreciated.

    Nathalie,
    LDAP authentication against AD is fully supported since AD is LDAP v3 compliant.
    For the Unix and Linux versions of XIR2 / XI31, LDAP is really your only choice since the Active Directory tab is not displayed unless your CMS is on Windows.
    To get LDAP working against AD I would recommend the following:
    1) Use an IP address
    You can use the IP of a Domain Controller or a Global Catalog Server depending on how large your AD domain is.
    2) Use port 3268 over 389 for large AD configurations.
    This port is the Global Catalog server port.  The GC server contains all the information about all objects in an AD Forest.  This is useful when using groups across multiple domains where 389 just contains information in 1 domain.
    3) Change your Application Mappings
    On the LDAP tab, connecting to AD won't work unless you make a few changes.  First, change your Application mappings to "Microsoft Active Directory Application Server" and then choose "Show Application Mappings".
    Change:
    User Name: sAMAccountName
    Default User Search Attribute: sAMAccountName
    These settings should work for you.
    Also note that the group "Domain Users" is not valid when querying AD via LDAP.
    Regards,
    -Brian

  • Question regarding LDAP and SSO Authentication

    Hello,
    We have Oracle Portal as our intranet and by default all users are authenticated against OID when they access the intranet page.
    My question is how I can make use of the OID authentication in the apex application? I do not want users to re-enter their login credentials if they want to access the apex application.
    How can I achieve this?
    Thanks

    What exactly do you mean by "the apex application", the development and administration interface to Application Express, or the applications you develop?
    For the former case, you cannot change the way authentication is done. For your own apps, that's up to you.
    Scott

  • ASA VPN with LDAP authentication

    We currently use a Cisco ASA (5510, 8.2) IPsec VPN client with RADIUS as a backend authentication service. We have configured IAS on one of our domain controllers to issue a RADIUS Accept/Deny based on the users' group membership within a "VPN Users" group. The IAS policy rules make this very easy (it understands Windows group membership), and we like using groups because it is easy to send mail to all VPN users.
    The things we don't like about using RADIUS are the idea that IAS has to be configured as a middleman service, and that IAS does not always successfully start after a system reboot (we are not sure why).
    We were wondering if it was possible to skip the middleman and use LDAP directly, pointing to our pool of domain controllers. There are many LDAP examples out on the net, but they consist of using an LDAP Attribute map to either use the "Remote Access Permission" of the user's DialIn profile, or by associating an AD group to a Cisco policy.
    The former does not fit our model because it bypasses the group membership concept and requires VPN control via profile. The latter does not fit because, while we do have a "VPN Users" group to map in the affirmative, we do not have an inverse to map to a Deny policy. There is no "NOT" logical operator in the LDAP Attribute mapping.
    Does anyone know a way to accomplish what we are after, using LDAP rather than RADIUS, where a single group can determine Accept (and more importantly, absence equals Deny)?

    Hi,
    I believe the second option you've mentioned will work for you. Why? Using that, if you map a single AD group to the right Cisco policy, then this will work the way you want, where absence means deny to other users.
    Here is a config example you may try:
    Configuration for restricting access to a particular windows group on AD/LDAP
    group-policy noaccess internal
    group-policy noaccess attributes
    vpn-simultaneous-logins 0
    address-pools none
    ldap attribute-map LDAP-MAP
    map-name memberOf IETF-Radius-Class
    map-value memberOf
    aaa-server LDAP-AD protocol ldap
    aaa-server LDAP-AD host
    server-port 389
    ldap-base-dn
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-dn
    ldap-login-password
    server-type microsoft
    ldap-attribute-map LDAP-MAP
    group-policy internal
    group-policy attributes
    vpn-simultaneous-logins 3
    vpn-tunnel-protocol IPSec l2tp-ipsec ...
    address-pools value
    tunnel-group type remote-access
    tunnel-group general-attributes
    authentication-server-group LDAP-AD
    default-group-policy noaccess
    HTH
    JK
    -Plz rate helpful posts-
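    The default-deny behaviour of the config above (a user's memberOf value maps to a permitted group-policy, and anyone without a mapped group falls back to the noaccess policy) can be checked offline with the following model. This is an added example, not the ASA's own code or part of any post in the thread; the config fragment, group DN and policy names inside it are constructed placeholders.

```python
import re

# Constructed sample in the style of the reply above; DN and policy names are placeholders.
ASA_CONFIG = """
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 0
group-policy VPN-USERS-POLICY internal
group-policy VPN-USERS-POLICY attributes
 vpn-simultaneous-logins 3
ldap attribute-map LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN Users,OU=Groups,DC=example,DC=local" VPN-USERS-POLICY
tunnel-group RA-VPN general-attributes
 default-group-policy noaccess
"""


def parse_policy_map(config: str) -> tuple[dict[str, str], str, dict[str, int]]:
    """Return (memberOf DN -> group-policy), the default group-policy, and
    each group-policy's vpn-simultaneous-logins value."""
    dn_to_policy, default_policy, logins, current = {}, None, {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r'map-value memberOf "([^"]+)" (\S+)', line):
            dn_to_policy[m.group(1).lower()] = m.group(2)  # DNs compare case-insensitively
        elif m := re.match(r"default-group-policy (\S+)", line):
            default_policy = m.group(1)
        elif m := re.match(r"group-policy (\S+) attributes", line):
            current = m.group(1)
        elif (m := re.match(r"vpn-simultaneous-logins (\d+)", line)) and current:
            logins[current] = int(m.group(1))
    return dn_to_policy, default_policy, logins


def resolve(member_of: list[str], config: str = ASA_CONFIG) -> tuple[str, bool]:
    """Effective group-policy for a user with the given memberOf values, and whether
    the user may connect (vpn-simultaneous-logins > 0). Absence of any mapped group
    yields the tunnel-group default, i.e. noaccess. Simplification (assumption): the
    first memberOf value with a mapping wins; ASA tie-breaking between several mapped
    groups is not modelled."""
    dn_to_policy, default_policy, logins = parse_policy_map(config)
    policy = next((dn_to_policy[dn.lower()] for dn in member_of if dn.lower() in dn_to_policy),
                  default_policy)
    return policy, logins.get(policy, 0) > 0


if __name__ == "__main__":
    print(resolve(["CN=VPN Users,OU=Groups,DC=example,DC=local"]))   # ('VPN-USERS-POLICY', True)
    print(resolve(["CN=Domain Users,CN=Users,DC=example,DC=local"]))  # ('noaccess', False)
```

    The memberOf values fed to resolve() are the same attribute the earlier post asks about; with an attribute map like this, only users carrying the mapped group DN reach a policy that allows logins.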
