Is LDAP on Port 3269 Secure?

Is LDAP on port 3269 (for third-party app authentication) secure by default, or are user names and passwords being passed over the network in clear text unless you add separate SSL encryption on the connection?
Why would you use port 3269 for LDAP vs port 636?

The global catalog is not hosting the same information. In a nutshell, ports 389/636 can be used to target domain-specific information (the domain of the domain controller you target), and ports 3268/3269 (global catalog) are used to target forest-wide information (a read-only copy of the objects of every domain, but not all attributes). So depending on what the application is trying to look at, you might use one or the other. For example, if you are looking up email addresses, you can target a global catalog. If you are looking at global group membership, you need to target a specific domain.
Now regarding the security around the credential you use for the bind, it is very well summarized in this article:
http://blogs.technet.com/b/askds/archive/2009/09/21/understanding-ldap-security-processing.aspx
If your application is performing a simple bind, then the password will be sent in clear text. Therefore you should use SSL (636, or 3269 for the global catalog). You can also configure your domain controller to reject simple binds if they are performed over a non-SSL connection (see here: https://support.microsoft.com/kb/935834).
Note that SSL is not available by default on your domain controllers. You need to deploy a PKI and issue a certificate for your domain controller. This is more or less automatically done if you are using a Microsoft enterprise PKI; it might require extra manual steps if you are using a third-party certificate service.
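As an added illustration (not part of the original thread), the following Python decodes an LDAP BindRequest the way a passive observer of the wire would see it, which is exactly why a simple bind to 389/3268 exposes the password while the same bind to 636/3269 travels inside TLS. The DN, password and TLS-record bytes are constructed sample values, and `assess_bind` is a hypothetical helper written for this example.

```python
"""Added example (not from the thread): decode an LDAP BindRequest as a passive
observer of the wire would see it. The DN, password and TLS bytes used below are
constructed sample values, not taken from any real directory."""

# Well-known LDAP ports on an Active Directory domain controller.
CLEARTEXT_PORTS = {389: "LDAP (domain)", 3268: "LDAP (global catalog)"}
TLS_PORTS = {636: "LDAPS (domain)", 3269: "LDAPS (global catalog)"}

def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def build_simple_bind(dn: str, password: str, message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }."""
    bind = (_tlv(0x02, b"\x03")              # version INTEGER 3
            + _tlv(0x04, dn.encode())         # name LDAPDN (OCTET STRING)
            + _tlv(0x80, password.encode()))  # authentication CHOICE simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(data: bytes) -> dict:
    """Parse a BindRequest; returns {} when the bytes are not one (e.g. TLS)."""
    try:
        tag, msg, _ = _read_tlv(data, 0)
        if tag != 0x30:                       # LDAPMessage is a SEQUENCE
            return {}
        _, mid, pos = _read_tlv(msg, 0)
        tag, op, _ = _read_tlv(msg, pos)
        if tag != 0x60:                       # [APPLICATION 0] = BindRequest
            return {}
        _, version, pos = _read_tlv(op, 0)
        _, name, pos = _read_tlv(op, pos)
        auth_tag, auth, _ = _read_tlv(op, pos)
    except IndexError:
        return {}
    req = {"message_id": int.from_bytes(mid, "big"),
           "version": int.from_bytes(version, "big"),
           "name": name.decode(errors="replace")}
    if auth_tag == 0x80:                      # simple [0]: password bytes as-is
        req.update(auth="simple", password=auth.decode(errors="replace"))
    elif auth_tag == 0xA3:                    # sasl [3]: mechanism, credentials
        _, mech, _ = _read_tlv(auth, 0)
        req.update(auth="sasl", mechanism=mech.decode(errors="replace"))
    return req

def assess_bind(dst_port: int, payload: bytes) -> str:
    """Verdict a defender would attach to one observed client-to-DC segment."""
    req = parse_bind_request(payload)
    if not req:
        if dst_port in TLS_PORTS and payload[:1] == b"\x16":   # TLS handshake
            return f"{TLS_PORTS[dst_port]}: bind travels inside TLS, not readable"
        return "not an LDAP BindRequest"
    service = CLEARTEXT_PORTS.get(dst_port, f"LDAP port {dst_port}")
    if req.get("auth") == "simple":
        return f"{service}: simple bind, password for {req['name']} in cleartext"
    return f"{service}: SASL/{req.get('mechanism', '?')} bind, no cleartext password"

if __name__ == "__main__":
    pkt = build_simple_bind("CN=svc-app,OU=Service,DC=example,DC=test", "Sample-Pw-1")
    print(assess_bind(3268, pkt))   # cleartext verdict on the global catalog port
    print(assess_bind(3269, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"))
```

The same BindRequest bytes are sent on 3268 and 3269; the only difference is whether a TLS session wraps them, so moving a simple bind to 636/3269 protects the password without changing the application's bind type.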

Similar Messages

  • WL10: How to port sample security providers?

    Hello,
    I've downloaded the sample security providers for WL8.1 and am trying to get them working on my WL10 setup. It seems quite a lot has changed since WL8.1. For example, the information on how to set up security providers using the admin console is completely different. Also, when I tried to work around this by using the ant setup, it also failed with:
    [java] Executing command: INVOKE -mbean Security:Name=SampleRealmManageable
    SampleAuthenticator -method createUser sampleuser samplepassword nodescription
    [java] Could not find the instance for Security:Name=SampleRealmManageableS
    ampleAuthenticator
    [java] Error: setupSampleRealm.adm at line number: 45
    [java] --------------------------------------------------------------------
    [java] --------------------------------------------------------------------
    [java] Batch Command Results:
    [java] Total Commands Executed: 23
    [java] Commands Successful: 22
    [java] Commands Failed: 1
    BUILD SUCCESSFUL
    Total time: 7 seconds
    My question is: has anybody already ported sample security providers to the WL10?
    Thanks,
    Karel

    "Laurent Duperval" <[email protected]> wrote in message
    news:3fe07edb$[email protected]..
    >
    Hi,
    I'm trying to get the sample realm working as the default realm to startWeblogic.
    The goal is to modify it piece by piece to a more secure model, but I'mstarting
    from the basics.
    Here's what I've done now: I created a new realm and I used all thedefault providers
    except the authentication provider. For that, I used the Manageableauthentication
    sample. The problem is that it uses non-encrypted data to set the passwordbut
    the boot.properties file containes 3DES data. So now, the realm won'tstart. How
    can I set up the boot.properties file to enable the use of my new realm asthe
    default?
    The boot.properties should work with any provider. WLS decrypts the username
    and password
    before passing it to the provider. I would double check to make sure that
    username and
    password is defined in your manageable authentication sample.
    You can define the DebugSecurityAtn="true" attribute for the ServerDebug
    Mbean to get
    additional debugging information.

  • Dynamic Login Environment with LDAP and Database level security.

    JDeveloper 11.1.1.0.1 + ADF BC + ADF RC
    Hi everyone,
    We are ready to begin creating a dynamic login environment.
    We would like to be able to keep security on the database side, instead of in the application layer.
    We also want to be able to use Oracle LDAP for authentication.
    Can anyone suggest any good documentation for our situation?
    Highly appreciated. Thanks!

    Alexander,
    unlike in Forms, authentication is separate from the connection. You can have individual user connections, like in Forms, but this most likely does not give the best performance. A document and example for this to follow is
    http://radio.weblogs.com/0118231/2008/08/06.html#a902
    Note that authentication does not need to be hard coded either way. If you use a single database connection and container-managed authentication, then all users access the database from the same user account but can have their authenticated names passed through. In ADF BC you can use the prepareSession method on the ApplicationModule to pass the name to the database as a prepared statement (e.g. to set the predicate on a VPD database). However, using PL/SQL for authorization is a bit difficult because the business logic, unlike in Forms, isn't executed in PL/SQL. You can look up PL/SQL from ADF BC, or Java in general, but it's a separate call.
    Frank

  • LDAP and Notes Group Security Authentication Troubles

    First, my apologies if this is in the wrong forum, but after looking at the forum names a few times this seemed the most appropriate.
    I have a PDF file that I would like to have access restricted to a certain group on my organization's directory server. I'm kind of the new guy here, so I'm not 100% certain on this, but I'm pretty sure that our setup is:
    A Lotus Domino LDAP server storing the directory information in a Lotus Notes database. Each user has a Notes certificate stored on the server for authentication to various databases we have on our intranet.
    I've entered the LDAP server information in the Security Settings... window in Acrobat, and I'm sure it's correct as I can use the same information to browse the LDAP server with Softerra LDAP browser. There is no authentication required, but the server might restrict access based on domain; I'm not sure (shouldn't matter). Anyway, when I go to Manage Trusted Identities... then Add Contacts, then Search, I can never get any results to return.
    I wish to only allow users in a certain group, CN=ALLOWED - GROUP, to have access to the PDF. I feel that there should be a way to accomplish this with the Notes certificates. Anyone know what I'm doing wrong or need to do?
    If something I've said is wrong or unclear, I'd be happy to try again; this sort of thing isn't my forte.
    Thanks in advance,
    Mark

    > I guess the CA is the machine that's hosting the Lotus notes database
    No, the CA is merely an "entity". It's your Certificate Authority, the master certificate used to sign and authenticate all subsidiary certificates. You are talking about setting this up as a PKI for signature validation and managed security, right? Or am I way off base with your workflow and leading you away from where you should be (if so, feel free to ignore me - lots of people do)?
    Leonard is right though, for securing individual PDFs to a specific group you would need LiveCycle Rights Management ES. The security needs to be in the PDF itself, otherwise it's useless. Say you configure your security at an application level, as you are trying to do, and then someone copies the PDF to a USB key and takes it home. No longer on your network, so they can now freely open the document.

  • Port forwarding & security level

    [was orig sent to fios internetforum in error- I'm on a dsl line]
    I've set up port forwarding for various services (mIRC, ftp, etc) on my Versalink gateway (Westell 327W router/modem). Ports are OK, Still, I can't access these when my firewall is set to "Typical Security" - I have to go down to Minimum for anything to get through. Is this the way it's supposed to work? I thought that port forwarding opened my selected ports in the firewall without compromising security otherwise. If I have to choose min. security, what's the point of port forwarding? Thanks for any feedback - ed

    At this time I can't tell you about the Security Level setting, but I can answer this question
    eda wrote:
    What's the point of port forwarding?
    I point to the info at
    grc.com's pure CSS menu (Research -> Recent -> NAT Router Security)
    Direct URL: http://www.grc.com/nat/nat.htm
    But, it gets kind of weird.
    For example, I point to the info at
    DSLR (dslreports.com) ->  FAQs -> Verizon Online FiOS FAQ -> Troubleshooting -> What is the NAT Table problem in the Actiontec?
    Direct URL: http://www.dslreports.com/faq/16233

  • Port forwarding security cameras WPA2 blocked?

    I just bought an Airport Extreme router and set up port forwarding for home security cameras.
    When I have no security - I can access the cameras remotely (iPhone) and locally with no problems on my iPhone. However, when I add on WPA2 security everything gets blocked. Is there a firewall or feature inside the AEBS that needs to be modified? Help!

    The fact that you can access the cameras remotely verifies that the port settings are correct on your AEBS.
    Wireless security does not use ports as it is a local network feature so no additional base station settings should be required.
    The issue appears to be with your iPhone Wi-Fi connection when wireless security is enabled. WPA2 is supported with all iPhone models.
    I would recommend at this point to change the security password to see if this resolves the problem. Temporarily try the following as the base station's Wireless Security password: 0123456789abcdef0123456789
    Note that there are exactly 26 characters. If this works, go ahead and change the password. I would recommend one that contains a combination of 26 letters, numbers, & punctuation marks without using any spaces.

  • Port Forward Security

    Hi,
    I have a Linksys WRT54G, and a question in regards to port forwarding. I use Remote Desktop to access my home network when I am at school, and enable port 3389 each day before school, then disable access to that port at the end of the school day. This allows me access to my home network when I am at school, and then I close the port when back home, for security purposes. 
    Does anyone know of a way to limit what IP addresses (incoming) are allowed to use that port, where I can enter the IP address of the school computer so that it is allowed access, and then do not have to disable port access every day?
    tia,
    Vgolfmaster 

    Currently the included firmware does not support a source IP for specific port forwarding. Luckily the DMZ does! Set your computer as the DMZ with the source IP of your school. Setting yourself as the DMZ essentially forwards all ports. This may seem less secure, but since you can set a source IP it is more secure.
    Never mind that part; after reading saber_tooth's post, I looked up your router and he is right, your router does not support a source IP address for the DMZ.
    If you don't want to use the DMZ, you could take advantage of port triggering. Port triggering means that, when there is a connection on port x, forward port y. So you could set up a small server of any kind, and connect to it from your school's computer. For example, set up a small telnet server, and set port 23 as the triggering range, and 3389 as the forwarding range. This means that port 3389 is only forwarded when there is a connection on port 23. If you wanted to be really security paranoid (not a bad thing) you could set up something like this (after forwarding port 1):
    Forwarding range    Triggering range
    2-2                 1-1
    3-3                 2-2
    4-4                 3-3
    3389-3389           4-4
    This would mean you would have to connect on port one, which would unlock port two.  Connect on port two to unlock port three, and so on, until you unlock port 3389.  It would also prevent 3389 from being scanned on your system (very secure!).  You can also use any ports you want, not just 1 2 3 4, so long as you remember them!
    Obviously you would need something to listen on each of those ports, I recommend using Port Listener.
    From there you could use Telnet (Start > Run > Telnet) and connect on each of those ports, using the command "o ip.add.re.ss port".  So you would open four telnet windows, and connect to your computer on each triggering port.  You could even create a Windows batch file to do this automatically.  
    I know it sounds complicated but it really isn't! 
    You may also be able to find a software firewall that allows port exceptions by time, and set it up so it is only forwarded while you are in school.
    I hope I answered your question,
    Zach

  • Increase Port 443 Security in RV082

    I recently installed a RV082 so that a branch office could have an always-on connection with the main office.  That branch, among others, processes credit cards for payment.  A security company, Security Metrics, scans their network and looks for any security vulnerabilities.  If the company fails the test they are charged a monthly fee to be able to continue processing credit cards.
    The branch office that had the router installed failed due to several security issues involving port 443. Is there a way to secure the port in the router? I have attached the Security Vulnerabilities report that gives the details.
    The branch office does not have a server, only about 5 XP Pro workstations (one does the credit card transactions).  The other 3 branches have the same setup but they use PIX routers and they do not have any security issues.
    Thanks

    I am running an old version 1.3.2.  I am going to do the update after hours and then run another security test tomorrow and report back.
    Thanks

  • WRT1900AC - Open Port - 52147 - Security Vulnerability?

    I recently noticed in the router logs incoming connections on port 52147. I have confirmed that this port on the router is open (not closed or stealthed), by using the port scan tool at www.grc.com.  See port scan screenshot below.
    This situation is present with no devices connected to my internal network. My router is on the current firmware (1.1.8.164461).
    Anyone have an idea what is going on?
    Jeff
    Incoming log
    Source IP address | Destination port number
    110.93.76.194          52147 
    73.52.28.251            52147

    Yes, I did setup a Smart Wifi account during initial setup.
    It there any documentation where I can confirm that the port is open for Smart Wifi services, and should I be concerned about the inbound connections listed in the log (See above)?
    I am seeing a few more random IP addresses associated with that port in the log each day or so, and I would think that if it was due to legitimate Smart Wifi services activity, the traffic would be from a specific (and documented) address for Linksys servers.
    UPDATE: I just checked the log again, and there are a dozen or so random IP addresses in the Incoming Log associated with port 52147. Who-Is lookups place these addresses all around the world. Until this is explained to my satisfaction, I am leaving my devices disconnected from this router, and treating this as a security vulnerability.
    If anyone has any information or insight into this, it would be greatly appreciated.

  • How can I access the username and password entered into an https IPlanet login so that it may be passed to an LDAP to obtain additional security classification information for that user?


    Have you tried simply using the REMOTE_USER environment variable which is accessible via CGI by the following:
    $customer = $ENV{"REMOTE_USER"};
    Once you have that (which will correspond to the uid attribute in your LDAP server) you can do a query for the other things. The password should not be required to look up other info since you know at this point that they are already authenticated.

  • Relay access denied', Port: 25, Secure(SSL): No, Server Error: 554,

    Hi, I configured the server and I am able to receive emails and to send emails internally, but when I try to send emails to other domains I get this error.

    acserver:~ admin$ postconf -n
    alias_maps = hash:/etc/aliases
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter =
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    enable_server_options = yes
    html_directory = no
    inet_interfaces = all
    mail_owner = postfix
    mailbox_size_limit = 0
    mailbox_transport = cyrus
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    mydestination = $myhostname,localhost.$mydomain,localhost,mobilekiwi.com
    mydomain = mobilekiwi.com
    mydomain_fallback = localhost
    myhostname = macserver
    mynetworks = 192.168.1.14/32
    mynetworks_style = host
    newaliases_path = /usr/bin/newaliases
    owner_request_special = no
    queue_directory = /private/var/spool/postfix
    readme_directory = /usr/share/doc/postfix
    recipient_delimiter = +
    relayhost =
    sample_directory = /usr/share/doc/postfix/examples
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtpd_pw_server_security_options = none
    smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,permit
    smtpd_sasl_auth_enable = no
    smtpd_tls_key_file =
    smtpd_use_pw_server = no
    unknown_local_recipient_reject_code = 550
    virtual_mailbox_domains =
    virtual_transport = virtual
    macserver:~ admin$
    macserver:~ admin$
    I am able to receive emails but I am not able to send emails to other domains. But I am able to send emails internally.

  • Whether WLC support LDAP Secure ?..

    Hi ,
    We are using a 5508 WLC with software version 7.4.100.60. Will this code support that? When we tried LDAP on port number 389, we were able to authenticate the user. But with LDAPS on port number 636 we are not getting a response from AD.
    Any clue on this...
    Thanks,
    Regards,
    Vijay.

    You can change the port, but you are not changing how it communicates by changing the port. If you search for WLC LDAP Configuration, you will not see any reference to supporting LDAPS. If there was a setting on the WLC to choose to use LDAP or LDAPS, then it would work. You have also tested it and you can see it doesn't work. Sniff the traffic and see if it is secure or not as that will also tell you.
    You can always contact your local SE and put in a feature request for that.
    Sent from Cisco Technical Support iPhone App

  • 3rd party LDAP security provider problem

    I'm having an issue that when I've deployed my j2ee application to Oracle AS 10g rel3 app server, the security-constraint I've configured in my web.xml file isn't being obeyed, or at least it doesn't appear to be.
    As part of the deployment process I've configured a 3rd party LDAP server as the security provider. As for mapping groups to roles, I've set it such that all users and groups should be mapped to the role AuthorisedUser. My intention is that for any protected URLs defined in the web.xml, the user should be redirected to a login page as defined in the web.xml file as well (I'm using FORM based authentication in the login-config), but after they are logged in they will be assigned the role of AuthorisedUser.
    The following is being written to the orion-application.xml file
    <security-role-mapping name="AuthorisedUser" impliesAll="true" />
    What I'm observing is that users aren't being challenged when they hit a secured url-pattern. Is this as a result of the impliesAll="true" attribute ?

    I found that the <security-role-mapping> element is not functioning correctly for 10.1.3.4 OC4J LDAP authentication. I saw in the log.xml that I was getting authenticated but it wasn't finding the role-group map.
    I changed the role-name in the web.xml to be the exact same thing as the group in LDAP and that fixed that problem.
    I know the original poster has gone past this problem, but for people in the future, I hope this helps.
    Now my problem is the j_security_check... once I'm authenticated, the browser ends up at http://hostname:port/OrderManagement/j_security_check instead of the application page. Any ideas?
    Thanks,
    David

  • Cannot send email via Hotmail through port 587 with Secure Connection (SSL) set

    Something is blocking my attempts to send email (with Outlook Express) via my hotmail.com account. The error I receive is as follows:
    Your server has unexpectedly terminated the connection. Possible causes for this include server problems, network problems, or a long period of inactivity. Account: 'Hotmail', Server: 'smtp.live.com', Protocol: SMTP, Port: 587, Secure(SSL): Yes, Error Number: 0x800CCC0F
    When Hotmail.com first changed over to a POP3 server (Sept 2009), I could send emails through them using port 587, which they require. But then something happened, with no changes on my part, to disable my ability to send.
    I have checked and rechecked my Outlook Express account settings. I can send email through another third-party mail account (at 1&1 Internet.com) using port 587, which does not require setting SSL to yes. I can also ping the Hotmail SMTP server via port 587 and receive a response from it.
    I connect to Verizon DSL via a Westell 327W modem/router. Clearly it is not blocking port 587 without SSL. Does it have the capability to block SSL traffic? Or is the Verizon server the culprit, not allowing emails to be sent via Hotmail.com?
    Two different computers on my LAN have the same problem sending emails via Hotmail.com. I have tried everything the Hotmail people have suggested; at this point they think it is an ISP problem, hence this post. This problem doesn't make sense to me and is driving me crazy. Can anyone help me with this?
    Thanks.

    You can still have your reply address set to your hotmail address. And you don't have to really remember to do anything. Configure your client for the HOTMAIL account with Verizon's outgoing server. It will automatically send via Verizon. You don't reveal your verizon.net address, you are just using their server to transmit.
    "All knowledge is worth having."

  • How can i use dsadm to change the ldap port?

    I have an LDAP with port 1389. I changed it to 389, and now I can not start it because it runs as a non-root user.
    Now I want to change the port back to 1389, but I can not use dsconf because the server is not running.
    What can I do now? How can I use dsadm to change the port?
    Thank you very much.

    My apologies, I didn't mean to be rude/impolite.
    I just wanted to emphasize that in a situation where a Directory Server doesn't even start, you cannot interact with the live server to configure the new port (either talking LDAP or otherwise). All you can do in that case won't be related to LDAP (that's just the name of the protocol): either assigning network privileges to the user, or changing the Directory Server configuration file.
    The other thing I'd like to outline (and this could take a separate thread ;-) ), is that semantically, I'd prefer talking of a Directory Server instead of an LDAP Server because the former is 'something' providing Directory Services, whereas the latter is just the name of the protocol we use to interact with the server; but this is just my personal opinion, you don't have to agree with me.
    that's all folks!
    marco
