ISE - Active Directory - LDAPS

Similar Messages

• Getting User Attributes from an Active Directory LDAP

  Hello all.
  I want to extract attributes assigned to a user in the Active Directory LDAP and make them available through the getPropertyValue property in Javascript. I know that a user's System Attributes can be accessed with getPropertyValue but I have not found a way to get specific attributes from the LDAP and make them available as specific attributes in xMII. System attributes like "EmailAddress1" seem to transfer from the LDAP but others don't. Anyone have any ideas?
  Thanks.
  ...Sparks

  Sparks,
  If you're using 11.5 or 12 actually they should all map into the system as session properties.  You can use the following URL to verify your session properties:
  http://<xMIIServer>/Lighthammer/PropertyAccessServlet?Mode=List
  If you are not seeing the attributes you expect then your Attribute Query for User or Role is incorrect for your LDAP system and you need to change the LDAP configuration queries.
  -Sam

• Integrating Active Directory LDAP in OBIEE 11g

  Hi All,
  I Have Configured Active Directory LDAP in OBIEE.
  Steps i have Followed are,
  1) configured Active Directory in providers under Scurity Releam.
  2) Restarted BI Services to Load the Ldap Users.
  3) login to the EM under bifoundation domain selected securitues->security configuration provider.created user.login.attr and username.attr.
  4) under Credentials->oracle.bi.system map->system.user->deleted BISystemUser and Created key with the Existing name in Active Directory.
  5) assigned System user to BISystem role in em.
  6) in Console Roles and Polocies->Global Roles->Roles->Admin->view Role Condition (User = Active Directory User or Group=Administrators).
  7) Restarted BI Server and Presentation Services.
  Now I am Unable to Login to Presentation Services.
  Please Reply ASAP.
  Thanks and Regards
  Kiran Kumar

  Kiran, Is there a specific reason for using RPD for LDAP authentication? From 11g onwards, the best practice is to use Weblogic (or external Authentication providers). Is it correct to say that for "Authentication' without proper RPD LDAP config for "USER" variable, users cannot login via presentation layer?
  Cheers!
  BK

• Active Directory LDAP integration; can not see the XMLP_ groups/roles

  We have configured XMLP 10.1.3.3 to use "LDAP" as the Security model. The LDAP server is Active Directory running under Windows Server 2003.
  It is working to a certain extent:
  Users can log on to the XML Publisher using login/password as defined in AD.
  -When logged in as administrator, groups (roles) are visible in Admin/Roles and Permissions and can have assigned folders and data sources.
  Problems/questions:
  The required roles ("XMLP_ADMIN, etc) can not be seen in Admin/Roles and Permissions. Is this as expected or is it an error?
  -When logging in as a user who is member of the group/role XMLP_ADMIN, I do not get any administrator privileges (I have not tested the other XMLP_* roles defined in AD yet). So all administration has to be done as the local superuser.
  Is there any way to monitor the login process to try and see what goes wrong?
  -Roald
  -Roald

  The problem has been solved, it was self inflicted, typo in the config file:
  <property name="LDAP_PROVIDER_USER_DN" value="Cn=Users;dc=company,dc=com"/>
  (semicolon instead of comma after Users).
  It is a little surprising that this typo lead to problems with group matching, though. It took some time before this part of the config got enough attention.
  -Roald

• SJSAS7 - Access to Active Directory LDAP

  Hi All
  Is it possible to connect SJSAS7 to Active Directory via LDAP. I know that this can be done with other app servers like WebSphere 4 & 5.
  I would like to use our existing Active Directory infrastructure for authentication of Admin and Application users.
  Does anyone have information how to configure this or can point me to some documents with this info.
  Any help would be much appreciated.
  TIA
  Tony Hawes

  Although I haven't tried it, I would guess that this is possible. We are using the LDAP realm with Sun's directory server and a few years ago I used the standard LDAP provider in the JDK to connect to Active Directory. The only problem I had was that I had to connect with a user that had the form "domain/user" instead of a common name. The online help in the admin console describes the properties you can use.
  HTH,
  Gunnar

• Cisco ISE Active Directory Add Group

  Hi,
  I came across the Cisco ISE on integrating with Microsoft Active Directory; I would like to check what may be the use case of the add group function (External identity source-->active directory-->group-->add group)? Not too sure if it may be possible to group multiple active directory groups to the created group?
  I have attached a print capture of the "add group" for reference.
  Any suggestion is appreciated.

  I apologize for not following Ravi's post. However you can enter the group if searching for groups fails. It is case and format sensitive so using the method has to be precise....one example is looking in the authenticatiin report for a user under the "other attributes" if there is a group you want to apply as a policy you can copy and paste that group syntax under the add group which you posted.
  Sent from Cisco Technical Support Android App

• ISE / Active Directory

  We have a wireless setup using WLC and ISE, authenticating BYOD against Active Directory.
  The challange we have is that when users change their AD password, they forget to update their smartphones resulting in their AD accounts being locked out.
  We have PEAP enabled, with retries set to 1.
  When does the retries "reset" so that it will try again?
  And is there other things we can look at to prevent this behaviour?

  The best thing to do is to train your users to update the password in all their devices. Otherwise the account will be mostly locked out if an auto-auth device is configured with the old password.
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• ISE : Active Directory integration long usernames sAMAccountname

  Have a customer deploying ISE for wireless authentication using PEAP-MSCHAPv2.  They've encountered an issue where some users with long usernames are failing authentication to ISE.  ISE logs that the user is not found in the user database (Active Directory).
  Upon further review, it appears that ISE is using the sAMAccountname as the username token to authenticate against.
  sAMAccountname is limited to 20 characters. 
  Customer is running a full Windows 2008 domain and users login to the domain using their User Principal Name (no 20 character limit).  Therefore, when the user creates a wireless connection and passes his Windows credentials to PEAP, it fails because the username is too long and ISE does not find user in AD database.
  Is there a way to point ISE to use a different username token instead of sAMAccountname?  or is this a known issue?

  I don't think there is any way to increase the limit of 20 characters. You have to create to user name with 20 characters limit.

• MS Active Directory LDAP Authentication/Locking Issue.

  Dear All,
  We are a software company; we have implemented feature of LDAP Authentication in our product using Java API and its working fine from our network environment.
  We have used following things with LDAP feature.
  1. User Authentication.
  2. Locking account after exceed the maximum attempts that has configured in window server.
  Main our issue is: The LDAP feature is not working properly from our client side. They are able to authenticate their LDAP user but do not able to lock user account however they have exceeded the maximum attempts from login dialog of our products but it still working in our side.
  If anybody has any experienced about it then please reply with positvie solution or any other information like require do the specific configuration for different version of Windows and Active Directory Server etc.
  Can any body know what are the possibilities for identifying and resolving this issue?
  Please help us if anybody has any experienced about it.
  Please do the needful.
  Thanks,
  Mehul.

  Hi,
  Thanks for your reply.
  We have used java package of javax.naming.* and javax.naming.directory.* for LDAP Authentication.
  Following code for checking whether ADS User is valid or not.
  * Function checks whether ADSUser is valid user or not
  * @returns int value indicating result.
  public int isValidADSUser() {
  Hashtable env = new Hashtable(5);
  Vector adsInfoVec = getADSInfo();
  env.put("java.naming.referral", "ignore");
  // env.put("java.naming.security.authentication", "simple");
  env.put(Context.SECURITY_AUTHENTICATION,"simple");
  String provider = "com.sun.jndi.ldap.LdapCtxFactory";
  env.put("java.naming.factory.initial", provider);
  //For handling Uncontinued reference found message of partial result exception
  env.put(Context.REFERRAL, "follow");
  env.put("java.naming.ldap.derefAliases", "always");
  env.put("java.naming.ldap.deleteRDN", "false");
  env.put("java.naming.ldap.attributes.binary", "");
  env.put(Context.PROVIDER_URL,
  "ldap://" + (String) adsInfoVec.elementAt(0) + ":" +
  (String) adsInfoVec.elementAt(1));
  // env.put("java.naming.security.principal",
  // userNameStr + "@" + (String) adsInfoVec.elementAt(0));
  env.put(Context.SECURITY_PRINCIPAL,
  userNameStr + "@" + (String) adsInfoVec.elementAt(0));
  if (userPassStr == null) {
  userPassStr = "";
  // env.put("java.naming.security.credentials", userPassStr);
  env.put(Context.SECURITY_CREDENTIALS, userPasswordStr);
  try {
  DirContext ctx = new InitialDirContext(env);
  ctx.lookup("");
  //System.out.println(ctx.lookup(""));
  ctx.close();
  catch (javax.naming.AuthenticationException ex) {
  //System.out.println();
  ex.printStackTrace();
  return AUTHENTICATION_ERROR;
  catch (javax.naming.PartialResultException pex) {
  pex.printStackTrace();
  return COMMUNICATION_ERROR;
  catch (javax.naming.CommunicationException pex) {
  pex.printStackTrace();
  return COMMUNICATION_ERROR;
  catch (NamingException e) {
  System.out.println("Failed to connect to ");
  e.printStackTrace();
  return COMMUNICATION_ERROR;
  return SUCCESS;
  Result of this code from our company: We are able to Authenticate LDAP user and also Lock User Account after exceed the Max Failure Attempt that configured from Windows Server.
  Result of this code from our client side: They are able to Authenticate LDAP user but they can't User Accout Lock however exceed the Max Failure Attemp that configured from their Windows Server.
  Can u please help us if any experience about it and suggest if any other configuration require from Windows Server / Active Directory Server OR also if some other implementation require for resolving this issue.
  Your optimistic reply is much appreciated.
  Thanks,
  Mehul Garnara.
  Edited by: [email protected] on Mar 6, 2008 10:24 PM
  Edited by: [email protected] on Mar 6, 2008 10:25 PM
  Edited by: [email protected] on Mar 6, 2008 10:25 PM

• MS Active Directory (LDAP) and SAP Integration

  Hi all!
  don't know if I'm right here in this forum, but:
  I'm using MS Windows Server 2003 and installed Active Directory as LDAP-System on the one hand side, on the other I'm using a 6.20 ABAP Web AS.
  I'd like to synchronize the User Storage on these two systems.
  Does anyone have experience in doing this? I'm facing a tricky exception in depth of my customizing too complex to explain right now. The problem concerns the mapping of LDAP-Fields and SAP-Fields.
  Thankx,
  Christoph

  Hi Christoph,
  This is the mySAP ERP forum. Perhaps you can post your question in the Web AS forum (SAP NetWeaver Application Server).
  For now: here is a link to a video regarding SAP Active Directory integration:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sap active directory integration,%20SSO%20and%20User%20Management%20Webinar.wrf
  I found it by searching on Active Directory here on sdn:
  https://www.sdn.sap.com/sdn/search.sdn?contenttype=url&content=/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fSDN!2fiViews!2fFramework!2fcom.sap.sdn.advsearch%3Fprttheme%3DCSIN%26QueryString=active%20directory%26searchDatasource=SDNContent
  Cheers,
  Noel

• OID and MS Active Directory  LDAP information Synchronization

  Do you know have to do the integration between OID and MS active Directory? How to synchronize the LDAP information between two?

  Hi, I have the same question.
  Thanks,
  Malin

• What is the Point of Active Directory/LDAP Specification?

  My college threw an interesting curve ball today and I couldn't give him a good enough answer. The question was simple 'What is the point of active directory'. Now I don't have a lot of exposure to active directory, but I thought I could easily answer. My argument was; If you have a group of objects its easy to look up attributes for those objects using active directory. For example, if you have a group in AD and you want to verify the users of that group you simply look up the member attribute of that group. However he argued, rightly so, that you can do that with a table in a database, why do that in AD. I couldn't give him a good enough answer and now I'm curious. Given the above example, why use AD over a database?
  To me AD is a way to manage a set of resources, whatever they are, by mapping them to objects that have however many attributes. But we could do that in a database, whats the point of AD? Why do you use AD?

  I come from a primarily database centric background. Just like life experience, it casts a certain perspective on problems. Database people solve things with databases. Directory people solve things with directories. Everyone has their perspective. It's not really about who's right and who's wrong. It's about perspective because people are most likely to go with what's familiar when given a problem. It's easy to have this conversation in a educational environment but when you're on the job it's about turf, schedules and careers. My latest job (in which this debate comes up a lot) has been about directories which has been a very enlightening experience because I've been given a gift of perspective. I can put on the directory hat and look at it from another angle.
  To get back to your professor's question. The answer is easy. LDAP (AD or other) is an application above a database. It has a data store behind it, in most cases we can just assume this is a database. So, in short, it's apples to oranges. But if we insist on comparing which makes the better juice, let's look at how we'd make a database like a directory. We could create a data model with an attributes table, an entries table and so on. We can deconstruct what LDAP data structures really are and implement each type as a table with FK/PK relationships and so on. It's sure to work because there are already so many products on the market doing this very thing. But think about the effort now. How are you going to add new users? A front-end? Stored procedures? Scripts? How are you going to keep someone from seeing things they shouldn't? You have to insert an object into all the right tables to ensure that your data is consistent and valid. In a pure database, you're trying to create ACLs on database rows. Now you're writing a full featured application with a lot of complexity. Given enough directory features, the database isn't going to be able to do everything without an external application.
  What is the point of LDAP? It's got hierarchy, ACLs, group of unique names functionality and things that are a layer of abstraction above the data store. I love databases but if you start designing out a directory server from scratch you'll realize it's far beyond comparing a user.ldif to a row in a user table. They are similar in appearance but different types of software.
  Edited by: milkfilk on Dec 16, 2008 11:48 AM
  Edited by: milkfilk on Dec 16, 2008 11:54 AM

• Using Active Directory (LDAP Plugin) Across Multiple AD Servers

  Hi,
  I need to give an existing application the ability to talk to multiple active directories using the AD LDAP interface from a J2EE Applcation running on Apache 2.x/Tomcat 5.x (there are 4 independent AD trees and users from ANY of the trees can access the application)
  Can anyone point me in the right direction with this? I would seem to make sense that I should create a central security servlet that is aware of all the domains and connect to each of the AD servers in turn using LDAP (as often discussed on these forums) to acertain security rights, then turn control back to the application.
  Thoughts? Feedback? General help?
  thanks
  John

  Another thing that would help is any references to sample code where someone has done this before for..
  1. the server.xml file mods required? Web.xml Mods?
  2. Java code to accomplish this?
  Also, am i overthinking the problem? Could I just use some utility class inside the controller servlet that would have one method that would return access level or something? Then in the utility file I can do the looping through LDAP servers (really AD trees) and when I find the information I want, simply return it.

• ISE, Active directory and OUs

  Hello Everyone
  I have an ISE with an AD integration, i am trying to limit the access to the wireless users, i only added one OU "wireless users", but all the users can access to the wireless network, i just want to allow the access to the users in that OU, and block the access to the other users not included in that OU.
  Other thing, i am not able to see the attributes from the directory, is this an issue with the AD?.
  Regards
  Israel

  Just to add some information, I added the AD in the external identity sources, and i can see the OUs in the groups, i choosed the ou wireless.
  Then i created an authorization compound conditions
  Radius Service type: Frame
  Radius Nas Port: Wireless -802.1x
  and the network access equals domain/users/wireless.
  I applied this in my authorization policy.
  But it still does not work.

• Accessing Terminal Services Attributes from Active Directory LDAP property userParameters

  After many years of complaints, Microsoft has done little to address the overwhelming outcry for information on the accessing the Terminal Services properties through LDAP.
  I found this document that fully describes the Encode/Decode mechanism for the userParameters attribute.
  https://msdn.microsoft.com/en-us/library/ff635189.aspx
  The property is used for more than terminal services, but even Microsoft is confused about it's use it would seem.  I won't go into details, but for all those trying to access the terminal services attributes, this document should help.
  I have not yet converted the mapping into a JAVA module, so please don't ask for help.  I just need a more public place to put this, than the currently buried location at microsoft, to make for easier retrieval from the web community of java developers.

  Hi,
  What about other changed attributes? Are other attributes retrieved by DirSync control turn to be encrypted form?
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]