Ldap anonymous directory access

Similar Messages

• LDAP support limited. How to configure Address Book / Directory Access?

  I complained to a sysadmin that my LDAP searches were returning very limited information (just surname and e-mail). He replied,
  "...[Address Book] can't be configured to query specific attributes, it can't be configured to show specific attributes except for the small set they have elected to permit, ... it doesn't even show cn/commonName which is a compulsory field in the inetOrgPerson schema or ou/organizationalUnitName which is the standard way of distinguishing components of an organization..."
  Directory Access seems to offer facilities for requesting specific attributes. I tried mapping them to Address Book fields, but with no improvement in the search results. Any tips?

  Here is some info I found on manually configuring and mapping schemas.
  Configuring LDAP Searches and Mappings
  Using Directory Access, you can edit the mappings, search bases, and search scopes that specify how Mac OS X finds specific data items in an LDAP directory. You can edit these settings separately for each LDAP directory configuration listed in Directory Access. Each LDAP directory configuration specifies how Mac OS X accesses data in an LDAPv3 or LDAPv2 directory.
  You can edit the mapping of each Mac OS X record type to one or more LDAP object classes.
  For each record type, you can also edit the mapping of Mac OS X data types, or attributes, to LDAP attributes.
  You can edit the LDAP search base and search scope that determine where Mac OS X looks for a particular Mac OS X record type in an LDAP directory.
  IMPORTANT: When mapping Mac OS X user attributes to a read/write LDAP directory domain (an LDAP domain that is not read-only), the LDAP attribute mapped to RealName must not be the same as the first attribute in a list of LDAP attributes mapped to RecordName. For example, the cn attribute must not be the first attribute mapped to RecordName if cn is also mapped to RealName.
  For detailed specifications of Mac OS X record types and attributes, refer to "Mac OS X Server Open Directory Administration for Version 10.4 or Later" (available at www.apple.com/server/documentation/).
  In Directory Access, click Services.
  If the lock icon is locked, click it and type the name and password of an administrator.
  Select LDAPv3 in the list of services, then click Configure.
  If the list of server configurations is hidden, click Show Options.
  Select a server configuration in the list, then click Edit.
  Click Search & Mappings.
  Select the mappings that you want to use as a starting point, if any.
  Click the "Access this LDAPv3 server using" pop-up menu and choose a mapping template to use its mappings as a starting point or choose Custom to begin with no predefined mappings.
  Add record types and change their search bases as needed.
  To add record types, click the Add button below the Record Types and Attributes list. In the sheet that appears, select Record Types, select one or more record types from the list, and then click OK.
  To change the search base and search scope of a record type, select it in the Record Types and Attributes List. Then edit the "Search base" field. Select "all subtrees" to set the search scope to include the entire LDAP directory's hierarchy from the search base down. Select "first level only" to set the search scope to include only the search base and one level below it in the LDAP directory's hierarchy.
  To remove a record type, select it in the Record Types and Attributes List and click Delete.
  To add a mapping for a record type, select the record type in the Record Types and Attributes List. Then click the Add button below "Map to __ items in list" and enter the name of an object class from the LDAP directory. To add another LDAP object class, you can press Return and enter the name of the object class. Specify whether to use all or any of the listed LDAP object classes by using the pop-up menu above the list.
  To change a mapping for a record type, select the record type in the Record Types and Attributes List. Then double-click the LDAP object class that you want to change in the "Map to __ items in list" and edit it. Specify whether to use all or any of the listed LDAP object classes by using the pop-up menu above the list.
  To remove a mapping for a record type, select the record type in the Record Types and Attributes List. Then click the LDAP object class that you want to remove from the "Map to __ items in list" and click the Delete button below "Map to __ items in list."
  Add attributes and change their mappings as needed.
  To add attributes to a record type, select the record type in the Record Types and Attributes List. Then click the Add button below the Record Types and Attributes list. In the sheet that appears, select Attribute Types, select one or more attribute types, and then click OK.
  To add a mapping for an attribute, select the attribute in the Record Types and Attributes List. Then click the Add button below "Map to __ items in list" and enter the name of an attribute from the LDAP directory. To add another LDAP attribute, you can press Return and enter the name of the attribute.
  To change a mapping for an attribute, select the attribute in the Record Types and Attributes List. Then double-click the item that you want to change in the "Map to __ items in list" and edit the item name.
  To remove a mapping for an attribute, select the attribute in the Record Types and Attributes List. Then click the item that you want to remove from the "Map to __ items in list" and click the Delete button below "Map to __ items in list."
  To change the order of attributes displayed in the list on the right, drag the attributes up or down in the list.
  Click Save Template if you want to save your mappings as a template.
  Templates saved in the default location are listed in pop-up menus of LDAP mapping templates the next time the current user opens Directory Access. The default location for saved templates is in the current user's home folder at this path:
  ~/Library/Application Support/Directory Access/LDAPv3/Templates
  Click Write to Server if you want to store the mappings in the LDAP directory so that it can supply them automatically to its clients.
  You must enter a search base to store the mappings, a distinguished name of an administrator (for example, uid=diradmin,cn=users,dc=ods,dc=example,dc=com), and a password. If you are writing mappings to an Open Directory LDAP server, the correct search base is "cn=config, suffix" (where suffix is the server's search base suffix, such as "dc=ods,dc=example,dc=com").
  The LDAP directory supplies its mappings to Mac OS X clients whose custom search policy includes a connection that's configured to get mappings from the LDAP server. The LDAP directory also supplies its mappings to all Mac OS X clients that have an automatic search policy. For instructions, see Configuring Access to an LDAP Directory and Setting Up Search Policies.

• What kind of permissions are needed  in LDAP to install Access Manager?

  Hi people,
  I'm trying to install Access Manager in three different machines, and i'll try to configure them in a failover schema, but I'm not the owner of the LDAP where the Access Manager DIT is going to live, my question is what kind of permissions do I need to install it, rigth now I've tried to install it three times and I can't get a succesfull install process, this is a resume of the common errors that I've got in the Java_Enterprise_System_Config_Log.xxxx
  adding new entry ou=portalmmm_1.0_n21i,ou=internalData,ou=1.0,ou=SunAMClientData,ou=ClientData,o=bbva
  sleep 3
  ERROR : Configuring/Loading of the default DIT in the Directory Server failed
  CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss4.jar:/opt/SUNWam/lib/am_sdk.jar
  Loading service schema XML files ...
  Info 109: Calling SCHEMA MANAGER
  Info 110: XML file to import:/etc/opt/SUNWam/config/ums/ums.xml
  Info 103: Loading Service Schema XML /etc/opt/SUNWam/config/ums/ums.xml
  Loading Service Schema XML /etc/opt/SUNWam/config/ums/ums.xml
  Error occured while loading: /etc/opt/SUNWam/config/ums/ums.xml
  Error Log:
  ldap_modify: Insufficient access
  ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-pluginEnabled' attribute of entry 'cn=referential integrity postoperation,cn=plugins,cn=config'.
  ldap_modify: Insufficient access
  ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-pluginarg10' attribute of entry 'cn=referential integrity postoperation,cn=plugins,cn=config'.
  ldap_add: Already exists
  ldap_add: Insufficient access
  ldap_add: Insufficient access
  ldap_add: Insufficient access
  ldap_add: Insufficient access
  ldap_add: Insufficient access
  ldap_add: Already exists
  ldap_add: Already exists
  ldap_add: Already exists
  ldap_add: Already exists
  ldap_add: Already exists
  ldap_modify: Insufficient access
  ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-sizelimit' attribute of entry 'cn=config'.
  ldap_modify: Insufficient access
  ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-timelimit' attribute of entry 'cn=config'.
  ldap_modify: Insufficient access
  ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-lookthroughlimit' attribute of entry 'cn=config,cn=ldbm database,cn=plugins,cn=config'.
  ldap_add: Already exists
  ldap_add: Insufficient access
  ldap_add: additional info: Insufficient 'add' privilege to add the entry 'ou=DSAME Users,o=isp'.
  ldap_modify: Type or value exists
  ldap_modify: Insufficient access
  ldap_modify: additional info: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'o=isp'.
  ldap_modify: Insufficient access
  ldap_modify: additional info: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'o=isp'.
  ldap_modify: Insufficient access
  ldap_modify: additional info: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'o=isp'.
  ldap_add: No such object
  ldap_add: matched: o=isp
  ldap_add: No such object
  ldap_add: matched: o=isp
  /opt/SUNWam/bin/amadmin: -Dcom.sun.identity.sm.enableDataStoreNotification=true: not found
  Error 29: ServiceManager Exception
  Error 10: Cannot process requests:
  sms-UNKNOWN_EXCEPTION_OCCURRED
  Identity Server Configuration Failed ...
  Configuration failed for : ISConfigurator
  *** End configuring ISConfigurator***Please suggest...
  Thanks in advance
  Lalo

  You can't install Access Manager without full control on the base organization.
  You need the Directory Manager user (maybe with a temporary password) or a user with full permissions on the Access Manager root DN.
  Hope It Helps
  Saludos!!

• Can't login to local NON-admin accounts-Directory Access set to server

  I have a strange problem on a set of laptops that I cannot resolve and am hoping someone can help me.
  Here is the issue:
  I have a set of building laptops (PowerPC, OSX.4.11) that seemingly will not "search locally" in the authentication process. The logins seem to work fine for NETWORK logins to our Open Directory Master xserve, but these machines will not login to any LOCAL non-admin accounts. The local root and local admin account logins do, however, work fine. ?? The remainder of the building computers (Intel iMacs OSX.4.11) appear to have the exact same settings and login fine both locally and via the network home directories.
  I have tried the following:
  Deleted DirectoryService preferences folder (MacintoshHD-->Library-->Preferences->DirectoryService)
  Deleted the mcx cache in Directory Access
  Tried adding a new non-admin user to test (still will not login)
  Removed and re-created LDAP configuration (all set to custom)
  Tried setting the LDAP to the automatic settings ("Add DHCP-supplied LDAP servers to automatic search policies")
  Disabled all network connectivity (turned off Airport and disconnected the ethernet cable), still cannot login to local accounts
  Tried to bind in LDAP configuration (when I did bind the machine, it would no longer authenticate to the network authentication server, so I did an "unbind" and restarted and it went back to performing the network logins, but still will not login to local non-admin accounts).
  Reset passwords in System Prefs and also re-typed them in NetInfo Manager
  Deleted login keychains
  Deleted mcx.plist
  Reinstalled the OS from disk and local logins worked TEMPORARILY--UNTIL I set the LDAP directory access to authenticate to our server (which I also need for the network logins to work),then, the issue started again.
  *Same results with both ethernet and wireless connectivity enabled.
  *Note: I also manage these local accounts via WGM (installed on the local machine) and even tried disabling that and still no luck.
  Please help...I have spent hours and hours trying to find a solution and nothing seems to work! What am I missing??

  Mostly just a bump...
  How about that .local extension, or trailing / ?

• PAB_CMD_GET_PABS returns ldap error: Insufficient access

  hi when i run the messenger express web interface, whenever I do anything that tries to acess the address book I get:- PAB_CMD_GET_PABS returns ldap error: Insufficient access
  can anyone help me ?

  Thanks for your reply, the cn was set to msg-admin-4 so I granted that user access to the o=pab area in ldap and it is now working ok, except for the fact that this system is used witha proprietory system called campus pipeline as well which stores its personal addresses elsewhere in the ldap, and when I do a directory lookup, it returns all the matching email addresses in everybodys personal address lists!
  Is there any support for compiling groups from the global ldap search ? or is this a personal address book only [eice of software?                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           

• Open Directory access from outside of network / internet

  Hello all,
  Got a question I'd love to get some help on, I have some users who are outside of my network and I'd like them to connect into the open directory on our leopard server so they can use the Shared iCal calendars, addresses, etc.
  So my questions are A) Is it possible to connect in from outside the network and get access to the directory without having to have a seperate user account and use our VPN every time you want to connect? - if not is this the only way to do it (would you have to connect via the Mac VPN and then connect to the directory?)
  B) is it possible to do this "seamlessly" so that you don't have to change any settings, login details each time you switch between your local user from outside the network and your directory access. (so basically if you are in iCal if you have internet access it will connect you to the directory, without you doing anything extra?)
  Hope that makes sense, I can't seem to find the answers I need in the manuals, if I knew how this was meant to work I could probably have a fair go at figuring out how to actually do it (firewall changes etc)
  Thanks in advance for the help
  Martin

  So my questions are A) Is it possible to connect in from outside the network and get access to the directory without having to have a seperate user account and use our VPN every time you want to connect? - if not is this the only way to do it (would you have to connect via the Mac VPN and then connect to the directory?)
  If your OD server is visible from the internet -- i.e., it has a public address -- then you can do this without the VPN. However, it's not advisable to have a server exposed in that fashion.
  You would be better off doing this through the VPN:
  - Remote user connects to internet at hotel, for example.
  - Remote user initiates VPN connection.
  - Remote user now has access to iCal server and directory information.
  Explain to the users that this information is private to the company, and private company resources are only available through the VPN. Allowing access without the VPN would be similar to the company posting its Employee roster and meeting calendars on the face of the building where any person (or competitor) could see them.
  B) is it possible to do this "seamlessly" so that you don't have to change any settings, login details each time you switch between your local user from outside the network and your directory access. (so basically if you are in iCal if you have internet access it will connect you to the directory, without you doing anything extra?)
  It's just one extra step: Connect to VPN. You're still the same local user on the computer.
  If you're talking about laptop users needing directory access to authenticate when logging into their computers, well...That sounds like a whole other situation.
  Hopefully this helps.
  Bryan Vines

• Directory Access and Permissions

  Hi,
  I work at a company that's having a problem setting up the new macs (Core 2 Duo iMac 24") our marketing department just ordered.
  The rest of our network uses windows, so we have active directory logins for everyone. We've setup the Directory Access on the new iMacs so that marketing users log in using their AD username and pw. The local user account that 10.4 generates is set to be a local admin, but the users are just normal users in AD.
  The problem we're having is with setting permissions for some Apps that require changes from the default settings. When I go to set permissions in the Info pane of a folder or app, I open the pull down menu for 'Owner' and go to 'Other...' at the bottom to grab the user from AD (because the user is not available in the top portion where local users can normally be selected). This is where the problem occurs. This opens up the "User Listing" box, which contains a long list of AD usernames, but does not have any AD usernames that were created less than 10 months ago. I checked with my Network Admin, and virtually no settings in terms of creating AD users have changed in the last two years.
  I don't know if this is a problem with settings on the AD side or the Mac side, but here's the Mac settings in Directory Access:
  +Services: AD is checked+
  +Authentication: Custom path selected, our domain is in the list+
  +Contacts: Same as Authentication+
  +Under AD:+
  +Forest and Domain are correct, computer is bound correctly.+
  +User Experience:+
  +Create mobile account is not selected.+
  +Force local home directory on startup is selected.+
  +Use UNC path from AD... is selected, smb: is selected as Network protocol.+
  +Default user shell is selected as '/bin/bash'+
  +Mappings: Nothing selected.+
  Administrative:
  +Prefer this domain server is checked and correct for our network+
  +Allow administration by is checked, domain admins and enterprise admins+
  +Allow authentication from any domain in the forest is selected+
  Is there anything in these settings that might cause the problem described above, or is the problem something else entirely, maybe on the AD side?
  I'm also wondering if anyone knows how to find out where Directory Access is grabbing this list of users from. Perhaps our Network Admin can find out what the problem is given that info.
  Thanks,
  Gabe
  Message was edited by: Gabe Stein

  I have exactly the same problem and ProtectHome wasn't the solution. "sudo minidlnad" works fine -- TV shows root and /home/blah/blah is accessible. However, I'm not able to make the daemon run as root. Just for testing purposes, I've made all the settings as loose as possible, but TV stills shows minidlna as username and the folder is not available (systemctl status reveals permission denied).
  minidlna.service:
  [Unit]
  Description=minidlna server
  After=network.target
  [Service]
  Type=simple
  User=root
  Group=root
  ExecStart=/usr/bin/minidlnad -S
  ProtectSystem=off
  ProtectHome=off
  PrivateDevices=on
  NoNewPrivileges=off
  [Install]
  WantedBy=multi-user.target
  minidlna.conf:
  user=root
  media_dir=/home/blah/blah
  What am I missing here? No possibility to run minidlna as root after the last update any more?
  Edit:
  Never mind. During all this testing I had forgotten "User=minidlna" to /etc/systemd/system/minidlna.service.d/override.conf. Daemon as root works after removing that line.
  Last edited by riivo (2015-03-19 14:38:18)

• Problem with Directory Access

  Hi!
  I have a problem, I uninstall Directory Access by mistake and now I don't know how can I install it again. Any clues?

  The platform service doesn't seem to exist.
  Please use the following commad to load the Platform Service to the Access Manager.
  cd /opt/SUNWam/bin/
  ./amadmin -u amadmin -w password -s /etc/opt/SUNWam/config/xml/amPlatform.xml

• Error while configuring SSL in OID 11g - LDAP 50 Insufficient Access rights

  HI,
  I am trying to configure SSL in OID 11g.As per the doc http://download.oracle.com/docs/cd/E12839_01/oid.1111/e10029/ssl.htm#CBHGBGAF ,i tried creating a Self-Signed Wallte using Fusion Middleware control,But i am getting an error LDAP 50: Insufficient access rights".I logged into Fusion Middle Ware control as Weblogic user.Is anybody faced this issue?.Thanks in advance.

  I am not sure how you tried, but I would recommend to do the following...
  1. Add the 'user1' to "OU=Franchisees,ou=People,dc=company,dc=com"
  2. Delete the 'user1' from 'OU=Internal,ou=People,dc=company,dc=com'

• Setting up the "Directory Access" application

  I was just looking at the "Directory Access" application, and noticed some services enabled by default (AppleTalk, Bonjour etc).
  I'm not using AppleTalk or Bonjour, so would it be useful to switch these off? (for security reasons or performance).
  Can I maybe safely switch off the other three services as well? (I dont use the computer for any file sharing, by the way).
  Thanks in advance for any advice on this.

  Hi, interesting questions, Bonjour is indeed a Hog, I'd give it a try, since you know how to change it.
  See these...
  http://hints.macworld.com/article.php?story=20050707222434355
  http://osxdaily.com/2009/09/15/disable-bonjour-by-turning-off-mdnsresponder/

• Could not connect to the Active Directory. Active Directory Certificate Services will retry when processing requires Active Directory access

  Event properties – Event 91, Level Error, Event ID 91, Date and time 5/10/2012 11:29:48AM, Service CertificationAuthority
  General: 
  Could not connect to the Active Directory.
  Active Directory Certificate Services will retry when processing requires Active Directory access.
  We have a Windows 2008 Server Enterprise with AD . I would like to enable the service  "Certificate Services"  that
  allow me to enable radius to authenticate users wireless with the active directory.

  Hi, 
  Can you please check this forum or someone from Microsoft, as we have post here dating back from October that are not being answered.
  Everything for us is exactly the same as szucsati and Racom
  NMNM, 
  Please give us an answer on this as the link provided is absolutely useless.
  Thank you.

• Anonymous user access site central admin?

  Anonymous user access site  central admin?

  Hi,
  you need to adjust the context, check this
  http://blogs.msdn.com/b/sowmyancs/archive/2008/08/14/spsecurity-runwithelevatedprivileges-an-important-point-while-using-it-in-web-context.aspx
  http://sharepoint.stackexchange.com/questions/46194/sharepoint-2010-runwithelevatedprivileges-throws-exception
  SPSecurity.RunWithElevatedPrivileges(delegate()
  using (SPSite elevatedSite = new SPSite(SPContext.Current.Site.Id))
  using (SPWeb elevatedWeb = elevatedSite.OpenWeb(SPContext.Current.Web.Id))
  // Perform administrative actions by using the elevated site and web objects.
  // elevatedWeb.CurrentUser.LoginName gives SHAREPOINTsystem
  Kind Regards,
  John Naguib
  Senior Consultant
  John Naguib Blog
  John Naguib Twitter
  Please remember to mark this as answered if it helped you

• Anonymous User Access to Web Dynpro ABAP Application

  Dear All,
  I'm not able to set anonymous user access to a WDA application. The requirement is : I have to Call the application if the user clicks a link on the portal (even before logging).
  Please note that I have gone thru note No. 1020795 and 1031159 and have complied and followed all the given steps there.
  Also, I have given anonymous acces to iveiw that i had created.
  Request the gurus around to help, if they have cracked a similiar situation.
  PS : Points are up for grab for any positive helps provided.
  Thankx a Ton in advance.
  Regds,
  Srini

  Hi, Srini,
  A WDA application runs on the WAS. It needs to login to the ABAP core in order o execute. In your case, what you can do is supply a user/passord directly on the service (tcode SICF).
  Hope this helps!
  Regards,
  Andre

• Directory access solution - please recommend.

  In regards to the site
  http://www.myhappypeople.com
  I need a simple directory access solution (that hopefully
  doesn't let people bookmark an accessed page and go back to it
  without logging in again). All I want is for a client to click one
  link, which prompts a login/password screen, and based on their
  input directs them to a directory/page they are allowed to view.
  The DW 8 manual doesn't seem to really tell me how to do
  anything but rather sends me in circles on the elements I need
  (databases, page with forms, etc).
  I've looked into some free CGI scripts, that don't seem to be
  easy to update/maintain.
  Can anyone offer a suggestion. It's the last thing I need to
  figure out to complete this site.

  Well, there's two ways of doing this: server level and app
  level.
  You can setup users in IIS and Apache and this will cause the
  server to automatically prompt for login. However, this requires
  access to the user database on the server and usually admin access
  to set file permissions.
  The way I prefer to handle it (and I'm not a security expert,
  btw) it with a session cookie and an authenication script. I make a
  file that checks to see if the session cookie for auth is set. If
  not, it sends the user to a login page. I then include this file at
  the top of every page I want to protect.
  The login is then just a form that posts to a page the
  verifies the password and sets the cookie. Now, this technique
  isn't foolproof. If you're not using HTTPS, then you are sending
  the password in clear text and it could be grabbed by a hacker.
  But, for light security, it works pretty well and is easy to
  deploy.
  <?php
  #fire up the session and see if user is logged in.
  session_start();
  if(isset($_SESSION["LOGGED_IN"]) &&
  $_SESSION["LOGGED_IN"] == "TRUE"){
  # Do something if needed. I connect to databases here.
  }else{
  #Redirect non-logged in request
  header("location: /admin/login.php");
  }

• EA4500 and Non-Anonymous Disk Access

  Purchased an EA4500 this weekend and overall it's working well. Running into what seems like a bug however with the NAS settings in firmware 2.0.37. If I enable "anonymous disk access" I can use the attached USB hard drive no problem, as soon as I turn off that setting and try to setup a user it's a no-go. Windows 7 reports that the device can not be found, and in fact the icon for it will immediately disappear from the list of network devices within a few seconds of changing the radio button and clicking "save".
  It's behaving as if it's in a different workgroup than the PC's. I just have the workgroup set to the Windows 7 default of "WORKGROUP" and have the EA4500 set to the same.
  Is this a known bug with this device and firmware combination, or am I missing something obvious?

  Jake_2.0 wrote:
  By default, Anonymous Disk Access specify whether users have read-and-write or read-only access to the folder. How about if you try to map the netework drive after disabling that feature and see if the harddrive will be detected.
  That's incorrect. When it is enabled, users on the LAN can access the drive without having to enter in the credentials of one of the accounts set up in the router. 
  When it's disabled, then users have to enter in the correct credentials of one of the registered accounts to be able to access the drive. 
  The read/write access in parentheses which you are referring to is meant to make users aware what privileges an anonymous user will have. 
  I don't work for Cisco. I'm just here to help.